-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathrsu-policy-sign.xml
148 lines (138 loc) · 7.37 KB
/
rsu-policy-sign.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:cxf="http://cxf.apache.org/core"
xsi:schemaLocation="
http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml"/>
<!-- Handle secure / TLS Transport
The keystore client-truststore.jks contains the SSL cert. for the test system
as a trusted certificate.
For more information please see:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html
-->
<http:conduit name="*.http-conduit">
<!-- Set timeout to 3 minutes -->
<http:client Connection="Keep-Alive"
MaxRetransmits="1"
AllowChunking="false"
ConnectionTimeout="180000"/>
<http:tlsClientParameters>
<sec:keyManagers keyPassword="storepassword">
<sec:keyStore file="keystore/client-truststore.jks"
password="storepassword" type="JKS"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore file="keystore/client-truststore.jks"
password="storepassword" type="JKS"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- The following is just sample configuration.
The unix command nmap will list the currently support ciphers, e.g.:
nmap -script ssl-enum-ciphers -p 443 <FQDN>
-->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
<cxf:bus>
<cxf:inInterceptors>
<bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<!-- Configure WS-Security for RESPONSE -->
<bean id="ResponseWSPolicyFulfillment" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature"/>
<entry key="passwordCallbackClass" value="dk.skat.rsu.b2b.sample.UTPasswordCallback"/>
<!-- Signature Configuration -->
<entry key="signaturePropFile" value="etc/Client_Encrypt.properties"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</map>
</constructor-arg>
</bean>
</cxf:inInterceptors>
<cxf:outInterceptors>
<!-- Configure WS-Security for REQUEST -->
<bean id="RequestWSPolicyFulfillment" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature"/>
<!-- SKAT: Options =
- valid
- expired
- revoked
-->
<entry key="signatureUser" value="valid"/>
<entry key="passwordCallbackClass" value="dk.skat.rsu.b2b.sample.UTPasswordCallback"/>
<!-- General Configuration -->
<entry key="addInclusivePrefixes" value="false"/>
<!-- Signature Configuration -->
<entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="signaturePropFile" value="etc/Client_Sign.properties"/>
<entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</map>
</constructor-arg>
</bean>
<bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
</cxf:outInterceptors>
</cxf:bus>
<!-- This part is only relevant if the client consumes the effective WSDL of the
running web service. That is, fetches the WSDL from the running system and
in that case we have to ignore certain polices as CXF does not have native
handlers for these policies.
In this sample: the wsdl is fetched locally from the resources directory.
-->
<bean class="org.apache.cxf.ws.policy.IgnorablePolicyInterceptorProvider">
<constructor-arg>
<!-- the list of assertion types that can be ignored -->
<list>
<bean class="javax.xml.namespace.QName">
<constructor-arg value="http://www.bea.com/wls90/security/policy"/>
<constructor-arg value="Confidentiality"/>
</bean>
<bean class="javax.xml.namespace.QName">
<constructor-arg value="http://www.bea.com/wls90/security/policy"/>
<constructor-arg value="Identity"/>
</bean>
<bean class="javax.xml.namespace.QName">
<constructor-arg value="http://www.bea.com/wls90/security/policy"/>
<constructor-arg value="Integrity"/>
</bean>
<bean class="javax.xml.namespace.QName">
<constructor-arg value="http://www.bea.com/wls90/security/policy"/>
<constructor-arg value="MessageAge"/>
</bean>
</list>
</constructor-arg>
</bean>
</beans>