can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan

Hello

can a supportingToken of type X509Token like this one

<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                     xmlns:wsp="http://www.w3.org/ns/ws-policy">
    <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
                <sp:WssUsernameToken11/>
            </wsp:Policy>
        </sp:UsernameToken>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
                <sp:WssX509V3Token10/>
            </wsp:Policy>
        </sp:X509Token>
    </wsp:Policy>
</sp:SupportingTokens>

come from the conduit tlsClientParameters element (maybe by also specifying the
transportBinding/httpsToken policy as well) and not have to use the client
properties



<entry key="security.signature.properties" value="security.signature.properties"/>
<entry key="security.encryption.properties" value="security.encryption.properties"/>

(in this case, it comes from the alias in security.signature.properties)

Thanks.



--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

coheigea
Administrator
No, the SupportingToken policies are message level policies and as such
need to be configured using the WS-Security properties.

Colm.

On Mon, Jan 22, 2018 at 3:06 PM, vlad.balan <[hidden email]> wrote:



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
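The split Colm describes, shown as an added Java example (not code from this thread or from the CXF project itself): one method fills the conduit's TLSClientParameters, which only the TLS handshake (the HttpsToken) uses; the other sets the WS-Security properties that the X509Token SupportingToken (the BST) and the UsernameToken are built from. The KeyStore objects, alias, username, CallbackHandler and the name of the Merlin properties file are assumed inputs.

```java
import java.security.KeyStore;
import java.util.Map;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.SecurityConstants;

/**
 * Two independent places a CXF JAX-WS client is given key material.
 * The conduit's TLSClientParameters feed only the TLS handshake (HttpsToken);
 * the WS-Security properties feed only the message-level tokens (the X509Token
 * BST and the UsernameToken of the SupportingTokens assertion). Neither layer
 * reads the other's configuration.
 */
public class ClientSecurityConfig {

    /** Transport level: programmatic form of <http:conduit><http:tlsClientParameters>. */
    public static void configureTransport(Object port, KeyStore clientKeyStore, char[] keyPassword,
                                          KeyStore trustStore) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());      // client certificate presented in the handshake
        tls.setTrustManagers(tmf.getTrustManagers());  // CAs accepted for the server certificate
        tls.setDisableCNCheck(false);                  // keep hostname verification on
        conduit.setTlsClientParameters(tls);
    }

    /**
     * Message level: programmatic form of the <jaxws:properties> entries.
     * cryptoPropertiesFile names a WSS4J Merlin properties file on the classpath, e.g.
     *   org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
     *   org.apache.wss4j.crypto.merlin.keystore.type=jks
     *   org.apache.wss4j.crypto.merlin.keystore.password=<keystore password>
     *   org.apache.wss4j.crypto.merlin.keystore.alias=<alias of the signing key>
     *   org.apache.wss4j.crypto.merlin.keystore.file=client.jks
     * It may point at the same .jks the TLS layer uses, but it has to be configured here as well.
     */
    public static void configureMessageSecurity(Object port, String cryptoPropertiesFile,
                                                String signatureAlias, String username,
                                                CallbackHandler passwordCallback) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, cryptoPropertiesFile); // "security.signature.properties"
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, signatureAlias);          // which key becomes the BST
        ctx.put(SecurityConstants.USERNAME, username);                          // for the UsernameToken
        ctx.put(SecurityConstants.CALLBACK_HANDLER, passwordCallback);          // key and UT passwords
    }
}
```

Leaving out configureMessageSecurity does not make the WS-Security layer fall back to the conduit's key manager: the outbound policy interceptors fail because no signature crypto is configured. Pointing both at the same keystore file is a deployment choice, not something CXF infers.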
Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan
Thanks a lot!

because from this post

http://cxf.547215.n5.nabble.com/x-509-security-token-tp5150380p5485643.html

I understood that by adding TransportBinding/HttpsToken, "Then you would
see the BST in the request"

And since, I guess, TransportBinding/HttpsToken comes from the conduit
tlsClientParameters, I said to myself that the SupportingToken will
also come from there, as it comes from TransportBinding/HttpsToken.





Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan
Is there any way to do authentication/authorization with only the certificate
from the TLS transport level, as the servlet container web.xml
<login-config>CLIENT-CERT</login-config> does?



Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

coheigea
Administrator
I don't understand the question - could you expand a bit more on what you
want to do?

Colm.

On Mon, Jan 22, 2018 at 3:20 PM, vlad.balan <[hidden email]> wrote:




Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan


1. I was trying to do authentication + authorization with only the client
certificate from TLS.

(as the <login-config>CLIENT-CERT</login-config> does in web.xml for
servlets)

(Tomcat, for example, takes the Distinguished Name from the certificate and does
authorization from a simple tomcat-users.xml file where it maps it to roles)


2. From this exact post here

http://cxf.547215.n5.nabble.com/x-509-security-token-tp5150380p5485643.html

I understood that by adding TransportBinding/HttpsToken + a SupportingToken
of type X509Token, "Then you would
see the BST in the request" (and then use it, but that is another question)

And since, as I guessed, TransportBinding/HttpsToken takes its certificate
from the conduit
tlsClientParameters, I said to myself that the SupportingToken will
also come from tlsClientParameters, because in fact it is the same as for
TransportBinding/HttpsToken.

This was the understanding from the above link.

But as you explained in your response to my post, it seems that a
SupportingToken of type X509Token comes only from the "client
jaxws:properties"





In any case, what i try to do is point 1.

Thanks a lot.



Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

coheigea
Administrator
On Mon, Jan 22, 2018 at 6:21 PM, vlad.balan <[hidden email]> wrote:

>
>
> 1. I was trying to do authentication + authorization with only the client
> certificate from TLS.
>
> (as the <login-config>CLIENT-CERT</login-config> does in web.xml for
> servlets)
>
> (Tomcat, for example, takes the Distinguished Name from the certificate and does
> authorization from a simple tomcat-users.xml file where it maps it to roles)
>

Why not just re-use Tomcat here? You can configure a CXF Jetty endpoint as
an alternative for authentication, e.g.:

http://cxf.apache.org/docs/jetty-configuration.html
http://cxf.apache.org/docs/tls-configuration.html


>
> 2. from this exact post here
>
> http://cxf.547215.n5.nabble.com/x-509-security-token-
> tp5150380p5485643.html
>
> I understood that by adding TransportBinding/HttpsToken + a
> SupportingToken
> of type X509Token, "Then you would
> see the BST in the request" (and then use it, but that is another question)
>

The BST refers to the X.509 SupportingToken Token which is obtained from
the WS-Security message properties.

Colm.





Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan
Thanks.

OK, so in CXF it is not possible to extract the certificate from the TLS transport
and use it for authentication+authorization. Is that right?

Thanks a lot.





Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

coheigea
Administrator
You can obtain the certificate if you are using an application container
such as Tomcat or else the CXF Jetty server.

Colm.

On Tue, Jan 23, 2018 at 9:58 AM, vlad.balan <[hidden email]> wrote:




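What Colm's two answers point at, as an added Java example that is not code from this thread or from the CXF project: an interceptor that takes the client certificate the TLS layer already verified (TLSSessionInfo on the CXF Jetty server, the standard Servlet request attribute on Tomcat) and maps its subject DN to roles, plus a helper that makes an embedded CXF Jetty port demand a client certificate. The DN-to-role table, the required roles, the "client.cert.dn" message key and the key/trust managers are assumptions; on Tomcat the connector's clientAuth setting replaces requireClientCertificates and only the interceptor is needed.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;

import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

import org.apache.cxf.Bus;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.ClientAuthentication;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.AbstractHTTPDestination;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

/**
 * CLIENT-CERT style authentication for a CXF endpoint. The TLS layer has already
 * validated the chain against the trust store; this interceptor turns the verified
 * subject DN into an identity and checks it against a role table.
 */
public class ClientCertAuthInterceptor extends AbstractPhaseInterceptor<Message> {

    private final Map<String, Set<String>> rolesByDn; // assumption: static DN -> roles table (like tomcat-users.xml)
    private final Set<String> requiredRoles;

    public ClientCertAuthInterceptor(Map<String, Set<String>> rolesByDn, Set<String> requiredRoles) {
        super(Phase.RECEIVE); // runs before the SOAP body is parsed
        this.rolesByDn = rolesByDn;
        this.requiredRoles = requiredRoles;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        X509Certificate[] chain = peerChain(message);
        if (chain == null || chain.length == 0) {
            // Reached when clientAuthentication is want="true" but required="false": fail closed.
            throw new Fault(new SecurityException("TLS client certificate required"));
        }
        // chain[0] is the end-entity certificate; RFC 2253 form keeps the string comparison stable.
        String dn = chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
        Set<String> roles = rolesByDn.get(dn);
        if (roles == null || !roles.containsAll(requiredRoles)) {
            throw new Fault(new SecurityException("Not authorised: " + dn));
        }
        message.put("client.cert.dn", dn); // hypothetical key so the service implementation can see the caller
    }

    /** CXF Jetty server: TLSSessionInfo. Servlet container (Tomcat etc.): the standard request attribute. */
    static X509Certificate[] peerChain(Message message) {
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        if (tls != null && tls.getPeerCertificates() != null) {
            Certificate[] certs = tls.getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++) {
                x509[i] = (X509Certificate) certs[i];
            }
            return x509;
        }
        HttpServletRequest req = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (req != null) {
            return (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        }
        return null;
    }

    /** Embedded Jetty only: demand a client certificate on this port, the programmatic form of
     *  <sec:clientAuthentication want="true" required="true"/> inside http:tlsServerParameters. */
    public static void requireClientCertificates(Bus bus, int port, KeyManager[] keyManagers,
                                                 TrustManager[] trustManagers) throws Exception {
        TLSServerParameters tlsParams = new TLSServerParameters();
        tlsParams.setKeyManagers(keyManagers);     // server certificate
        tlsParams.setTrustManagers(trustManagers); // CAs whose client certificates are accepted
        ClientAuthentication auth = new ClientAuthentication();
        auth.setWant(true);
        auth.setRequired(true);
        tlsParams.setClientAuthentication(auth);
        bus.getExtension(JettyHTTPServerEngineFactory.class).setTLSServerParametersForPort(port, tlsParams);
    }
}
```

Register the interceptor on the endpoint with jaxws:inInterceptors or endpoint.getInInterceptors().add(...). The authorization decision is only as strong as the trust store behind TLSServerParameters: any certificate that chains to one of those CAs reaches the DN lookup, so keep that store limited to the CA that issues client certificates rather than reusing a general-purpose bundle.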
Re: can supportingToken X509Token come directly from conduit tlsClientParameters and not from properties of client?

vlad.balan
With a Jetty endpoint, do you have any idea how I can provide it with the
web.xml?

(So that I can set the well-known
<login-config><auth-method>CLIENT-CERT</auth-method></login-config> in
web.xml)

I don't know if a Jetty endpoint is in a web app at all, in fact...

Or, if not through web.xml, then some other way of telling it the same
thing?


