3 Replies Latest reply on Mar 28, 2007 3:48 PM by jason.greene

    Getting access to X509Certificate

    gray727

      My configuration:
      JDK 1.5
      JBoss AS 4.0.5
      JBossWS 1.2.0
      WS-Security

      The configuration of my web service requires an incoming SOAP message to be digitally signed (using Message Level Security; not BASIC authentication over SSL), and this works fine. However, I have an audit requirement to log the credentials of the client trying to access the service, whether successful or not. In the past (using JWSDP and JSR-109 style web services), I've used security callback functions to meet these sorts of requirements.

      Is there a way to interact with WS-Security during authentication and authorization and obtain the X509Certificate, Subject, Principal, etc. to log security-related events? I've experimented with WebServiceContext.getUserPrincipal(), but it seems that this is only useful for BASIC authentication, which I'm not using.

      thanks.

        • 1. Re: Getting access to X509Certificate
          rmartony

          I have to solve the same problem.
          My configuration:

          JDK 1.5
          JBoss AS 4.0.5
          JBossWS 1.0.4
          WS-Security

          Any ideas on how to interact with WS-Security with JSR 181-POJO Endpoint to obtain X509Certificate, Subject, Principal, etc.?

          gray727, maybe the JWSDP and JSR-109 approach may help me...

          Regards,
          Rafael.


          • 2. Re: Getting access to X509Certificate
            rmartony

            Sorry, I'm using JSR-109 style web services with WS-Security and NOT JSR 181-POJO endpoint services as I mentioned earlier...

            Regards,
            Rafael.

            • 3. Re: Getting access to X509Certificate
              jason.greene

              Currently WS-Security only supports keystore authentication; it does not yet fully integrate with JAAS for cert auth. This is, however, on the roadmap.

              http://jira.jboss.com/jira/browse/JBWS-652

              -Jason