7 Replies Latest reply on Feb 25, 2008 12:41 PM by Martin Rostan

    Retrieving alias for WS Secure client

    Karl Larsson Newbie


      I am using X509 certificates to authenticate WebService clients for JBoss 4.0.5 and JBossWS 1.2.1 (JAX-WS).

      Everything works fine, however, in my web service code, I would like to know the alias for the public key entry in the keystore for the calling client.

      One way would be to parse the SOAP-document, obtain the element containing the security info, and manually look it up in the keystore.

      However, I wonder if there is a standardized way (JBoss-specific is no problem) of obtaining the alias from the keystore given the SOAP message, or at least a way of obtaining the certificate from the SOAP message without manually digging into SOAP details.


        • 1. Re: Retrieving alias for WS Secure client
          Sven Bunge Newbie

          keytool -list -keystore

          this shows you all aliases in the keystore

          • 2. Re: Retrieving alias for WS Secure client
            Sven Bunge Newbie

            shit, I can't edit - after -keystore must come the file of the keystore :-)

            keytool -list -keystore wsse.keystore

            keytool is a program from Sun shipped with the JRE and JDK.

            • 3. Re: Retrieving alias for WS Secure client
              Karl Larsson Newbie

              Thanks, but using keytool is not what I am looking for. My question is whether I am able, from inside the web service method, to extract the alias corresponding to the client's certificate. This imposes two steps:

              1. How do I extract the client's certificate from inside the web service method? One way would be to locate the wsse:BinarySecurityToken XML tag in the SOAP message, extract the Base64-encoded certificate and then create an X509Certificate object from it, but that is not very elegant.

              2. Lookup the alias in the keystore. To do that I could use KeyStore.getAliasForCertificate() provided 1. is solved.

              I am looking for something similar to WebServiceContext.getClientCertificate()...

              Does anybody have a suggestion?
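
The two steps described in this post, as an added example that is not part of the original thread and not JBossWS code: read the certificate out of wsse:BinarySecurityToken, then resolve its alias with the standard KeyStore API. It assumes Java 8 or later and a token that carries one Base64-encoded DER certificate; the class and method names are hypothetical, and the sample envelope is constructed from the first certificate in the keystore passed on the command line.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

public class TokenAliasLookup {  // hypothetical name, not a JBossWS class
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Step 1: pull the X.509 certificate out of wsse:BinarySecurityToken. */
    static X509Certificate tokenCertificate(byte[] soap) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The envelope is untrusted input: refuse DTDs so it cannot declare entities (XXE).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList tokens = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(soap))
            .getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        if (tokens.getLength() != 1)  // assumption: one token per message; reject anything else
            throw new SecurityException("expected one BinarySecurityToken, found " + tokens.getLength());
        byte[] der = Base64.getMimeDecoder().decode(tokens.item(0).getTextContent());
        return (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(der));
    }

    /** Step 2: alias of the keystore entry holding exactly this certificate, or null. */
    static String aliasFor(KeyStore ks, X509Certificate cert) throws Exception {
        return ks.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {  // args: keystore file, password
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        // Constructed sample request: the keystore's first certificate re-encoded as a token.
        String first = Collections.list(ks.aliases()).get(0);
        String b64 = Base64.getEncoder().encodeToString(ks.getCertificate(first).getEncoded());
        String soap = "<e:Envelope xmlns:e=\"http://schemas.xmlsoap.org/soap/envelope/\"><e:Header>"
            + "<wsse:Security xmlns:wsse=\"" + WSSE_NS + "\"><wsse:BinarySecurityToken>" + b64
            + "</wsse:BinarySecurityToken></wsse:Security></e:Header><e:Body/></e:Envelope>";
        X509Certificate cert = tokenCertificate(soap.getBytes(StandardCharsets.UTF_8));
        System.out.println(cert.getSubjectX500Principal() + " -> alias " + aliasFor(ks, cert));
    }
}
```

The token is supplied by the caller, so a matching alias identifies a client only once the WS-Security layer has verified the message signature made with that same certificate. A null result from aliasFor means the certificate is not in the keystore and the request should be treated as unauthenticated.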


              • 4. Re: Retrieving alias for WS Secure client
                Thomas Diesler Master

                This is currently not supported. You are however welcome to contribute this extension.

                • 5. Re: Retrieving alias for WS Secure client
                  Artur Lipski Newbie

                  I'm having the very same problem. I would like to authenticate the connection with the webservice using an x509 certificate. Many clients will connect to the webservice. Every client will have their own certificate. The webservice should recognize which client is connecting to it after getting the name from the certificate.
                  And here I have two problems. The first problem is that I really don't know whether I configure the authentication to the webservice in a good way.
                  And the second problem is that I don't know how to get the certificate from MessageContext.
                  I found such example:
                  WebServiceContext ctx;

                  MessageContext msg = ctx.getMessageContext();
                  HttpServletRequest req = (HttpServletRequest) msg.get(MessageContext.SERVLET_REQUEST);
                  // Client certificate chain, as exposed by the servlet container for SSL connections
                  X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
                  if (certificates != null) {
                      // First element is the client's own certificate
                      X509Certificate cert = certificates[0];
                      Principal clientDN = cert.getSubjectDN();
                      String name = clientDN.getName();
                  }

                  And every time certificates is null.

                  Could anybody help me??
                  Maybe you know of a tutorial that shows how to configure the webservice for authentication via certificate, because I don't have any idea what to do :(

                  • 7. Re: Retrieving alias for WS Secure client
                    Martin Rostan Newbie

                    Hi all
                    We have modified JBossWS 2.0.1 to leave an array of the certificates used in the signature/encryption process available in the message context:

                    Certificate[] certificates = (Certificate[]) msgContext.get("MESSAGE_CERTIFICATES");

                    There's no automatic validation against JAAS implemented (as described in JBWS-652); we simply make the participating certificates available.

                    If somebody is still interested, we can try to apply the patch to the current trunk and upload it.