I was referred to this list by Daniel Kulp from the CXF list. Here is what I'm trying to do:

I want to be able to accept a signed (not encrypted) message without having the public key in my keystore prior to someone calling me. I have a service available that I can go and get all the public keys for anyone, but I want to do that on demand, so that I don't have to maintain a local key store. How could one go about doing this? I wouldn't mind using a local key store to cache copies of the public key once I looked them up once, but I don't want to have to have the key prior to them calling me. (Also I have a certificate revocation list that I want to validate against, which I could do at this point or later in the process.)

He stated that I should look at implementing a org.apache.ws.security.components.crypto.Crypto. Do you have any suggestions on where I should start? Or is this not the right approach?

My use case is that we have a central group that manages x509 certs and "flags" for applications for authorization purposes. So I was going to use the x509 signature for authentication, then look up in LDAP the flags on their account for authorization. (The authorization I was going to do later in a CXF interceptor.)

Thanks in advance,
Cole

---------- Forwarded message ----------
From: Daniel Kulp <[email protected]>
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: [email protected]
Cc: Cole Ferrier <[email protected]>

On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but I have a
> few requirements that I'm trying to figure out how I could implement.
>
> 1) I want to be able to accept a signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that I can go and get all the public keys for
> anyone, but I want to do that on demand, so that I don't have to maintain a
> local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list.

I THINK the only way to do this would be to write your own org.apache.ws.security.components.crypto.Crypto object that implements all the needed methods. That's the class that WSS4J uses to handle all the key manipulation and such. You would set your classname in the properties file instead of the Merlin version.

> 2) Then of course I need to check a revocation list, so I'm assuming I
> could just use an interceptor to go and check that? or??

An interceptor could work here. Alternatively, the Crypto object you create above could just throw an exception if a revoked cert is asked for.

> 3) Then the question comes to authorization (since I've already done the
> above to validate that I know who they are). Should this be done in a
> separate interceptor? I am talking I want to authorize at the per service
> layer or operation, not at the whole application.
> How early should I try to do this? I think I was able to get what the
> user is doing on what interface:
>
>     message.get(Message.WSDL_OPERATION)
>     message.get(Message.WSDL_INTERFACE)
>
> and who the user is:
>
>     //ignore the ugly code
>     Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
>     WSSecurityEngineResult r = (WSSecurityEngineResult)
>         ((WSHandlerResult) v.get(0)).getResults().get(0);
>     WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
>         r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>
> Then I could take the user and what they are doing and validate that they
> are authorized for that operation.
>
> Right now I tried this at the Phase.USER_LOGICAL and it seems to work. Is
> this the right place for that?

Yep. You can simplify a bit by doing:

    SecurityContext sc = msg.get(SecurityContext.class);
    Principal p = sc.getUserPrincipal();

> If anyone has had to do anything like this and has sample code, I'd
> appreciate it.
>
> Cole

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
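The custom Crypto that Dan describes, combining the on-demand lookup from point 1 with his suggestion for point 2 (throw from the Crypto when a revoked cert is asked for), as an added example that is not code from this thread, from WSS4J or from CXF. It extends WSS4J's CryptoBase rather than implementing Crypto from scratch, so the keystore-backed lookups are inherited and an empty in-memory KeyStore becomes the cache. It is written against the WSS4J 1.5.x API as of this thread; the CertificateDirectory interface (the seam onto the central key service), the package, the alias format and the two property names are this example's own assumptions, and the exact Crypto/CryptoBase method set should be checked against the WSS4J version on your classpath.

```java
package example.wss; // hypothetical package

import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.CryptoBase;

public class OnDemandCrypto extends CryptoBase {

    /** Seam onto the central key service; implemented by the caller (assumed interface). */
    public interface CertificateDirectory {
        X509Certificate findBySubject(X500Principal subject) throws Exception;
        /** issuerDn arrives in the RFC 2253 form WSS4J extracts from the signer cert. */
        X509Certificate findByIssuerSerial(String issuerDn, BigInteger serial) throws Exception;
    }

    // Property keys are this example's own; they live in the same properties file
    // that names this class as org.apache.ws.security.crypto.provider.
    public static final String PROP_DIRECTORY = "ondemand.crypto.directory.class";
    public static final String PROP_CRL_FILE = "ondemand.crypto.crl.file";

    private final CertificateDirectory directory;
    private final X509CRL crl;

    /** CryptoFactory instantiates Crypto implementations through a (Properties) constructor. */
    public OnDemandCrypto(Properties props) throws Exception {
        directory = (CertificateDirectory) Class.forName(props.getProperty(PROP_DIRECTORY)).newInstance();
        String crlPath = props.getProperty(PROP_CRL_FILE);
        if (crlPath == null) {
            throw new IllegalArgumentException(PROP_CRL_FILE + " is required (fail closed without a CRL)");
        }
        InputStream in = new FileInputStream(crlPath);
        try {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } finally {
            in.close();
        }
        // Empty in-memory keystore used only as a cache; the inherited CryptoBase lookups
        // (getAliasForX509Cert, getCertificates) read this protected field.
        KeyStore cache = KeyStore.getInstance(KeyStore.getDefaultType());
        cache.load(null, null);
        keystore = cache;
    }

    /** Issuer/serial lookup: used for X509IssuerSerial references and by the trust check. */
    @Override
    public String getAliasForX509Cert(String issuer, BigInteger serialNumber) throws WSSecurityException {
        String alias = super.getAliasForX509Cert(issuer, serialNumber); // cache hit?
        if (alias == null) {
            X509Certificate published = lookup(null, issuer, serialNumber);
            if (published == null) {
                return null; // unknown to the central service: not trusted
            }
            alias = cache(published);
        }
        assertUsable(getCertificates(alias)[0]); // re-checked on every call, cache or not
        return alias;
    }

    /** Full-certificate lookup: trust only a cert the central service publishes byte-for-byte. */
    @Override
    public String getAliasForX509Cert(Certificate cert) throws WSSecurityException {
        X509Certificate x509 = (X509Certificate) cert;
        String alias = super.getAliasForX509Cert(cert);
        if (alias == null) {
            X509Certificate published = lookup(x509.getSubjectX500Principal(), null, null);
            if (published == null || !published.equals(x509)) {
                return null; // a matching subject DN alone is not enough
            }
            alias = cache(published);
        }
        assertUsable(x509);
        return alias;
    }

    /** This side only verifies; it has no default signing identity. */
    @Override
    public String getDefaultX509Alias() {
        return null;
    }

    private X509Certificate lookup(X500Principal subject, String issuer, BigInteger serial)
            throws WSSecurityException {
        try {
            return subject != null ? directory.findBySubject(subject)
                                   : directory.findByIssuerSerial(issuer, serial);
        } catch (Exception e) {
            // A directory outage must fail the request, not degrade into "not found"
            throw new WSSecurityException("certificate directory lookup failed", e);
        }
    }

    private synchronized String cache(X509Certificate cert) throws WSSecurityException {
        String alias = cert.getSubjectX500Principal().getName() + "#" + cert.getSerialNumber().toString(16);
        try {
            keystore.setCertificateEntry(alias, cert);
        } catch (KeyStoreException e) {
            throw new WSSecurityException("cannot cache certificate", e);
        }
        return alias;
    }

    /** Validity window plus CRL check; throwing here fails the signature verification. */
    private void assertUsable(X509Certificate cert) throws WSSecurityException {
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException("certificate outside validity period: "
                    + cert.getSubjectX500Principal().getName(), e);
        }
        if (crl.isRevoked(cert)) {
            throw new WSSecurityException("certificate revoked: " + cert.getSubjectX500Principal().getName());
        }
    }
}
```

Two points a practitioner would check. In WSS4J 1.5.x the receive-side trust decision is keyed on the signer's issuer DN and serial number (both for X509IssuerSerial references and when WSHandler checks trust in a certificate carried as a BinarySecurityToken), so the issuer/serial override is the one that gates trust; the Certificate overload is overridden as well so any path that hands the class the whole certificate applies the same policy, but confirm which overloads your WSS4J version calls before relying on this. The revocation check runs on every lookup, including cache hits, because caching the certificate must not also cache the decision that it is still valid; the CRL itself is loaded once here, so in practice reload it when its nextUpdate passes and verify its signature against the issuing CA before trusting it.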

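The per-operation authorization step from point 3, done the way Dan confirms (Phase.USER_LOGICAL, reading the principal from the SecurityContext), as an added example that is not code from this thread or from CXF. It assumes, as the thread does, that the principal WSS4J places in the SecurityContext after signature verification is the signer certificate's subject, and that the LDAP account lookup sits behind the FlagSource interface; that interface, the class name and the operation-to-flag map are this example's assumptions.

```java
package example.wss; // hypothetical package

import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

public class FlagAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Seam onto the LDAP lookup: the flags granted to a certificate subject (assumed interface). */
    public interface FlagSource {
        Set<String> flagsFor(String subjectDn);
    }

    private final FlagSource flags;
    private final Map<QName, String> requiredFlagByOperation;

    public FlagAuthorizingInterceptor(FlagSource flags, Map<QName, String> requiredFlagByOperation) {
        // USER_LOGICAL runs after WSS4JInInterceptor has verified the signature and
        // populated the SecurityContext, and after the WSDL operation has been resolved.
        super(Phase.USER_LOGICAL);
        this.flags = flags;
        this.requiredFlagByOperation = requiredFlagByOperation;
    }

    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal p = (sc == null) ? null : sc.getUserPrincipal();
        if (p == null) {
            // No verified signer means WS-Security was not enforced on this message.
            throw new Fault(new SecurityException("request is not authenticated"));
        }
        QName operation = (QName) message.get(Message.WSDL_OPERATION);
        if (!isAuthorized(p.getName(), operation)) {
            throw new Fault(new SecurityException(p.getName() + " is not authorized for " + operation));
        }
    }

    /** Pure decision, kept apart from the Message so it can be unit-tested directly. */
    boolean isAuthorized(String subjectDn, QName operation) {
        String required = requiredFlagByOperation.get(operation);
        if (required == null) {
            return false; // operation not in the map: fail closed rather than allow
        }
        Set<String> granted = flags.flagsFor(subjectDn);
        return granted != null && granted.contains(required);
    }
}
```

The interceptor denies any operation that has no entry in the map, so adding a new operation to the service without deciding its flag blocks it instead of exposing it; Message.WSDL_INTERFACE can be added to the map key if the same operation name appears on more than one port type.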