Replies: 11 - Last Post: Mar 13, 2008 3:08 AM by: dloiacono
Configure keystore at runtime
Posted:
Mar 6, 2008 3:11 AM
Hi all, I'm working on a Java client application that invokes Web Services with the Metro 1.1 stack. The user logs on to the application with an X.509 certificate and requests a service. That certificate must be used to prove the user's identity on the server side.
How can I configure the keystore and the alias for the client certificate dynamically, without putting this information into the WSIT configuration file?
<sc:KeyStore wspp:visibility="private"
             alias="SOME_ALIAS" keypass="PW" storepass="PW"
             type="PKCS12" location="SOME_LOCATION\keystore.p12"/>
<sc:TrustStore wspp:visibility="private"
               peeralias="SOME_ALIAS" storepass="PW"
               type="PKCS12" location="SOME_LOCATION\truststore.p12"/>
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 3:42 AM
in response to: dloiacono
The alias can be selected dynamically using an aliasSelector instead of an alias. Please see the following article: https://xwss.dev.java.net/articles/security_config.html
<sc:Keystore location={absolute path to keystore file}
             type={type of the keystore (default is JKS)}?
             storepass={the password of the keystore as a string, OR a fully qualified classname of a class implementing javax.security.auth.callback.CallbackHandler that handles the javax.security.auth.callback.PasswordCallback}
             aliasSelector={the fully qualified classname of a class implementing the com.sun.xml.wss.AliasSelector interface}? />
For the keystore location:
When using WSIT on GlassFish (the DefaultCallbackHandler on GlassFish is used, and it is based on the JSR 196 model), the need to specify the keystore location, keystore password and keystore type is eliminated. The only thing one ever needs to specify in the case of GlassFish is the alias information. So you can use the default JSR 196 CallbackHandler, which knows where the keystore and truststore are located, or else you can specify your own JSR 196 based CBH.
So are you running on GlassFish or some other container?
If you are running on some other container, then the only way for you is to supply your own CallbackHandler: https://xwss.dev.java.net/articles/security_config.html#Can_I_Specify_My_Own_Overiding
Override the WSIT DefaultCallbackHandler, which is used for non-GlassFish containers.
On the client side:
<sc:CallbackHandlerConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
    <sc:CallbackHandler name="xwssCallbackHandler" classname="fully qualified classname"/>
</sc:CallbackHandlerConfiguration>
Writing an xwssCallbackHandler can be cumbersome, so you would need to either look at DefaultCallbackHandler.java in WSIT or just start with a skeleton implementation, experiment to see which callbacks the runtime makes for your application, and then handle those in your xwssCallbackHandler.
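An added example, not from the thread or from the Metro project, of the aliasSelector route described above: the keystore location and store password stay in the WSIT file, and only the alias is chosen when a call is made. It assumes the interface is com.sun.xml.wss.AliasSelector with a single select(Map) method, as the quoted configuration syntax names it (check the signature against the Metro 1.1 jar in use); the class name, the static holder and the aliasFor helper, which goes one step beyond the post by deriving the alias from the certificate the user logged on with, are my own.

```java
package my.example.security;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;

import com.sun.xml.wss.AliasSelector; // assumed: interface named in the sc:Keystore aliasSelector attribute

/**
 * Chooses the client key-pair alias at call time instead of hard-coding it in
 * the sc:Keystore alias attribute. The WSIT runtime instantiates this class by
 * reflection with no constructor arguments, so the alias reaches it through a
 * static holder that the application's login code fills in. A plain static
 * field is acceptable here because the page describes a single-user desktop client.
 */
public class LoggedInUserAliasSelector implements AliasSelector {

    /** Alias of the key entry belonging to the user who is currently logged on; null when nobody is. */
    private static volatile String currentAlias;

    /** Called by the login code once the user has proven possession of the certificate. */
    public static void setCurrentAlias(String alias) {
        if (alias == null || alias.trim().length() == 0) {
            throw new IllegalArgumentException("alias must not be empty");
        }
        currentAlias = alias;
    }

    /** Called on logout so that a later request cannot be signed with the previous user's key. */
    public static void clearCurrentAlias() {
        currentAlias = null;
    }

    /**
     * Finds the alias of the key entry whose certificate equals the one the user
     * logged on with. Returns null if the keystore holds no such private key.
     * Trusted-certificate entries are skipped: they carry no key and cannot sign.
     */
    public static String aliasFor(KeyStore keystore, X509Certificate userCert) throws KeyStoreException {
        for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keystore.isKeyEntry(alias) && userCert.equals(keystore.getCertificate(alias))) {
                return alias;
            }
        }
        return null;
    }

    /** Invoked by the WSIT runtime when it needs the client's signing/encryption alias. */
    public String select(Map context) {
        String alias = currentAlias;
        if (alias == null) {
            // Fail closed: signing with some default key-pair would impersonate another identity.
            throw new IllegalStateException("no user is logged on; refusing to select a key alias");
        }
        return alias;
    }
}
```

With this class on the classpath, the sc:Keystore element keeps its location, type and storepass attributes and replaces alias="SOME_ALIAS" with aliasSelector="my.example.security.LoggedInUserAliasSelector". The login code loads the PKCS12 file, calls aliasFor with the certificate the user presented, and passes the result to setCurrentAlias. Note what this does not solve: the keystore and key passwords still sit in the configuration file, which is why the delegating-handler approach later in the thread is the more complete answer.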
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 4:13 AM
in response to: kumarjayanti
I'm working on a standalone Java client, with the Metro 1.1 libraries bundled, that invokes some .NET web services. I'm not using an app server container.
So the solution is to write a custom xwssCallbackHandler to select the correct X.509 certificate at runtime.
<sc:CallbackHandlerConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
    <sc:CallbackHandler name="CertificateCallbackHandler" classname="my.package.CertificateCallbackHandler"/>
</sc:CallbackHandlerConfiguration>
Is this right?
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 4:36 AM
in response to: dloiacono
No, this is not correct: the only supported callbackHandler types are mentioned in the article, and CertificateCallbackHandler is not something that we support.
But you can first try the aliasSelector approach to select the alias dynamically, keeping the location constant.
Or try and follow the suggestion by ernesto (below).
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 4:42 AM
in response to: kumarjayanti
Although we plan to uniformly support JSR 196 based callbacks for all containers in the near future,
your usage of a CertificateCallbackHandler is probably what we can add in the interim period to avoid the difficulty of you having to completely override the default WSIT CBH.
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 5:32 AM
in response to: kumarjayanti
Could configuring a CertStore on the client side and writing some Java class be a solution for my scenario?
https://xwss.dev.java.net/articles/security_config.html#CertStore_Configuration_in_WSIT
<sc:CertStore callbackHandler="{fully qualified ClassName of a class that implements the javax.security.auth.callback.CallbackHandler interface and handles the com.sun.xml.wss.impl.callback.CertStoreCallback}"
              certSelector="{fully qualified ClassName of a class that implements the java.security.cert.CertSelector interface}"/>
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 7:04 AM
in response to: dloiacono
Marked: Helpful
The CertStore is not a replacement for the keystore. It is only used to locate other parties' certificates. To locate the key pair (private key, certificate) of the client you would still need to use a keystore.
Re: Configure keystore at runtime
Posted:
Mar 13, 2008 3:08 AM
in response to: kumarjayanti
Thanks, that's good news.
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 3:58 AM
in response to: dloiacono
I created my own xwssCallbackHandler in a very easy way. I used an instance of DefaultCallbackHandler (passing it my own properties during instantiation) and delegated all calls to it.
In this way, I can set up the whole keystore configuration programmatically. If anyone is interested, I can paste the code.
Regards.
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 8:58 AM
in response to: ernestojpg
Can you post your code please?
Re: Configure keystore at runtime
Posted:
Mar 6, 2008 3:24 PM
in response to: dloiacono
Marked: Correct
Hi!
To define your own WSIT xwssCallbackHandler in an easy way, you only need to copy the 'XWSSCallbackHandler.java' file (attached) to your project folder and change your WSIT config file like this:
<sc:CallbackHandlerConfiguration xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
    <sc:CallbackHandler name="xwssCallbackHandler" classname="handlers.XWSSCallbackHandler"/>
</sc:CallbackHandlerConfiguration>
where 'handlers.XWSSCallbackHandler' is the fully qualified classname of our XWSSCallbackHandler class.
In this way all the callbacks and validations are managed in our XWSSCallbackHandler class, and we can handle whichever callbacks we want. In addition, we can set the WSIT config properties programmatically.
Regards.
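The attachment mentioned in the post above is not reproduced on this page. What follows is an added example of the delegating approach it describes, written for this page rather than taken from the thread or from Metro: a client-side CallbackHandler that wraps a DefaultCallbackHandler built from properties supplied at runtime, so no keystore path, password or alias has to be written into the WSIT file. It assumes the WSIT class com.sun.xml.wss.impl.misc.DefaultCallbackHandler with a (String, Properties) constructor and the property-name constants KEYSTORE_URL, KEYSTORE_TYPE, KEYSTORE_PASSWORD, MY_ALIAS, KEY_PASSWORD, TRUSTSTORE_URL, TRUSTSTORE_TYPE, TRUSTSTORE_PASSWORD and PEER_ENTITY_ALIAS, as I recall them from the WSIT 1.x sources; verify both against the Metro 1.1 jar in use. The KeyMaterial holder and the logon/logoff methods are my own.

```java
package handlers;

import java.io.IOException;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import com.sun.xml.wss.XWSSecurityException;                 // assumed WSIT class
import com.sun.xml.wss.impl.misc.DefaultCallbackHandler;     // assumed WSIT class and constants

/**
 * Client-side WSIT callback handler that forwards every callback to a
 * DefaultCallbackHandler built from properties chosen at runtime. The WSIT
 * runtime creates this class by reflection through its no-arg constructor,
 * which is why the settings arrive through a static holder that the login
 * code fills in before the first web-service call.
 */
public class XWSSCallbackHandler implements CallbackHandler {

    /** Keystore settings established when the user logs on. Paths are file paths, as in sc:KeyStore location. */
    public static final class KeyMaterial {
        public final String keystorePath, keystoreType, storePassword, alias, keyPassword;
        public final String truststorePath, truststoreType, trustPassword, peerAlias;

        public KeyMaterial(String keystorePath, String keystoreType, String storePassword,
                           String alias, String keyPassword,
                           String truststorePath, String truststoreType, String trustPassword,
                           String peerAlias) {
            this.keystorePath = keystorePath;   this.keystoreType = keystoreType;
            this.storePassword = storePassword; this.alias = alias; this.keyPassword = keyPassword;
            this.truststorePath = truststorePath; this.truststoreType = truststoreType;
            this.trustPassword = trustPassword; this.peerAlias = peerAlias;
        }
    }

    private static volatile KeyMaterial current;

    /** Called by the login code once the user has chosen and unlocked a certificate. */
    public static void logon(KeyMaterial material) {
        if (material == null || material.keystorePath == null || material.alias == null) {
            throw new IllegalArgumentException("keystore path and alias are required");
        }
        current = material;
    }

    /** Called on logout: the next call must not be able to reuse this user's key. */
    public static void logoff() {
        current = null;
    }

    // Cached delegate plus the material it was built from, so a logon as a
    // different user (or a logoff) discards it instead of reusing stale keys.
    private CallbackHandler delegate;
    private KeyMaterial delegateMaterial;

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        delegate().handle(callbacks);
    }

    private synchronized CallbackHandler delegate() throws IOException {
        KeyMaterial material = current;
        if (material == null) {
            // Fail closed: with nobody logged on there is no identity to sign with.
            throw new IOException("no user is logged on; refusing to supply key material");
        }
        if (delegate == null || delegateMaterial != material) {
            delegate = newDefaultHandler(material);
            delegateMaterial = material;
        }
        return delegate;
    }

    /** Builds the WSIT default handler from the same settings the sc:KeyStore/sc:TrustStore elements would carry. */
    private static CallbackHandler newDefaultHandler(KeyMaterial m) throws IOException {
        Properties p = new Properties();
        put(p, DefaultCallbackHandler.KEYSTORE_URL, m.keystorePath);
        put(p, DefaultCallbackHandler.KEYSTORE_TYPE, m.keystoreType);
        put(p, DefaultCallbackHandler.KEYSTORE_PASSWORD, m.storePassword);
        put(p, DefaultCallbackHandler.MY_ALIAS, m.alias);
        put(p, DefaultCallbackHandler.KEY_PASSWORD, m.keyPassword);
        put(p, DefaultCallbackHandler.TRUSTSTORE_URL, m.truststorePath);
        put(p, DefaultCallbackHandler.TRUSTSTORE_TYPE, m.truststoreType);
        put(p, DefaultCallbackHandler.TRUSTSTORE_PASSWORD, m.trustPassword);
        put(p, DefaultCallbackHandler.PEER_ENTITY_ALIAS, m.peerAlias);
        try {
            return new DefaultCallbackHandler("client", p);
        } catch (XWSSecurityException e) {
            IOException wrapped = new IOException("cannot initialise the WSIT default callback handler");
            wrapped.initCause(e); // Java 5 compatible; IOException(String, Throwable) needs Java 6
            throw wrapped;
        }
    }

    /** Properties rejects null values, so optional settings are simply left out. */
    private static void put(Properties p, String key, String value) {
        if (value != null) {
            p.setProperty(key, value);
        }
    }
}
```

With this handler the WSIT client file carries only the sc:CallbackHandlerConfiguration element shown in the post and no sc:KeyStore or sc:TrustStore elements; the login dialog calls XWSSCallbackHandler.logon(new KeyMaterial(...)) after the user unlocks the PKCS12 file, and logoff() when the user signs out. One caveat worth knowing: DefaultCallbackHandler takes the passwords as Strings in the Properties object, so they remain in the Java heap for the lifetime of the delegate and cannot be zeroed the way a char[] could.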