[SWS-426] Allow Wss4jSecurityInterceptor to accept arbitrary client certificate in validation phase Created: 05/Sep/08 Updated: 04/May/12 Resolved: 22/Sep/08
Project: Spring Web Services
Reporter: Robert Novotny    Assignee: Tareq Abedrabbo
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Imagine a web service which uses encrypted request and response messages. The client can sign the message with its private key and attach its certificate, which will be used on the server side to encrypt the response message. (This corresponds to the Binary Security Token or DirectReference option and can be achieved by setting "useReqSigCert" as the securementEncryptionUser.) However, the Wss4j interceptor tries to validate the incoming client certificate against the Crypto specified in validationSignatureCrypto. Consequently, this requires a keystore which contains the client certificate, thus complicating client certificate management.
Wss4j could introduce an option which would accept an arbitrary client certificate on validation.
Comment by Tareq Abedrabbo [14/Sep/08]
The problem is that Wss4j seems to be overzealous in its processing of ws-security headers. I'm not aware of a simple way of instructing it to ignore certificates.
Comment by Aleksander Adamowski [26/May/09]
As far as I've observed, it's enough to have the CA certificate present in the server's keystore. It's not necessary to import all possible client certificates. That's what PKI is for.
So if you set up a proper PKI, the issue is nonexistent.
On the other hand, if you don't have a PKI and use self-signed client certificates, what good is such security?
If the server trusted any arbitrary certificate that the client sent in, then that wouldn't prove the identity of the sender in any way and would defeat the purpose of the whole signing mechanism.
The encryption mechanism's purpose would be defeated too: if you accept any certificate without validation, an attacker can mount man-in-the-middle attacks against the encryption securement, so the encryption doesn't offer any added security either.
So Robert, what you propose would effectively be no more secure than simply using no WS-Security whatsoever.
But it would be much more complex and require much more work to develop and maintain for a security layer which doesn't do its job.
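An added example (not from this issue or the Spring Web Services project) of how the setup in the description and the suggestion in Aleksander's comment fit together in a Spring-WS 1.5-style bean definition: the response is encrypted for whatever certificate signed the request (securementEncryptionUser set to useReqSigCert), and validationSignatureCrypto points at a truststore that holds only the CA certificate that issued the client certificates, not each client certificate. Bean ids, keystore files, aliases and passwords are assumptions, and the request is assumed to be signed but not encrypted.

```xml
<!-- Added example: assumed bean ids, keystore files, aliases and passwords. -->
<bean id="wsSecurityInterceptor"
      class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <!-- Outgoing response: sign with the server key, then encrypt for the client.
         useReqSigCert makes WSS4J encrypt with the certificate that signed the
         incoming request (the BinarySecurityToken / DirectReference case), so no
         client certificate has to be stored on the server for encryption. -->
    <property name="securementActions" value="Signature Encrypt"/>
    <property name="securementUsername" value="server"/>
    <property name="securementPassword" value="server-key-password"/>
    <property name="securementSignatureCrypto" ref="serverCrypto"/>
    <property name="securementEncryptionUser" value="useReqSigCert"/>
    <property name="securementEncryptionCrypto" ref="serverCrypto"/>

    <!-- Incoming request: verify the client signature. The signing certificate is
         checked against validationSignatureCrypto, so that store only needs the
         issuing CA certificate; a certificate from an unknown issuer is rejected. -->
    <property name="validationActions" value="Signature"/>
    <property name="validationSignatureCrypto" ref="trustCrypto"/>
</bean>

<!-- Server private key and certificate (assumed file and password). -->
<bean id="serverCrypto"
      class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
    <property name="keyStoreLocation" value="classpath:server.jks"/>
    <property name="keyStorePassword" value="server-keystore-password"/>
</bean>

<!-- Trust anchors only: the CA certificate(s) that sign client certificates.
     Individual client certificates are deliberately NOT imported here. -->
<bean id="trustCrypto"
      class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
    <property name="keyStoreLocation" value="classpath:truststore.jks"/>
    <property name="keyStorePassword" value="truststore-password"/>
</bean>
```

Onboarding a new client then means issuing it a certificate from the CA in truststore.jks, with no change to the server configuration, while a self-signed or foreign-CA certificate still fails signature validation, which is the check the thread argues must not be switched off.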
Comment by Arjen Poutsma [04/May/12]
Closing old issues