Subject: WS-Security Encryption/Decryption Advice

Hi guys,

I'm currently developing a secure web services scenario using Apache CXF/WSS4J. We require all messages to be signed and encrypted. This includes both messages to and from the server. I have gone through all the WS-Security examples in the Apache CXF samples directory and have been able to get most of this functionality going. However, I can't seem to figure out how to encrypt messages going back to the client using the public certificate that is provided in the inbound message's SOAP Header.

To expand on this, the following is how it should work:

1. Client uses private key to generate signature and puts its public certificate into the SOAP Header
2. Client uses server's public key to encrypt message
3. Client sends message to server
4. Server decrypts message with server's private key
5. Server extracts client's public certificate from SOAP Header and verifies validity with CA's public key
6. Server uses client's public certificate from SOAP Header to verify signature
7. Server generates response message
8. Server uses private key to generate signature and puts its public certificate into the SOAP Header
9. Server uses client's public certificate (from inbound SOAP Header) to encrypt the signed message
10. Server sends message to client
11. Client decrypts message with its private key
12. Client extracts server's public certificate from SOAP Header and verifies validity with CA's public key
13. Client uses signing certificate from SOAP Header to verify signature

I have got most of this already working. However, how to do step 9 is not clear to me and I am seeking some advice on how to do this.

My existing implementation uses the following applicationContext.xml files:

Client: http://pastebin.com/DQJadG7p
Server: http://pastebin.com/cu3gVxSu

Thanks for your help!

Regards,
sebastian.
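One way to get step 9 with the WSS4J interceptors, as an added example that is not part of the original post or of the poster's applicationContext.xml files: WSS4J accepts the special value `useReqSigCert` for the outbound `encryptionUser` property, which tells the server-side WSS4JOutInterceptor to encrypt the response with whatever certificate verified the signature on the inbound request, rather than with a fixed keystore alias. The code below wires that up programmatically for a server; the key alias `serverkey`, the property-file names, the password string and the `ServerPasswordCallback` class are all assumptions for illustration, and the package names are the WSS4J 1.x ones (`org.apache.ws.security.*`), which moved to `org.apache.wss4j.*` in WSS4J 2.x.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Example server-side WS-Security wiring (not the poster's code). */
public class ServerSecurityConfig {

    /** Hands WSS4J the password of the server's private key (alias and password are assumptions). */
    public static class ServerPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("serverkey".equals(pc.getIdentifier())) {
                    // Assumption: in a real deployment read this from a secret store, not a literal.
                    pc.setPassword("server-key-password");
                }
            }
        }
    }

    /** Inbound (steps 4 to 6): decrypt with the server key, then verify the client's signature. */
    public static WSS4JInInterceptor inboundInterceptor() {
        Map<String, Object> in = new HashMap<String, Object>();
        // Must match what the client's outbound interceptor produces; WSS4J checks the
        // received Security header against this list and rejects anything missing.
        in.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        // Truststore used to verify the client's signing certificate chain (step 5): hold the CA cert here.
        in.put(WSHandlerConstants.SIG_PROP_FILE, "serverSignature.properties");
        // Keystore holding the server's private key, used to decrypt the request (step 4).
        in.put(WSHandlerConstants.DEC_PROP_FILE, "serverDecryption.properties");
        in.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordCallback.class.getName());
        return new WSS4JInInterceptor(in);
    }

    /** Outbound (steps 8 and 9): sign with the server key, encrypt for the cert that signed the request. */
    public static WSS4JOutInterceptor outboundInterceptor() {
        Map<String, Object> out = new HashMap<String, Object>();
        out.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        out.put(WSHandlerConstants.USER, "serverkey"); // signing alias in serverSignature.properties (assumed)
        // DirectReference embeds the server certificate as a BinarySecurityToken in the header (step 8),
        // so the client can pull it out and validate it against the CA (step 12).
        out.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        out.put(WSHandlerConstants.SIG_PROP_FILE, "serverSignature.properties");
        // Step 9: reuse the certificate that verified the inbound signature instead of a fixed alias.
        out.put(WSHandlerConstants.ENCRYPTION_USER, WSHandlerConstants.USE_REQ_SIG_CERT);
        out.put(WSHandlerConstants.ENC_PROP_FILE, "serverEncryption.properties");
        out.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServerPasswordCallback.class.getName());
        return new WSS4JOutInterceptor(out);
    }

    /** Publishes a JAX-WS service bean with both interceptors attached. */
    public static Server publish(Object serviceBean, String address) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(serviceBean);
        factory.setAddress(address);
        factory.getInInterceptors().add(inboundInterceptor());
        factory.getOutInterceptors().add(outboundInterceptor());
        return factory.create();
    }
}
```

In a Spring applicationContext.xml the same thing is a single `<entry key="encryptionUser" value="useReqSigCert"/>` in the map passed to the server's outbound WSS4J interceptor. Two things to check: `useReqSigCert` only works when the inbound interceptor on the same exchange actually verified a signature, so `Signature` has to stay in the inbound `action` list (an unsigned request then has no certificate to encrypt to and the response fails rather than falling back to another key); and the truststore behind `signaturePropFile` is what implements step 5, so it should contain only the CA that issues client certificates, not the client certificates themselves.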
