0 Replies Latest reply on Mar 2, 2011 12:55 PM by mauro.brasil

    JBossWS token references limitations...

    mauro.brasil

      Hello there!

       

      I'm trying to improve security on a application suite we have here by adding ws-security encryption. We were using just ws-security's Username Token for authentication, but now we need to encrypt message's content because some sensitive information will be added to it.

       

      We use JBossWS (version "3.1.1.GA") running on "JBoss-4.2.3.GA" at server side and axis2c/rampartc (versions 1.6.0/1.3.0 respectively) on clients side.

       

      Find a security token reference that is supported/implemented by both sides wasn't so easy as I expected

       

      First try was with "RequireThumbprintReference" that's is axis2c/rampartc most used option on samples. It results on "Currently only SubjectKeyIdentifiers are supported" message on server that I've already tracked to two discutions of this site "http://community.jboss.org/message/534939#534939" and "http://community.jboss.org/message/340764#340764" with no solution.

       

      I've tried "RequireKeyIdentifierReference" that won't work because my certs don't have Key Identifiers, what seems to be normal on cert that were not selt created/signed using keytool.

       

      I'.ve tried "RequireEmbeddedTokenReference" which seems to be unknow to server that shows "Unkown reference element: Embedded".

       

      And I've tried "RequireIssuerSerialReference" that resulted on message "Could not locate certificate by issuer and serial number" from server also present on a discution of this site.

       

      I'm feeling that this could be problems regarding the relative old version of JBoss/JBossWS I'm using right now.

       

      So... my question is: is there a JBoss/JBossWS known combination that works with "RequireIssuerSerialReference" or that accepts "RequireThumbprintReference"?

       

      Thanks a lot and best regards,

      Mauro.