
ACEGI authorization with IssuerSerial-based certificates

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.0 M2
    • Fix Version/s: 1.0 M3
    • Component/s: None
    • Labels: None

      Description

      It is not possible to perform ACEGI certificate-based processing in Spring-WS (1.0 M2) when the certificate is not embedded in the header of the SOAP message.

      When a certificate is embedded in a message, only CertificateValidationCallbacks are passed to the callback handlers. When a certificate is not embedded in the message (i.e., IssuerSerial reference), only SignatureVerificationKeyCallbacks are passed to the handlers. The KeyStoreCallbackHandler understands this one, and it does its job just fine: the certificate is found if already known to the server. The problem is that the ACEGI handler (AcegiCertificateValidationCallbackHandler) is not invoked, since it only understands the CertificateValidationCallback. So there is no way to configure the ACEGI security context unless the certificate is embedded in the message.

      Possible solutions:

      • Modify AcegiCertificateValidationCallbackHandler to also process SignatureVerificationKeyCallback
      • Create and use a new handler to perform ACEGI processing that accepts SignatureVerificationKeyCallback
      • Somehow cause XWSS to fire off a CertificateValidationCallback when the certificate is IssuerSerial
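As an added illustration of the first proposed solution (not code from Spring-WS, XWSS, Acegi or the reporter), a callback handler that resolves an IssuerSerial reference against the certificates already known to the server and then runs Acegi authentication on the resolved certificate. The XWSS request type X509IssuerSerialBasedRequest with its getIssuerName/getSerialNumber/setX509Certificate accessors and the Acegi X509AuthenticationToken are assumed from those libraries' public APIs rather than taken from this issue.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.x509.X509AuthenticationToken;
import com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest;

/** Handles IssuerSerial-based SignatureVerificationKeyCallbacks and feeds the certificate to Acegi. */
public class IssuerSerialAcegiCallbackHandler implements CallbackHandler {
    private final KeyStore trustStore;                    // certificates already known to the server
    private final AuthenticationManager authenticationManager;

    public IssuerSerialAcegiCallbackHandler(KeyStore trustStore, AuthenticationManager manager) {
        this.trustStore = trustStore;
        this.authenticationManager = manager;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof SignatureVerificationKeyCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            SignatureVerificationKeyCallback cb = (SignatureVerificationKeyCallback) callbacks[i];
            if (!(cb.getRequest() instanceof X509IssuerSerialBasedRequest)) {
                throw new UnsupportedCallbackException(cb, "only IssuerSerial references handled");
            }
            X509IssuerSerialBasedRequest req = (X509IssuerSerialBasedRequest) cb.getRequest();
            X509Certificate cert = lookup(new X500Principal(req.getIssuerName()), req.getSerialNumber());
            if (cert == null) {
                throw new UnsupportedCallbackException(cb, "unknown issuer/serial: refusing to proceed");
            }
            req.setX509Certificate(cert);           // XWSS can now verify the signature
            // Acegi sees the same certificate; an AuthenticationException aborts the request
            SecurityContextHolder.getContext().setAuthentication(
                    authenticationManager.authenticate(new X509AuthenticationToken(cert)));
        }
    }

    /** Linear scan of the key store for the certificate matching issuer DN and serial number. */
    private X509Certificate lookup(X500Principal issuer, BigInteger serial) throws IOException {
        try {
            for (Enumeration e = trustStore.aliases(); e.hasMoreElements();) {
                Certificate c = trustStore.getCertificate((String) e.nextElement());
                if (c instanceof X509Certificate
                        && ((X509Certificate) c).getIssuerX500Principal().equals(issuer)
                        && ((X509Certificate) c).getSerialNumber().equals(serial)) {
                    return (X509Certificate) c;
                }
            }
            return null;
        } catch (KeyStoreException ex) {
            throw new IOException("key store not initialised: " + ex.getMessage());
        }
    }
}
```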


          Activity

          Arjen Poutsma (arjen.poutsma) added a comment:

          I'm afraid I can't fix this.

          Basically, a SignatureVerificationKeyCallback requires a certificate to be set on it based on some properties; it cannot be retrieved from it (yet). Acegi requires a certificate in order to validate. And like you said in the forum, there are no more callbacks after the key verification; XWSS uses internal mechanics to validate the certificate.

          This means that the only way to make it work is to create a tight coupling between the KeyStoreCallbackHandler and the AcegiCertificateValidationCallbackHandler, so that when the certificate is loaded from the key store, it is passed to Acegi first. I don't really like that solution.

          Hopefully, SUN will release a new version of XWSS soon, which can fix this.


            People

            • Assignee: Arjen Poutsma (arjen.poutsma)
            • Reporter: Wayne L. Smith (wlsmith)
            • Votes: 0
            • Watchers: 2
