Spring Web Services / SWS-426

Allow Wss4jSecurityInterceptor to accept arbitrary client certificate in validation phase

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 1.5.4
    • Fix Version/s: 1.5.5
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Wss4j 1.5.4

      Description

      Imagine a webservice which uses encrypted request and response messages. The client can sign the message by its private key and attach its certificate, which will be used on the server side to encrypt the response message. (This corresponds to the Binary Security Token or DirectReference option and can be achieved by setting "useReqSigCert" for the securementEncryption user.) However, the Wss4j interceptor tries to validate the incoming client certificate against the Crypto specified in validationSignatureCrypto. Consequently, this requires a keystore which contains the client certificate, thus complicating client certificate management.

      Wss4j could introduce an option which would accept arbitrary client certificate on validation.

        Activity

        novotnyr Robert Novotny created issue -
        arjen.poutsma Arjen Poutsma made changes -
        Field Original Value New Value
        Fix Version/s 1.5.5 [ 11067 ]
        arjen.poutsma Arjen Poutsma made changes -
        Assignee Arjen Poutsma [ arjen.poutsma ] Tareq Abed Rabbo [ tareq ]
        tareq Tareq Abedrabbo added a comment -

        The problem is that Wss4j seems to be overzealous in its processing of WS-Security headers. I'm not aware of a simple way of instructing it to ignore certificates.
        However, there seems to be a (rather complicated) workaround. You can write your own Wss4j signature processor. Then you can subclass Wss4jSecurityInterceptor, redefine the validateMessage method and pass your signature processor to the WSSecurityEngine instance (via an appropriate WSSConfig).
        I'd be glad to know if there's a simpler solution.

        arjen.poutsma Arjen Poutsma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]
        olo Aleksander Adamowski added a comment -

        As far as I've observed, it's enough to have the CA certificate present in the server's keystore. It's not necessary to import all possible client certificates. That's what PKI is for.

        So if you set up a proper PKI, the issue is non-existent.

        On the other hand, if you don't have PKI and use self-signed client certificates, what good is such security?

        If the server would trust any arbitrary certificate that the client would send in, then that wouldn't prove the identity of the sender in any way and would defeat the purpose of the whole signing mechanism.

        The encryption mechanism's purpose would be defeated too, as a consequence of the fact that if you accept any certificate without validation, an attacker can mount man-in-the-middle attacks against the encryption securement, so the encryption doesn't offer any added security either.

        So Robert, what you propose would effectively be no more secure than simply using no WS-Security whatsoever at all.

        But it would be much more complex and require much more work to develop and maintain for a security layer which doesn't do its job.

        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues

        arjen.poutsma Arjen Poutsma made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition: Open -> Resolved; Time in source status: 16d 22h 45m; Execution times: 1; Last executer: Arjen Poutsma; Last execution date: 22/Sep/08 12:40 AM
        Transition: Resolved -> Closed; Time in source status: 1320d 6h 23m; Execution times: 1; Last executer: Arjen Poutsma; Last execution date: 04/May/12 7:03 AM

          People

          • Assignee: tareq Tareq Abedrabbo
          • Reporter: novotnyr Robert Novotny
          • Votes: 0
          • Watchers: 1
