apache cxf - how to resolve client certificates in keystore

Question

I wrote a ws-security service that works very well so far. I have just one problem. My service can only be user from a single client... that is because of the service-config.xml where I need to name the explicit user I want the outgoing message encrypted for. My beans for the service look like this

    <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <!-- Use this action order for local clients -->
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <!-- Use this action spec for WCF clients
               <entry key="action" value="Signature Encrypt Timestamp"/>
               -->
                <entry key="signaturePropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
                <entry key="decryptionPropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
                <entry key="passwordCallbackClass"
                      value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
            </map>
        </constructor-arg>
    </bean>
    <!--
        WSS4JOutInterceptor for encoding and signing the SOAP response.
        There are some attacks that exploit the "cbc" mode of a Symmetric Encryption Algorithm. WSS4J has support for
         "gcm" mode algorithms as well. This can be specified via WSHandlerConstants.ENC_SYM_ALGO
         ("encryptionSymAlgorithm"), for example to "http://www.w3.org/2009/xmlenc11#aes128-gcm".
   -->
    <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="user" value="bob"/>
                <entry key="signaturePropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/bob.properties"/>
                <entry key="encryptionPropFile"
                      value="de/narz/apacheCXFTest/helloWorld/keyManagement/config/alice.properties"/>
                <entry key="signatureKeyIdentifier" value="DirectReference"/>
                <entry key="encryptionUser" value="Alice"/>
                <entry key="passwordCallbackClass"
                      value="de.narz.apacheCXFTest.helloWorld.passwordHandling.PasswordCallbackHandler"/>
                <entry key="signatureParts"
                      value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionParts"
                      value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm"
                      value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>

what can I do to force the service to determine the client alice by itself? Like this my alice-client is the only one that is able to communicate with the server. I want to store several client-keys in my keystore and the service shall determine all by itself which key to use.

would be great if someone can help me. thx

Answer 1

Instead of specifying an "encryptionUser" of "Alice" in your service, you can instead specify an "encryptionUser" of "useReqSigCert". This is a special value that tells CXF/WSS4J to use the client signing certificate for encryption.

Colm.