CXF with Digital Signatures

9 messages

CXF with Digital Signatures

jaybytez
I am trying to utilize the CXF Framework to create a Digital Signature on the client.

I am using the JaxWsProxyFactoryBean and trying to configure, through the Spring context file, the wiring for the WSS4JOutInterceptor.  It's hard to find a clear example, so I have pieced together articles to resolve this, and it brings me to a ClassNotFoundException: org.apache.security.juice.provider.JuiCEProviderOpenSSL (which appears to be dormant since 2007).

Here is my pom:

    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-ws-security</artifactId>
        <version>${cxf.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.apache.geronimo.specs</groupId>
                <artifactId>geronimo-stax-api_1.0_spec</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apache.ws.security</groupId>
        <artifactId>wss4j</artifactId>
        <version>1.5.8</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aop</artifactId>
        <version>3.0.5.RELEASE</version>
    </dependency>

Here is a sample of what I am trying to do:

    <bean id="fooServiceProxyFactory" class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean" lazy-init="true">
        <property name="serviceClass" value="com.foo.service.FooBusinessService"/>
        <property name="address" value="https://localhost:8150/foo-war/FooBusinessService"/>
        <property name="inInterceptors" ref="logInbound"/>
        <property name="outInterceptors">
            <list>
                <ref bean="logOutbound"/>
                <ref bean="saajOutInterceptor"/>
                <ref bean="wss4jOutInterceptor"/>
            </list>
        </property>
    </bean>

    <bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    <bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
    <bean id="saajOutInterceptor" class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
    <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature"/>
                <entry key="user" value="user"/>
                <entry key="password" value="password"/>
                <entry key="signaturePropFile" value="wss4j.properties"/>
            </map>
        </constructor-arg>
    </bean>
Any suggestions as to what is wrong here?  And why is there a request to use JuiCEProviderOpenSSL?

Thanks for your help,

Jay

Re: CXF with Digital Signatures

coheigea
Administrator
The ClassNotFoundException for JuiCE is not an error. If WSS4J can't
load it, it logs the exception you're seeing, and then it proceeds as
normal.

Colm.

On Thu, Mar 3, 2011 at 9:56 PM, jaybytez <[hidden email]> wrote:

> I am trying to utilize the CXF Framework to create a Digital Signature on the
> client.
>
> I am using the JaxWsProxyFactoryBean and trying to configure, through the
> Spring context file, the wiring for the WSS4JOutInterceptor.  It's hard to
> find a clear example, so I have pieced together articles to resolve this, and
> it brings me to a ClassNotFoundException:
> org.apache.security.juice.provider.JuiCEProviderOpenSSL (which appears to be
> dormant since 2007).
>
> Any suggestions as to what is wrong here?  And why is there a request to use
> JuiCEProviderOpenSSL?
>
> Thanks for your help,
>
> Jay
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-with-Digital-Signatures-tp3408690p3408690.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>

Re: CXF with Digital Signatures

Juan Pablo Pizarro
jaybytez, all the examples you need are in the CXF samples folder. If you need
others, I can send you some code, but I'm sure all you need is there.

{USER_HOME}/apache-cxf-2.3.3/samples/ws_security

Regards.

JP


2011/3/4 Colm O hEigeartaigh <[hidden email]>

> The ClassNotFoundException for JuiCE is not an error. If WSS4J can't
> load it, it logs the exception you're seeing, and then it proceeds as
> normal.
>
> Colm.
>
> On Thu, Mar 3, 2011 at 9:56 PM, jaybytez <[hidden email]> wrote:
> > I am trying to utilize the CXF Framework to create a Digital Signature on
> the
> > client.
> >
> > I am using the JaxWsProxyFactoryBean and trying to configure, through the
> > Spring context file, the wiring for the WSS4JOutInterceptor.  It's hard to
> > find a clear example, so I have pieced together articles to resolve this,
> and
> > it brings me to a ClassNotFoundException:
> > org.apache.security.juice.provider.JuiCEProviderOpenSSL (which appears to
> be
> > dormant since 2007).
> >
> > Any suggestions as to what is wrong here?  And why is there a request to
> use
> > JuiCEProviderOpenSSL?
> >
> > Thanks for your help,
> >
> > Jay
> >
> > --
> > View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-with-Digital-Signatures-tp3408690p3408690.html
> > Sent from the cxf-user mailing list archive at Nabble.com.
> >
>

Re: CXF with Digital Signatures

jaybytez
Thanks. I figured it out via some cross-referencing between CXF blogs, the WSS4J docs and some of my old Spring Web Service Framework code.

Where I am stuck now is that I am actually using a keystore for sending the request over SSL.

I have a war that has the wss4j properties at the root along with the identity keystore and the trust manager keystore; however, the http:conduit throws a FileNotFoundException saying it cannot find the trust manager keystore.

Can I use the Spring classpath* wildcarding in the file attribute?


    <http:conduit name="*.http-conduit">
        <http:tlsClientParameters secureSocketProtocol="SSL">
            <sec:trustManagers>
                <sec:keyStore type="JKS" password="password"
                              file="TM-Trust.jks"/>
            </sec:trustManagers>
        </http:tlsClientParameters>
    </http:conduit>

Thanks...jay

Re: CXF with Digital Signatures

jaybytez
Okay...looks like it should be resource for something in the classpath and not file.

Re: CXF with Digital Signatures

jaybytez
In reply to this post by Juan Pablo Pizarro
I am trying to do the following, and there seems to be no clear documentation on how to do a Digital Signature and what specific parameters need to be used.  Any thoughts would be huge:

    <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature"/>
                <entry key="user" value="aliasName"/>
                <entry key="signaturePropFile" value="wss4j.properties"/>
                <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
                <entry key="passwordCallbackRef">
                    <bean class="PasswordCallbackHandler">
                        <property name="password" value="password"/>
                    </bean>
                </entry>
            </map>
        </constructor-arg>
    </bean>

Thanks for your time...

Re: CXF with Digital Signatures

jaybytez
This is absolutely a critical path for me...I would appreciate anyone who has experience.

We are trying to do X.509 Signature on the message and use SSL.

I just don't understand what WSS4J is doing under the covers.

For instance, user should not be required because I am doing Signature and not "Username Token", so why do I need this?  There is no equivalent in a Signature/JKS to the user.

Is the user supposed to equate to the owner or issuer?

Also, if I want to do X.509...is the signatureKeyIdentifier supposed to be X509KeyIdentifier?

Thanks for your time....jay

Re: CXF with Digital Signatures

coheigea
Administrator
> For instance, user should not be required because I am doing Signature and
> not "Username Token" so why do I need this.  There is no equivalent in a
> Signature/JKS to the user.

The user corresponds to the alias of the key you're getting from the
KeyStore to sign the message.

> Also, if I want to do X.509...is the signatureKeyIdentifier supposed to be
> X509KeyIdentifier?

The "signatureKeyIdentifier" config option gives you more control
about how to reference the key needed to verify the signature. By
default the Issuer name and serial number of the certificate are used.
If you want to include the certificate itself, you can specify
"DirectReference" instead.

Colm.

On Sat, Mar 5, 2011 at 1:33 AM, jaybytez <[hidden email]> wrote:

> This is absolutely a critical path for me...I would appreciate anyone who has
> experience.
>
> We are trying to do X.509 Signature on the message and use SSL.
>
> I just don't understand what the WSS4J is doing under the covers.
>
> For instance, user should not be required because I am doing Signature and
> not "Username Token" so why do I need this.  There is no equivalent in a
> Signature/JKS to the user.
>
> Is the user supposed to equate to the owner or issuer?
>
> Also, if I want to do X.509...is the signatureKeyIdentifier supposed to be
> X509KeyIdentifier?
>
> Thanks for your time....jay
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-with-Digital-Signatures-tp3408690p3410361.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
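The answer above settles the two points the earlier posts kept tripping over: "user" is the keystore alias of the signing key (the password callback is asked for that alias's private-key password), and signatureKeyIdentifier only controls how the recipient is told which certificate to verify against. The following is an added example, not code from the thread, CXF or WSS4J, that wires the same Spring <map> from the posts above in Java and adds a callback handler that releases the key password only for the expected alias and only for signing. It assumes a wss4j.properties on the classpath with the Merlin keys shown in the comment, a signing alias and keystore name that are constructed placeholders, and a WSS4J build whose WSPasswordCallback exposes getIdentifier() (older 1.5 builds spell that accessor getIdentifer()).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Client-side WS-Security signature configured in code rather than Spring XML.
 * Assumes a classpath file wss4j.properties of this (constructed) form, which
 * points WSS4J's Merlin crypto provider at the JKS holding the signing key:
 *
 *   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
 *   org.apache.ws.security.crypto.merlin.keystore.type=jks
 *   org.apache.ws.security.crypto.merlin.keystore.password=keystore-password
 *   org.apache.ws.security.crypto.merlin.keystore.alias=client-sign
 *   org.apache.ws.security.crypto.merlin.file=client-identity.jks
 */
public class SigningClientExample {

    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    /**
     * Hands WSS4J the private-key password. The "user" in the interceptor map is
     * the keystore alias; WSS4J calls this handler with that alias as the
     * identifier when it needs to unlock the key for signing.
     */
    public static class KeyPasswordCallback implements CallbackHandler {
        private final String alias;
        private final String keyPassword;

        public KeyPasswordCallback(String alias, String keyPassword) {
            this.alias = alias;
            this.keyPassword = keyPassword;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Release the password only for the expected alias and only for the
                // SIGNATURE usage, so a misconfigured action cannot reuse the signing key.
                // getIdentifier() is assumed here; older WSS4J 1.5 builds name it getIdentifer().
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE && alias.equals(pc.getIdentifier())) {
                    pc.setPassword(keyPassword);
                }
            }
        }
    }

    /** The same keys as the Spring <map> in the thread, written via WSHandlerConstants. */
    public static Map<String, Object> signatureConfig(String alias, CallbackHandler handler) {
        Map<String, Object> props = new HashMap<String, Object>();
        // Timestamp first, then Signature, so the signature covers the Timestamp and the Body.
        props.put(WSHandlerConstants.ACTION,
                  WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, alias);                        // keystore alias, not a login name
        props.put(WSHandlerConstants.SIG_PROP_FILE, "wss4j.properties");  // Merlin properties on the classpath
        props.put(WSHandlerConstants.PW_CALLBACK_REF, handler);           // the handler object, not a class name
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");      // embed the cert; default is IssuerSerial
        props.put(WSHandlerConstants.SIGNATURE_PARTS,
                  "{Element}{" + WSU_NS + "}Timestamp;{Element}{" + SOAP_NS + "}Body");
        return props;
    }

    /** Equivalent of the fooServiceProxyFactory bean: SAAJ interceptor first, then WSS4J. */
    public static JaxWsProxyFactoryBean signingProxyFactory(Class<?> serviceClass, String address,
                                                            String alias, CallbackHandler handler) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setAddress(address);
        factory.getOutInterceptors().add(new SAAJOutInterceptor());
        factory.getOutInterceptors().add(new WSS4JOutInterceptor(signatureConfig(alias, handler)));
        return factory;
    }
}
```

Usage is `signingProxyFactory(FooBusinessService.class, address, "client-sign", new KeyPasswordCallback("client-sign", keyPassword)).create()`. Binding the Timestamp into the signed parts is what stops a captured, validly signed message from being replayed indefinitely; DirectReference makes the recipient's certificate lookup independent of issuer/serial matching but puts the whole certificate on the wire, so keep IssuerSerial (the default) where the recipient already holds your certificate in its truststore.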

Re: CXF with Digital Signatures

jaybytez
Should I switch over to trying to do encryption via this jaxws:properties?

http://cxf.apache.org/docs/ws-securitypolicy.html

Also, if I provide this information and I need 2-way SSL...do I need to still
provide the keyManagers in the http conduit configuration?

Thanks..jay
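For the transport-level question in this and the earlier conduit post: the trustManagers decide which server certificates the client accepts, the keyManagers supply the client certificate a server demands in two-way SSL, and neither is related to the WS-Security signing key, which WSS4J reads from its own crypto properties. Declaratively, a keystore packaged in the WAR is referenced with the resource attribute on sec:keyStore rather than file, and the client identity goes in a sec:keyManagers element with a keyPassword attribute. The following is an added example, not code from the thread or from CXF, that does the same thing programmatically and fails loudly when a keystore is missing from the classpath; the keystore names and passwords are constructed placeholders.

```java
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Two-way (mutual) TLS for a CXF client with both keystores read from the
 * classpath, which is what a WAR deployment needs instead of a file path.
 * Keystore names and passwords used by callers are constructed placeholders.
 */
public class MutualTlsConduitExample {

    /** Load a JKS from the classpath; a missing store is an error, never an empty trust set. */
    public static KeyStore loadClasspathKeyStore(String resource, char[] storePassword) throws Exception {
        InputStream in = MutualTlsConduitExample.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new FileNotFoundException("keystore not on classpath: " + resource);
        }
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, storePassword);
            return ks;
        } finally {
            in.close();
        }
    }

    /**
     * trustStore: CA or server certificates the client will accept.
     * identityStore: the client's own certificate and private key for two-way TLS.
     * These are independent of the WS-Security signing key in wss4j.properties.
     */
    public static TLSClientParameters mutualTlsParameters(KeyStore trustStore,
                                                          KeyStore identityStore,
                                                          char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore, keyPassword);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");       // the thread's XML said "SSL"; ask for TLS
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setDisableCNCheck(false);             // keep hostname verification switched on
        return tls;
    }

    /** Attach the TLS parameters to the HTTP conduit behind a JAX-WS proxy. */
    public static void applyTo(Object port, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

A typical call is `applyTo(port, mutualTlsParameters(loadClasspathKeyStore("TM-Trust.jks", pw), loadClasspathKeyStore("client-identity.jks", pw), keyPw))` on the proxy returned by the factory. Throwing on a missing truststore matters: a client that silently falls back to an empty or default trust set will either fail later with a less obvious error or, worse, accept the wrong server.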