
Configure keystore at runtime

dloiacono
Joined: 2005-04-11

Hi all,
I'm working on a Java client application that invokes web services with the Metro 1.1 stack.
The user logs on to the application with an X.509 certificate and requests a service.
That certificate must be used to prove the user's identity on the server side.

How can I configure the keystore and the alias for the client certificate dynamically, avoiding having to put this information into the WSIT configuration file?

kumarjayanti
Joined: 2003-12-10

Hi,

Can you see the following:

https://wsit.dev.java.net/issues/show_bug.cgi?id=844

We have introduced a CallbackHandler for getting the keystore and private keys.

Thanks.

dloiacono
Joined: 2005-04-11

Thanks, that's good news.

ernestojpg
Joined: 2005-10-09

Hi!

To define your own WSIT xwssCallbackHandler in an easy way, you only need to copy the 'XWSSCallbackHandler.java' file (attached) to your project folder, and change your WSIT config file in this form:



Where 'handlers.XWSSCallbackHandler' is the fully qualified class name of our XWSSCallbackHandler class.

This way all the callbacks and validations are managed in our XWSSCallbackHandler class, and we can handle the callbacks we want. In addition, we can set the WSIT config properties programmatically.

Regards.

dukin
Joined: 2010-04-14

Hello,

did you remove your attachment? Can I also have it? It would help me a lot. Thanks!

ernestojpg
Joined: 2005-10-09

I created my own xwssCallbackHandler in a very easy way. I used an instance of DefaultCallbackHandler (passing it my own properties during instantiation), and I delegated all calls to it.

This way, I can configure the whole keystore setup programmatically. If anyone is interested I can paste the code.

Regards.
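
The delegating approach described in the post above, written out as an added example (this is not the poster's attachment and not Metro/WSIT project code). It assumes the `DefaultCallbackHandler(String clientOrServer, Properties)` constructor and the property keys `keystore.url`, `keystore.type`, `keystore.password`, `my.alias` and `truststore.*` read by `com.sun.xml.wss.impl.misc.DefaultCallbackHandler` in Metro 1.x; the package name `handlers` and the `configure`/`clear` helpers are hypothetical. Check the names against the DefaultCallbackHandler.java shipped with your Metro version before relying on them.

```java
package handlers; // hypothetical package, matching the 'handlers.XWSSCallbackHandler' name used in the thread

import java.io.IOException;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import com.sun.xml.wss.impl.misc.DefaultCallbackHandler;

/**
 * xwssCallbackHandler that assembles its keystore/truststore settings at runtime
 * and delegates every callback to WSIT's DefaultCallbackHandler.
 * Referenced from the WSIT config as xwssCallbackHandler="handlers.XWSSCallbackHandler".
 */
public class XWSSCallbackHandler implements CallbackHandler {

    // Filled in by the application's logon code before the first service call.
    // A static holder is used because WSIT instantiates the handler itself through its no-arg constructor.
    private static volatile Properties runtimeProps;

    /** Called by the logon code once the user has chosen a certificate (hypothetical helper). */
    public static void configure(String keystorePath, String storeType, char[] keystorePassword,
                                 String alias, String truststorePath, char[] truststorePassword) {
        Properties p = new Properties();
        // Keys assumed to be the ones DefaultCallbackHandler reads; verify against your Metro version.
        p.setProperty("keystore.url", keystorePath);
        p.setProperty("keystore.type", storeType);
        p.setProperty("keystore.password", new String(keystorePassword));
        p.setProperty("my.alias", alias);
        p.setProperty("truststore.url", truststorePath);
        p.setProperty("truststore.type", storeType);
        p.setProperty("truststore.password", new String(truststorePassword));
        runtimeProps = p;
    }

    /** Drop the configuration, and the passwords it carries, when the user logs off. */
    public static void clear() {
        runtimeProps = null;
    }

    private final CallbackHandler delegate;

    public XWSSCallbackHandler() throws Exception {
        Properties p = runtimeProps;
        if (p == null) {
            // Fail closed: never fall back to a hard-coded keystore if logon has not configured one.
            throw new IllegalStateException(
                    "XWSSCallbackHandler.configure() must be called before the service is invoked");
        }
        // "client" selects the client-side behaviour of the default handler (assumed constructor signature).
        this.delegate = new DefaultCallbackHandler("client", p);
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // Every KeyStore, PrivateKey, password and validation callback goes to the stock handler.
        delegate.handle(callbacks);
    }
}
```

The logon code calls `XWSSCallbackHandler.configure(...)` after the user picks a certificate and `clear()` on logoff. Because `java.util.Properties` only holds `String` values, the keystore password ends up as an immutable `String` in the heap for as long as the holder lives; that is a limitation of configuring DefaultCallbackHandler this way, so keep the holder's lifetime short.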

dloiacono
Joined: 2005-04-11

Can you post your code please?

kumarjayanti
Joined: 2003-12-10

The alias can be selected dynamically using an aliasSelector instead of an alias. Please see the following article: https://xwss.dev.java.net/articles/security_config.html

location={absolute path to keystore file}
type={type of the keystore (default is JKS)}?
storepass={the password of the keystore as a string, OR a fully qualified classname of a
class implementing javax.security.auth.callback.CallbackHandler and that handles
the javax.security.auth.callback.PasswordCallback}
aliasSelector={the fully qualified classname of a class implementing
com.sun.xml.wss.AliasSelector interface}?
/>

For the keystore location:

When using WSIT on GlassFish (the DefaultCallbackHandler on GlassFish is used, and it is based on the JSR 196 model), the need to specify the keystore location, keystore password and keystore type is eliminated. The only thing one ever needs to specify in the case of GlassFish is the alias information. So you can use the default JSR 196 CallbackHandler, which knows where the keystore and truststore are located, or else you can specify your own JSR 196 based CBH.

So are you running on GlassFish or some other container?

If you are running on some other container then the only way for you is to supply your own CallbackHandler: https://xwss.dev.java.net/articles/security_config.html#Can_I_Specify_My...

Override the WSIT DefaultCallbackHandler, which is used for non-GlassFish containers.

On the client side:



Writing an xwssCallbackHandler can be cumbersome, so you would need to either look at DefaultCallbackHandler.java in WSIT or just start with a skeleton implementation, then experiment to see which callbacks the runtime makes for your application, and handle those in your xwssCallbackHandler.
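
The two runtime hooks named in the keystore configuration above (a storepass CallbackHandler that answers the PasswordCallback, and an aliasSelector), as an added example that is neither the poster's code nor part of the XWSS/Metro project. It assumes that `com.sun.xml.wss.AliasSelector` declares `String select(java.util.Map context)`, as in the XWSS sources of that era, and that the `storepass` and `aliasSelector` attributes accept the binary names of the nested classes (`handlers.RuntimeKeystoreSelection$StorePassHandler` and `$RuntimeAliasSelector`); the package and class names are hypothetical. This keeps the keystore location constant in the WSIT file, as suggested, while the password and alias come from the logged-on user.

```java
package handlers; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

import com.sun.xml.wss.AliasSelector;

/** Holder for the keystore password and alias chosen at logon; read by the two nested handlers. */
public final class RuntimeKeystoreSelection {

    private static volatile char[] keystorePassword;
    private static volatile String selectedAlias;

    private RuntimeKeystoreSelection() {}

    /** Called by the logon code after the user has picked a certificate (hypothetical helper). */
    public static void set(char[] password, String alias) {
        if (password == null || alias == null || alias.length() == 0) {
            throw new IllegalArgumentException("password and alias are required");
        }
        keystorePassword = password.clone();
        selectedAlias = alias;
    }

    /** Wipe the password on logoff; char[] can be zeroed, unlike a String. */
    public static void clear() {
        char[] pw = keystorePassword;
        keystorePassword = null;
        selectedAlias = null;
        if (pw != null) {
            Arrays.fill(pw, '\0');
        }
    }

    /**
     * Referenced as storepass="handlers.RuntimeKeystoreSelection$StorePassHandler".
     * The runtime hands it a javax.security.auth.callback.PasswordCallback for the keystore password.
     */
    public static class StorePassHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    char[] pw = keystorePassword;
                    if (pw == null) {
                        // Fail closed rather than answering with an empty password.
                        throw new IOException("keystore password not set; user is not logged on");
                    }
                    ((PasswordCallback) cb).setPassword(pw); // PasswordCallback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "only PasswordCallback is handled here");
                }
            }
        }
    }

    /**
     * Referenced as aliasSelector="handlers.RuntimeKeystoreSelection$RuntimeAliasSelector".
     * Returns the alias of the logged-on user's key pair; the context map is not needed for this policy.
     */
    public static class RuntimeAliasSelector implements AliasSelector {
        public String select(Map context) {
            String alias = selectedAlias;
            if (alias == null) {
                throw new IllegalStateException("no client alias selected; user is not logged on");
            }
            return alias;
        }
    }
}
```

The logon code calls `RuntimeKeystoreSelection.set(password, alias)` once the user has chosen a certificate and `clear()` on logoff. Both handlers throw instead of returning a default when nothing has been set, so a request made outside a logged-on session fails at the security layer rather than being signed with whichever key happens to be first in the keystore.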

dloiacono
Joined: 2005-04-11

I'm working on a standalone Java client with the Metro 1.1 libraries bundled that invokes some .NET web services. I'm not using an app server container.

So the solution is to write a custom xwssCallbackHandler to select the correct X.509 certificate at runtime.



Is that right?

kumarjayanti
Joined: 2003-12-10

No, this is not correct: the only supported callbackHandler types are the ones mentioned in the article, and CertificateCallbackHandler is not something that we support.

But you can first try the aliasSelector approach to select the alias dynamically, keeping the location constant.

Or try and follow the suggestion by ernesto (below)

kumarjayanti
Joined: 2003-12-10

Although we plan to uniformly support JSR 196 based callbacks for all containers in the near future, your usage of a CertificateCallbackHandler is probably what we can add in the interim period to avoid the difficulty of you having to completely override the default WSIT CBH.

dloiacono
Joined: 2005-04-11

Could configuring a CertStore on the client side and writing some Java class be a solution for my scenario?

https://xwss.dev.java.net/articles/security_config.html#CertStore_Config...

callbackHandler="{fully qualified ClassName of a class that implements
javax.security.auth.callback.CallbackHandler interface and handles
the com.sun.xml.wss.impl.callback.CertStoreCallback}"
certSelector="{fully qualified ClassName of a class that implements
the java.security.cert.CertSelector interface}"
/>

kumarjayanti
Joined: 2003-12-10

The certstore is not a replacement for the keystore. It is only used to locate other parties' certificates. To locate the key pair (private key, cert) of the client you would still need to use a keystore.