I wrote a ws-security service that works very well so far. I have just one problem. My service can only be used by a single client... that is because of the service-config.xml, where I need to name the explicit user I want the outgoing message encrypted for. My beans for the service look like this:
<bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <!-- Use this action order for local clients -->
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <!-- Use this action spec for WCF clients
            <entry key="action" value="Signature Encrypt Timestamp"/>
            -->
            <entry key="signaturePropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
            <entry key="decryptionPropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
            <entry key="passwordCallbackClass"
                   value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
        </map>
    </constructor-arg>
</bean>

<!--
    WSS4JOutInterceptor for encoding and signing the SOAP response.
    There are some attacks that exploit the "cbc" mode of a Symmetric Encryption Algorithm. WSS4J has support for
    "gcm" mode algorithms as well. This can be specified via WSHandlerConstants.ENC_SYM_ALGO
    ("encryptionSymAlgorithm"), for example to "http://www.w3.org/2009/xmlenc11#aes128-gcm".
-->
<bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="bob"/>
            <entry key="signaturePropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
            <entry key="encryptionPropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="encryptionUser" value="Alice"/>
            <entry key="passwordCallbackClass"
                   value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
            <entry key="signatureParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts"
                   value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionSymAlgorithm"
                   value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        </map>
    </constructor-arg>
</bean>
What can I do to force the service to determine the client alice by itself? As it is, my alice client is the only one that is able to communicate with the server. I want to store several client keys in my keystore, and the service shall determine all by itself which key to use.
It would be great if someone could help me. Thanks.
Instead of specifying an "encryptionUser" of "Alice" in your service, you can instead specify an "encryptionUser" of "useReqSigCert". This is a special value that tells CXF/WSS4J to use the client signing certificate for encryption.
Colm.
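As an added illustration (not part of the original thread, and not the poster's or CXF's own code), here is the response interceptor from the question with Colm's suggestion applied. The property file paths and callback class are the ones from the question; the AES-GCM URI is the one named in the question's own comment, substituted for the 3DES-CBC setting as a matter of hygiene, not as part of the fix.

```xml
<bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <!-- "user" still names the service's own key (bob) used to sign the response -->
            <entry key="user" value="bob"/>
            <entry key="signaturePropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
            <entry key="encryptionPropFile"
                   value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <!--
                Instead of a fixed alias ("Alice"), the special value "useReqSigCert" tells WSS4J
                to encrypt the response with the certificate that signed the incoming request.
                This only works because the inbound WSS4JInInterceptor's action includes
                "Signature": the cert is the one whose signature was verified on the request,
                so the trust decision is made there (against the inbound signature crypto),
                not here. A request without a verified signature has no cert to encrypt for.
            -->
            <entry key="encryptionUser" value="useReqSigCert"/>
            <entry key="passwordCallbackClass"
                   value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
            <entry key="signatureParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts"
                   value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <!-- GCM mode, as suggested in the question's comment, instead of tripledes-cbc -->
            <entry key="encryptionSymAlgorithm"
                   value="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
        </map>
    </constructor-arg>
</bean>
```

With this in place, adding a new client means adding its certificate to the keystore the inbound signature verification trusts; no per-client entry in the response interceptor is needed.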