Is the configuration I'm using correct?
When I modified the reduced cxf-ws-security configuration I describe below
(which worked) by changing the key that the server uses (through
signaturePropFile), it still worked, even though the key on the server side
didn't match the client's private key.
Does the server really use the key from signaturePropFile to verify the
signature on the incoming message?
What's the role of the BinarySecurityToken in the incoming message then?
Lukasz L. wrote:
>
> Hi Ashwin,
>
> let me explain what I'm intending to do
> 1) I want to sign the message on the client's side so that the server can
> verify the sender and also verify that the message content wasn't changed (I
> do not care if someone can read the message).
> I want the client to use its private key to generate the signature and the
> server to use the client's public key to verify it.
> 2) I believe that in order to do this I need to use action="Signature"
> 3) By one way I mean that only the client puts its signature on the message
> and the server verifies it (the server just sends the response without any
> security mechanisms)
> 4) Because it's one way, we care only about the client's OUT and the
> server's IN wss4j interceptors
>
>
> I reduced the cxf-ws-security example to implement only the above scenario,
> and it works.
> Here's the reduced configuration:
>
> CXF consumer In interceptor:
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>       id="TimestampSignEncrypt_Request">
>   <constructor-arg>
>     <map>
>       <entry key="action" value="Signature"/>
>       <entry key="signaturePropFile" value="alice.properties"/>
>       <entry key="passwordCallbackClass"
>              value="org.apache.servicemix.samples.cxf_ws_security.KeystorePasswordCallback"/>
>     </map>
>   </constructor-arg>
> </bean>
>
> Client's Out interceptor:
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>       id="TimestampSignEncrypt_Request">
>   <constructor-arg>
>     <map>
>       <entry key="action" value="Signature"/>
>       <entry key="user" value="alice"/>
>       <entry key="signaturePropFile" value="alice.properties"/>
>       <entry key="signatureKeyIdentifier" value="DirectReference"/>
>       <entry key="passwordCallbackClass"
>              value="org.apache.servicemix.samples.cxf_ws_security.KeystorePasswordCallback"/>
>       <entry key="signatureParts"
>              value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>     </map>
>   </constructor-arg>
> </bean>
>
> I checked what is sent, and indeed an XML Digital Signature is sent.
>
> Now my problem is that I don't know why it works in terms of keys
> (keystores), because I don't know what's inside them. I guess that in my
> scenario the client needs to have a private key and the server needs to have
> the client's public key, but when I tried to change the keys to ones I
> generated myself, I got an error on the server side saying that the
> signature wasn't verified.
>
> In this example I use only alice.properties, that is alice.jks (that's how
> it is in this example), and I guess it contains both the public and the
> private key, is that correct?
> In reality you'd have these keys separated, so how would you change this
> example to do that?
>
--
View this message in context:
http://www.nabble.com/CXF-WSS-example-tp20857457p20978406.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
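The following is an added example, not code from the poster, from CXF or from WSS4J. It is a plain-JDK model of what a "Signature" action with signatureKeyIdentifier=DirectReference puts on the wire and what the receiver then has to check: the signer's certificate travels inside the wsse:BinarySecurityToken, so the receiver verifies the signature with the public key taken from the message, and only afterwards decides whether that certificate is trusted by looking it up in the keystore named by its own signaturePropFile. The class name, the SignedMessage holder and the command-line arguments are assumptions made for the example; whether the WSS4J release used by the sample actually performs the trust step is something to confirm in its source, but the model shows why the integrity step cannot fail just because the server's keystore changed.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Model of a WS-Security Signature with a DirectReference. Example code, not part of CXF/WSS4J. */
public final class DirectReferenceCheck {

    /** What the receiver gets: the signed body, the signature value, and the
     *  signer's X.509 certificate as carried in the wsse:BinarySecurityToken. */
    public static final class SignedMessage {
        final byte[] body;
        final byte[] signatureValue;
        final byte[] binarySecurityToken; // DER-encoded X.509 certificate

        SignedMessage(byte[] body, byte[] signatureValue, byte[] binarySecurityToken) {
            this.body = body;
            this.signatureValue = signatureValue;
            this.binarySecurityToken = binarySecurityToken;
        }
    }

    /** Client OUT side: sign with the private key under "alias" and attach that alias's certificate. */
    public static SignedMessage sign(KeyStore clientKs, String alias, char[] keyPassword, String body)
            throws GeneralSecurityException {
        PrivateKey signingKey = (PrivateKey) clientKs.getKey(alias, keyPassword);
        X509Certificate signerCert = (X509Certificate) clientKs.getCertificate(alias);
        if (signingKey == null || signerCert == null) {
            throw new GeneralSecurityException("no private key entry for alias " + alias);
        }
        byte[] bodyBytes = body.getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signingKey);
        sig.update(bodyBytes);
        return new SignedMessage(bodyBytes, sig.sign(), signerCert.getEncoded());
    }

    /** Server IN side: integrity check with the key from the message, then a trust check
     *  against the server's own keystore (the one its signaturePropFile points at). */
    public static boolean verify(KeyStore serverKs, SignedMessage msg) throws GeneralSecurityException {
        X509Certificate signerCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(msg.binarySecurityToken));

        // 1. Integrity: the public key comes from the BinarySecurityToken, not from the server
        //    keystore, so any key pair (including one an attacker generated) passes this step.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(signerCert.getPublicKey());
        sig.update(msg.body);
        if (!sig.verify(msg.signatureValue)) {
            return false;
        }

        // 2. Trust: the only place the server keystore matters. A valid signature from a
        //    certificate the server does not know must still be rejected here.
        signerCert.checkValidity();
        return isTrusted(serverKs, signerCert);
    }

    /** Trusted if the certificate itself is in the keystore, or was issued by a certificate that is. */
    static boolean isTrusted(KeyStore ks, X509Certificate cert) throws GeneralSecurityException {
        if (ks.getCertificateAlias(cert) != null) {
            return true;
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate candidateIssuer = ks.getCertificate(alias);
            if (candidateIssuer == null) {
                continue;
            }
            try {
                cert.verify(candidateIssuer.getPublicKey());
                return true;
            } catch (GeneralSecurityException notIssuedByThisEntry) {
                // not the issuer; try the next keystore entry
            }
        }
        return false;
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Usage (assumed layout): java DirectReferenceCheck client.jks clientPw alias server.jks serverPw */
    public static void main(String[] args) throws Exception {
        KeyStore clientKs = load(args[0], args[1].toCharArray());
        KeyStore serverKs = load(args[3], args[4].toCharArray());
        // Constructed sample body standing in for the SOAP Body that signatureParts selects.
        SignedMessage msg = sign(clientKs, args[2], args[1].toCharArray(), "<soap:Body>sample</soap:Body>");
        System.out.println("signature verifies and signer is trusted: " + verify(serverKs, msg));
    }
}
```

Run it once with alice.jks on both sides and once with a freshly generated keystore on the server side: step 1 passes in both runs, because the verifying key never came from the server keystore, and only step 2 changes its answer. To separate the keys as the post asks, export only the certificate from the client keystore (`keytool -exportcert -alias alice -keystore alice.jks -file alice.cer`), import it into a certificate-only truststore (`keytool -importcert -alias alice -file alice.cer -keystore server-trust.jks`), and point the server's signaturePropFile at that truststore while the client keeps the keystore holding the private key.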