how to implement a different serverside keystore mechanism?

Stephan Schröde...
Joined: 2011-01-07

hi,

turns out there is a whole different problem layer I didn't grasp last week.
So we want to use secure web services with Mutual Certificates Security. The server is supposed to issue time-limited certificates for the clients on the fly.
I was told that this on-the-fly part was a problem because applications in production settings were not supposed to dynamically add trusted persons/modify the keystore file.
Therefore the idea was to plug in our own server-side keystore mechanism that doesn't look for the certificate in a keystore file but in our "keystore database".
1) Is it possible to plug in this functionality? (we use glassfish v3.1 b33)
2) How do I access, from within the web service, the certificate being used, so that I can retrieve the user currently accessing the web service? (This should just be a call to our "keystore database" once I have the client, isn't it?)

regards,
Stephan

markus_franke
Joined: 2007-10-10

ad 1) We use in a Metro + Jetty deployment the following keystore / truststore configuration:

<sc:keystore callbackhandler="MyKeyStoreCallbackHandler"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
</sc:keystore>
<sc:truststore callbackhandler="MyKeyStoreCallbackHandler"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server">
</sc:truststore>

whereas MyKeyStoreCallbackHandler does something like

import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.TrustStoreCallback;
import com.sun.xml.wss.impl.callback.KeyStoreCallback;
import com.sun.xml.wss.impl.callback.PrivateKeyCallback;

public class MyKeyStoreCallbackHandler implements CallbackHandler {

    // ConfigException, db and password are the poster's own configuration type,
    // database accessor and key password; their setup is elided here.
    public MyKeyStoreCallbackHandler() throws ConfigException, IOException {
        // Read configuration and connect to DB ...
    }

    public final void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof KeyStoreCallback) {
                // The server's own key store, loaded from the database instead of a file
                final KeyStoreCallback cb = (KeyStoreCallback) callback;
                KeyStore ks = null;
                try {
                    ks = db.getKeystore(...);
                } catch (Exception e) {
                    // swallowed: the callback is handed a null store
                }
                cb.setKeystore(ks);
            } else if (callback instanceof PrivateKeyCallback) {
                // The server's private key, looked up by alias in the store set above
                final PrivateKeyCallback cb = (PrivateKeyCallback) callback;
                try {
                    cb.setKey((PrivateKey) cb.getKeystore().getKey(cb.getAlias(), password));
                } catch (Exception e) {
                    // swallowed: no key is set
                }
            } else if (callback instanceof TrustStoreCallback) {
                // The trust store holding the client certificates, also from the database
                final TrustStoreCallback cb = (TrustStoreCallback) callback;
                KeyStore ks = null;
                try {
                    ks = db.getKeystore(...);
                } catch (Exception e) {
                    // swallowed: the callback is handed a null trust store
                }
                cb.setTrustStore(ks);
            } else {
                throw new UnsupportedCallbackException(callback, "Unsupported callback type encountered");
            }
        }
    }
}

See also "Dynamic KeyStore Configuration" chapter in http://weblogs.java.net/blog/kumarjayanti/archive/2009/06/security_token...
ad 2) Just use

import javax.security.auth.Subject;
import javax.xml.ws.handler.MessageContext;
import com.sun.xml.wss.SubjectAccessor;

Subject requesterSubject = SubjectAccessor.getRequesterSubject(messageContext);

and dump the contents. The X509Certificate is contained in its public credentials.
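The two parts of the answer above, worked through as one added example (written for this edit, not code from the thread, Metro or GlassFish). It assumes a hypothetical ClientCertificateRepository DAO over the "keystore database" that hands back DER-encoded client certificates and resolves a certificate to a user, and it calls SubjectAccessor.getRequesterSubject(messageContext) exactly as the answer shows. The handler is meant to be configured as the sc:truststore callbackhandler only; the server's own key pair can stay in a conventional keystore served by the default handler. Unlike the sketch above, a malformed row raises IOException so the handshake fails closed instead of running against a null or partial store, and rows outside their validity window are simply left out, which is what makes the time-limited certificates from the question expire without touching any file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.TrustStoreCallback;
import javax.xml.ws.handler.MessageContext;
import com.sun.xml.wss.SubjectAccessor;

/**
 * Serves the sc:truststore callback from a database instead of a .jks file and maps
 * the authenticated client certificate back to a user. Added example; the
 * repository interface below is an assumption, not a Metro API.
 */
public class DatabaseTrustStoreHandler implements CallbackHandler {

    /** Hypothetical DAO over the "keystore database". */
    public interface ClientCertificateRepository {
        /** alias -> DER-encoded X.509 certificate of every client currently allowed in */
        Map<String, byte[]> trustedCertificatesDer();
        /** user that was issued exactly this certificate, or null; match on issuer plus
         *  serial number or the full encoding, never on the subject DN alone */
        String userForCertificate(X509Certificate cert);
    }

    private final ClientCertificateRepository repository;

    public DatabaseTrustStoreHandler(ClientCertificateRepository repository) {
        this.repository = repository;
    }

    /**
     * Builds an in-memory trust store from the database rows. Rows outside their
     * validity window are skipped; a malformed row aborts with IOException so the
     * handshake fails closed rather than trusting a partially built store.
     */
    public static KeyStore buildTrustStore(Map<String, byte[]> rows) throws IOException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // fresh empty store: no file, no password
            for (Map.Entry<String, byte[]> row : rows.entrySet()) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(row.getValue()));
                try {
                    cert.checkValidity(); // throws for expired or not-yet-valid certificates
                } catch (CertificateException notCurrentlyValid) {
                    continue; // time-limited certificate outside its window: leave it out
                }
                ks.setCertificateEntry(row.getKey(), cert);
            }
            return ks;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot build trust store from database", e);
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof TrustStoreCallback) {
                // Rebuilt on every call, so a certificate removed from the database is
                // distrusted immediately, with no redeploy and no keystore file edit.
                ((TrustStoreCallback) callback).setTrustStore(
                        buildTrustStore(repository.trustedCertificatesDer()));
            } else {
                // sc:keystore (the server's own key pair) is not served by this handler
                throw new UnsupportedCallbackException(callback, "unsupported callback type");
            }
        }
    }

    /** Client certificate that authenticated the current request, or null if none. */
    public static X509Certificate requesterCertificate(MessageContext messageContext) {
        Subject subject = SubjectAccessor.getRequesterSubject(messageContext);
        if (subject == null) {
            return null;
        }
        // Mutual Certificates Security places the verified client certificate here
        for (X509Certificate cert : subject.getPublicCredentials(X509Certificate.class)) {
            return cert;
        }
        return null;
    }

    /** Inside the web service: the user behind this request, or null if unauthenticated. */
    public String currentUser(MessageContext messageContext) {
        X509Certificate cert = requesterCertificate(messageContext);
        return cert == null ? null : repository.userForCertificate(cert);
    }
}
```

From a JAX-WS endpoint the MessageContext comes from an injected WebServiceContext (context.getMessageContext()). Rebuilding the store on every callback is the simplest way to honour revocations and expiry instantly; under heavy traffic a cache with a lifetime well below the shortest certificate validity keeps the same property at lower database cost.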