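Apache CXF - Configuring WSS4J to extract the server's X.509 certificate from the SOAP header

Time: 2016-03-21 16:54:24

Tags: java soap cxf ws-security

I am communicating with a server that inserts its X.509 certificate into the SOAP response header as a binary security token. How do I configure the WSS4JInInterceptor accordingly?

This is my code, which expects the certificate to be in a JKS keystore: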

        // for incoming messages: Signature and Timestamp validation. Response is Encrypted
        inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.ENCRYPT);
        inProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallbackHandler.class.getName());
        inProps.put(WSHandlerConstants.SIG_PROP_FILE, "server_sec.properties");
        inProps.put(WSHandlerConstants.DEC_PROP_FILE, "client_sec.properties");

        wss4JInInterceptor = new WSS4JInInterceptor(inProps);

server_sec.properties:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=ver2
org.apache.ws.security.crypto.merlin.file=certs/kontaktinfo-server-test.jks

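How do I reconfigure it to extract the certificate from the binary security token?

1 answer:

Answer 0: (score: 1)

If the response references a certificate in the security header, then WSS4J will process it without any configuration change required. However, you will still need to configure at least a truststore to verify trust in the certificate. So your "signature" keystore configuration will have to have at least the issuing certificate of the certificate used to verify the signature.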
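
One way to set this up, as an added example that is not part of the original answer: a `server_sec.properties` that carries only trust material, written with the WSS4J 1.6 Merlin property names already used on this page. The truststore file name is hypothetical, and the file is assumed to contain the issuing CA certificate of the server's signing certificate.

```properties
# server_sec.properties (added example, referenced by WSHandlerConstants.SIG_PROP_FILE)
#
# The server's signing certificate arrives in the BinarySecurityToken of each
# response, so it does not have to be stored locally. What must be stored is
# the certificate of the CA that issued it, so WSS4J can verify trust in the
# certificate it extracted from the header.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

# Truststore holding the issuing CA certificate (hypothetical file name).
org.apache.ws.security.crypto.merlin.truststore.type=jks
org.apache.ws.security.crypto.merlin.truststore.password=changeit
org.apache.ws.security.crypto.merlin.truststore.file=certs/server-issuer-truststore.jks

# Keep the trust anchors limited to the store above instead of also trusting
# every CA in the JDK's cacerts file. This is the documented default in
# WSS4J 1.6; it is set explicitly here so the intent is visible.
org.apache.ws.security.crypto.merlin.load.cacerts=false
```

With this file the interceptor configuration in the question stays unchanged; a response signed by a certificate that does not chain to the stored issuer is rejected during signature processing.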