Reputation: 3014
Apache CXF - configure WSS4J to extract server's x.509 certificate from SOAP header
I'm communicating with the server which inserts its X.509 certificate as Binary Security Token in SOAP response header. How can I configure my WSS4JInInterceptor accordingly?
Here is my code which expects the certificate to be in a JKS keystone
// for incoming messages: Signature and Timestamp validation. Response is Encrypted
inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.ENCRYPT);
inProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallbackHandler.class.getName());
inProps.put(WSHandlerConstants.SIG_PROP_FILE, "server_sec.properties");
inProps.put(WSHandlerConstants.DEC_PROP_FILE, "client_sec.properties");
wss4JInInterceptor = new WSS4JInInterceptor(inProps);
server_sec.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=ver2
org.apache.ws.security.crypto.merlin.file=certs/kontaktinfo-server-test.jks
How can I reconfigure it to extract the certificate from Binary Security Token instead?
Upvotes: 1
Views: 1042
Answers (1)
Reputation: 1900
If the response references a certificate in the security header, then WSS4J will handle it without any configuration changes required. However, you still need to configure at least a trust-store, to verify trust in the certificate. So your "signing" keystore configuration must at least have the issuing cert of the cert used to verify the signature.
Upvotes: 1