0 Replies Latest reply on Mar 2, 2011 12:55 PM by mauro.brasil

    JBossWS token references limitations...

    mauro.brasil Newbie

      Hello there!


      I'm trying to improve security on a application suite we have here by adding ws-security encryption. We were using just ws-security's Username Token for authentication, but now we need to encrypt message's content because some sensitive information will be added to it.


      We use JBossWS (version "3.1.1.GA") running on "JBoss-4.2.3.GA" at server side and axis2c/rampartc (versions 1.6.0/1.3.0 respectively) on clients side.


      Find a security token reference that is supported/implemented by both sides wasn't so easy as I expected


      First try was with "RequireThumbprintReference" that's is axis2c/rampartc most used option on samples. It results on "Currently only SubjectKeyIdentifiers are supported" message on server that I've already tracked to two discutions of this site "http://community.jboss.org/message/534939#534939" and "http://community.jboss.org/message/340764#340764" with no solution.


      I've tried "RequireKeyIdentifierReference" that won't work because my certs don't have Key Identifiers, what seems to be normal on cert that were not selt created/signed using keytool.


      I'.ve tried "RequireEmbeddedTokenReference" which seems to be unknow to server that shows "Unkown reference element: Embedded".


      And I've tried "RequireIssuerSerialReference" that resulted on message "Could not locate certificate by issuer and serial number" from server also present on a discution of this site.


      I'm feeling that this could be problems regarding the relative old version of JBoss/JBossWS I'm using right now.


      So... my question is: is there a JBoss/JBossWS known combination that works with "RequireIssuerSerialReference" or that accepts "RequireThumbprintReference"?


      Thanks a lot and best regards,