7 Replies Latest reply on Feb 25, 2008 12:41 PM by mrostan

    Retrieving alias for WS Secure client

    nightcap

      Hi,

      I am using X509 certificates to authenticate WebService clients for JBoss 4.0.5 and JBossWS 1.2.1 (JAX-WS).

      Everything works fine, however, in my web service code, I would like to know the alias for the public key entry in the keystore for the calling client.

      One way would be to parse the SOAP-document, obtain the element containing the security info, and manually look it up in the keystore.

      However, I wonder if there is a standardized way (JBoss-specific is no problem) of obtaining the alias from the keystore given the SOAP message, or at least a way of obtaining the certificate from the SOAP message without manually digging into SOAP details.

      Thanks

        • 1. Re: Retrieving alias for WS Secure client

          keytool -list -keystore

          this shows you all aliases in the keystore

          • 2. Re: Retrieving alias for WS Secure client

            Shit, I can't edit - after -keystore must come the file of the keystore :-)

            keytool -list -keystore wsse.keystore

            keytool is a program from sun shipped with the JRE and JDK.

            • 3. Re: Retrieving alias for WS Secure client
              nightcap

              Thanks, but using keytool is not what I am looking for. My question is whether, from inside the web service method, I am able to extract the alias corresponding to the client's certificate. This imposes two steps:

              1. How do I extract the client's certificate from inside the web service method? One way would be to locate the wsse:BinarySecurityToken XML tag in the SOAP message, extract the Base64-encoded certificate and then create an X509Certificate object from it, but that is not very elegant.

              2. Look up the alias in the keystore. To do that I could use KeyStore.getAliasForCertificate() provided 1. is solved.

              I am looking for something similar to WebServiceContext.getClientCertificate()...

              Does anybody have a suggestion?

              Thanks

              • 4. Re: Retrieving alias for WS Secure client
                thomas.diesler

                This is currently not supported. You are however welcome to contribute this extension.

                • 5. Re: Retrieving alias for WS Secure client
                  kaprys

                  Hi,
                  I'm having a very similar problem. I would like to authenticate the connection with the webservice using an X509 certificate. Many clients will connect to the webservice. Every client will have their own certificate. The webservice should recognize which client is connecting to it after getting the name from the certificate.
                  And here I have two problems. The first problem is that I really don't know whether I have configured the authentication to the webservice in a good way.
                  And the second problem is that I don't know how to then get the certificate from MessageContext.
                  I found this example:
                  @Resource
                  WebServiceContext ctx;

                  ...

                  MessageContext msg = ctx.getMessageContext();
                  HttpServletRequest req = (HttpServletRequest) msg.get(MessageContext.SERVLET_REQUEST);
                  // Set by the servlet container only when the client presented a certificate during the SSL handshake
                  X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
                  if (certificates != null) {
                      // certificates[0] is the client's own certificate
                      X509Certificate cert = certificates[0];
                      Principal clientDN = cert.getSubjectDN();
                      String name = clientDN.getName();
                  }

                  And every time, certificates is null.

                  Could anybody help me?
                  Maybe you know of a tutorial that shows how to configure the webservice for authentication via certificate, because I don't have any idea what to do :(

                  • 6. Re: Retrieving alias for WS Secure client
                    asoldano
                    • 7. Re: Retrieving alias for WS Secure client
                      mrostan

                      Hi all
                      We have modified JBossWS 2.0.1 to leave an array of the certificates used in the signature/encryption process available in the message context:

                      Certificate[] certificates = (Certificate[]) msgContext.get("MESSAGE_CERTIFICATES");

                      There's no automatic validation against JAAS implemented (as described in JBWS-652); we simply make the participating certificates available.

                      If somebody is still interested we can try to apply the patch to the current trunk and upload it.

                      Regards,
                      Martin
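
The two steps from reply 3 (decode the certificate carried in wsse:BinarySecurityToken, then look up its keystore alias), as an added example that is not part of the original thread or of JBossWS. The class name `ClientAliasLookup`, the `KEYSTORE_PASS` environment variable and the command-line arguments are assumptions made for illustration, as is Java 9 or later; the lookup uses the JDK's `KeyStore.getCertificateAlias()`.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ClientAliasLookup { // hypothetical class name
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String X509V3 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

    // Step 1: decode the first X509v3 wsse:BinarySecurityToken in the SOAP message.
    static X509Certificate extractCertificate(InputStream soap) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The message is untrusted input: refuse any DOCTYPE so XXE is not possible.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList tokens = dbf.newDocumentBuilder().parse(soap)
                .getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        for (int i = 0; i < tokens.getLength(); i++) {
            Element token = (Element) tokens.item(i);
            if (!X509V3.equals(token.getAttribute("ValueType"))) continue;
            // The MIME decoder ignores line breaks inside the Base64 text.
            byte[] der = Base64.getMimeDecoder().decode(token.getTextContent());
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
        }
        return null; // no X.509 token in the message
    }

    // Step 2: returns null when no keystore entry holds exactly this certificate.
    static String aliasFor(KeyStore ks, X509Certificate cert) throws Exception {
        return cert == null ? null : ks.getCertificateAlias(cert);
    }

    // Usage: KEYSTORE_PASS=... java ClientAliasLookup <soap.xml> <keystore file>
    public static void main(String[] args) throws Exception {
        char[] pass = System.getenv("KEYSTORE_PASS").toCharArray(); // assumed env var, must be set
        KeyStore ks = KeyStore.getInstance(new File(args[1]), pass);
        try (InputStream soap = new FileInputStream(args[0])) {
            String alias = aliasFor(ks, extractCertificate(soap));
            System.out.println(alias == null ? "no matching keystore entry" : "alias: " + alias);
        }
    }
}
```

A certificate in the token is only a claim by the sender: treat the resulting alias as the caller's identity only after the WS-Security signature on the message has been verified against that certificate.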