  • KeyStoreCallbackHandler and AcegiCertificateValidationCallbackHandler

    Hello,

    I would like to validate the request and sign the response with the XwsSecurityInterceptor. I was reading the IntegrationTest in the XWSS unit tests, and the interceptor has 2 callbacks:
    KeyStoreCallbackHandler and AcegiCertificateValidationCallbackHandler

    I don't know if I understand it well, but:
    if I configure KeyStoreCallbackHandler with a keystore and a truststore, does the interceptor verify the request with this truststore and sign the response with the keystore?

    Why add AcegiCertificateValidationCallbackHandler to the interceptor? This only validates the request again, no?

    Thanks for any help, or a link to a tutorial for XWSS,
    César.

  • #2
    Originally posted by cesar
    I would like to validate the request and sign the response with the XwsSecurityInterceptor. I was reading the IntegrationTest in the XWSS unit tests, and the interceptor has 2 callbacks:
    KeyStoreCallbackHandler and AcegiCertificateValidationCallbackHandler

    I don't know if I understand it well, but:
    if I configure KeyStoreCallbackHandler with a keystore and a truststore, does the interceptor verify the request with this truststore and sign the response with the keystore?

    Why add AcegiCertificateValidationCallbackHandler to the interceptor? This only validates the request again, no?

    Thanks for any help, or a link to a tutorial for XWSS,
    To answer your first question first, there is a tutorial of XWSS here. I will also add a section to the reference documentation about security shortly, hopefully next week. Hopefully that will make things clearer.

    If I understand you correctly, you want to validate and sign using a certificate. That certificate has to be obtained from somewhere: a keystore.
    The keystore checks whether the certificate used is in the configured trusted store, whether it has not been revoked, and whether it is still valid.

    After the certificate has been checked for validity, you might want to authenticate against it. That's what the AcegiCertificateValidationCallbackHandler is for. So if you don't want to authenticate, you don't need it.

    Hope that clears up stuff a bit,

    Cheers from a lovely SpringOne conference,



    • #3
      Hello Arjen,

      I have a web service, and the request is signed (with a private key). The XwsSecurityInterceptor has to validate the signature in validateRequest(SoapMessageContext soapMessageContext). The web service creates the response and the XwsSecurityInterceptor signs the response in secureResponse(SoapMessageContext soapMessageContext).

      The XwsSecurityInterceptor has an XWSSProcessor that has been configured with CallbackHandlers.

      I would think that KeyStoreCallbackHandler validates the signature and authenticates the certificate with the truststore,
      and signs the response with the keystore (alias of a private key).

      Doesn't KeyStoreCallbackHandler do this? Verify the signature of the request with the certificate and check whether it is in the truststore? And sign the response with the keystore?

      If the certificate is not in the truststore, the request is not authenticated, no?
      Maybe I don't understand how KeyStoreCallbackHandler works...
      If it works like that, why AcegiCertificateValidationCallbackHandler?

      Thanks in advance,
      César.



      • #4
        Originally posted by cesar
        I have a web service, and the request is signed (with a private key). The XwsSecurityInterceptor has to validate the signature in validateRequest(SoapMessageContext soapMessageContext). The web service creates the response and the XwsSecurityInterceptor signs the response in secureResponse(SoapMessageContext soapMessageContext).

        The XwsSecurityInterceptor has an XWSSProcessor that has been configured with CallbackHandlers.

        I would think that KeyStoreCallbackHandler validates the signature and authenticates the certificate with the truststore,
        and signs the response with the keystore (alias of a private key).

        Doesn't KeyStoreCallbackHandler do this? Verify the signature of the request with the certificate and check whether it is in the truststore? And sign the response with the keystore?
        You are correct, it does. If you have configured that in the security policy file, that is.

        Originally posted by cesar
        If the certificate is not in the truststore, the request is not authenticated, no?
        Maybe I don't understand how KeyStoreCallbackHandler works...
        If it works like that, why AcegiCertificateValidationCallbackHandler?
        The KeyStoreCallbackHandler validates the certificate, but the AcegiCertificateValidationCallbackHandler authenticates against the certificate, i.e. it determines the user principal associated with the certificate, and sets any roles that principal has. Both handlers will be checked in turn, so that if the key store says that the certificate is invalid, the acegi handler will not be called.

        You only need the Acegi handler if you have the concept of a user in your application (like the FrequentFlyer in the sample), and you want to make sure that certain business logic methods can only be executed by users with a specific role (see the ROLE_FREQUENT_FLYER in the applicationContext-security.xml in the sample).

        Hope this clears things up a bit. It is pretty tricky stuff, but then again: WS-Security is pretty tricky itself.

        Cheers,

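The setup the thread converges on (validate the request signature against the truststore, sign the response with the keystore, and only then map the certificate to a principal and roles), written out as an added example. This is not code from the original posts or from the Spring-WS sample: it is a Spring bean definition wiring the two callback handlers into the XwsSecurityInterceptor in the order the answer above describes. Bean class and property names are those of the Spring-WS 1.0 callback classes as I know them; the keystore paths, passwords, the alias "server" and the authenticationManager bean are placeholders you replace with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: applicationContext fragment. Paths, passwords and alias are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <!-- Keystore with the service's own private key; used to sign the response in secureResponse() -->
    <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:server-keystore.jks"/>     <!-- placeholder -->
        <property name="password" value="CHANGE_ME_KEYSTORE_PASSWORD"/>      <!-- placeholder -->
    </bean>

    <!-- Truststore with the CA (or client) certificates the service accepts for request signatures -->
    <bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:server-truststore.jks"/>   <!-- placeholder -->
        <property name="password" value="CHANGE_ME_TRUSTSTORE_PASSWORD"/>    <!-- placeholder -->
    </bean>

    <!-- Step 1: certificate validation (trusted, not revoked, still valid) and response signing -->
    <bean id="keyStoreHandler"
          class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="keyStore" ref="keyStore"/>
        <property name="trustStore" ref="trustStore"/>
        <property name="privateKeyPassword" value="CHANGE_ME_KEY_PASSWORD"/>  <!-- placeholder -->
        <property name="defaultAlias" value="server"/>                        <!-- placeholder alias of the signing key -->
    </bean>

    <!-- Step 2: authentication. Maps the already-validated certificate to a user principal and its
         roles. Leave this bean out if your application has no notion of users or roles. -->
    <bean id="acegiCertificateHandler"
          class="org.springframework.ws.soap.security.xwss.callback.acegi.AcegiCertificateValidationCallbackHandler">
        <!-- placeholder: an Acegi ProviderManager with an X.509 provider, defined elsewhere -->
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="wsSecurityInterceptor"
          class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <!-- XWSS policy: RequireSignature for validateRequest(), Sign for secureResponse() -->
        <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
        <!-- Order matters: the key store handler runs first. If it rejects the certificate,
             the Acegi handler is never consulted and the request is refused. -->
        <property name="callbackHandlers">
            <list>
                <ref bean="keyStoreHandler"/>
                <ref bean="acegiCertificateHandler"/>
            </list>
        </property>
    </bean>
</beans>
```

The referenced securityPolicy.xml is the XWSS policy file that switches both behaviours on: an `xwss:SecurityConfiguration` element (namespace `http://java.sun.com/xml/ns/xwss/config`) containing `<xwss:RequireSignature requireTimestamp="false"/>` for the incoming request and `<xwss:Sign includeTimestamp="false"/>` for the outgoing response. Without the RequireSignature entry no certificate is ever presented to either handler, which is the "if you have configured that in the security policy file" caveat above. The interceptor still has to be added to the endpoint mapping's interceptors list to take effect, and the Acegi handler only pays off once business methods are protected by role checks such as the sample's ROLE_FREQUENT_FLYER.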