The XMLSecurity DataFormat facilitates encryption and decryption of XML payloads at the Document, Element and Element Content levels (including simultaneous multi-node encryption/decryption using XPATH).

The encryption capability is based on formats supported using the Apache XML Security (Santuario) project. Symmetric encryption/decryption is currently supported using Triple-DES and AES (128, 192 and 256) encryption formats. Additional formats can be easily added later as needed. (Note: The support currently offered is for symmetric encryption. This means the same keyset is needed at both ends of the communication to encrypt/decrypt payloads.)
The capability allows Camel users to encrypt/decrypt payloads while being dispatched or received along a route.

Available as of Camel 2.9
The XMLSecurity DataFormat supports asymmetric key encryption. In this encryption model a symmetric key is generated and used to perform XML content encryption or decryption. This "content encryption key" is then itself encrypted using an asymmetric encryption algorithm that leverages the recipient's public key as the "key encryption key". Use of an asymmetric key encryption algorithm ensures that only the holder of the recipient's private key can access the generated symmetric encryption key. Thus, only the private key holder can decode the message. The XMLSecurity DataFormat handles all of the logic required to encrypt and decrypt the message content and encryption key(s) using asymmetric key encryption.

The XMLSecurity DataFormat also has improved support for namespaces when processing the XPath queries that select content for encryption. A namespace definition mapping can be included as part of the data format configuration. This enables true namespace matching, even if the prefix values in the XPath query and the target XML document are not equivalent strings.

Basic Options

| Option | Default | Description |
| --- | --- | --- |
| secureTag | null | The XPATH reference to the XML Element selected for encryption/decryption. If no tag is specified, the entire payload is encrypted/decrypted. |
| secureTagContents | false | A boolean value to specify whether the XML Element is to be encrypted or the contents of the XML Element: false = Element Level; true = Element Content Level |
| passPhrase | null | A String used as passPhrase to encrypt/decrypt content. The passPhrase has to be provided. If no passPhrase is specified, a default passPhrase is used. The passPhrase needs to be put together in conjunction with the appropriate encryption algorithm. For example, using TRIPLEDES the passPhrase can be "Only another 24 Byte key" |
| xmlCipherAlgorithm | TRIPLEDES | The cipher algorithm to be used for encryption/decryption of the XML message content. The available choices are: XMLCipher.TRIPLEDES, XMLCipher.AES_128, XMLCipher.AES_192, XMLCipher.AES_256 |
| namespaces | none | A map of namespace values indexed by prefix. The index values must match the prefixes used in the secureTag XPath query. |

Asymmetric Encryption Options

These options can be applied in addition to the relevant Basic options to use asymmetric key encryption.

| Option | Default | Description |
| --- | --- | --- |
| recipientKeyAlias | none | The key alias to be used when retrieving the recipient's public or private key from a KeyStore when performing asymmetric key encryption or decryption |
| keyCipherAlgorithm | none | The cipher algorithm to be used for encryption/decryption of the asymmetric key. The available choices are: XMLCipher.RSA_v1dot5, XMLCipher.RSA_OAEP |
| keyOrTrustStoreParameters | none | Configuration options for creating and loading a KeyStore instance that represents the sender's trustStore or recipient's keyStore. |

Marshal

In order to encrypt the payload, the marshal processor needs to be applied on the route followed by the secureXML() tag.

...

Code Block
import org.apache.xml.security.encryption.XMLCipher;
....
// XPath of the element to protect
String tagXPATH = "//cheesesites/italy/cheese";
// true = encrypt only the element's contents, false = the whole element
boolean secureTagContent = true;
// Triple-DES takes a 24-byte key, so the passPhrase is 24 bytes long
String passPhrase = "Just another 24 Byte key";
String algorithm = XMLCipher.TRIPLEDES;
from("direct:start").
    marshal().secureXML(tagXPATH, secureTagContent, passPhrase, algorithm).
    unmarshal().secureXML(tagXPATH, secureTagContent, passPhrase, algorithm).
to("direct:end");

Partial Payload Content with Namespace Support

Java DSL
Code Block

final Map<String, String> namespaces = new HashMap<String, String>();
namespaces.put("cust", "http://cheese.xmlsecurity.camel.apache.org/");

// Trust store holding the recipient's public key
final KeyStoreParameters tsParameters = new KeyStoreParameters();
tsParameters.setPassword("password");
tsParameters.setResource("sender.ts");

context.addRoutes(new RouteBuilder() {
    public void configure() {
        // testCypherAlgorithm is the xmlCipherAlgorithm value (an XMLCipher constant), defined elsewhere
        from("direct:start")
           .marshal().secureXML("//cust:cheesesites/italy", namespaces, true, "recipient", testCypherAlgorithm, XMLCipher.RSA_v1dot5, tsParameters).to("mock:encrypted");
    }
});

Spring XML

A namespace prefix that is defined as part of the camelContext definition can be re-used in context within the data format secureTag attribute of the secureXML element.

Code Block

    <camelContext id="springXmlSecurityDataFormatTestCamelContext" 
                  xmlns="http://camel.apache.org/schema/spring"
                  xmlns:cheese="http://cheese.xmlsecurity.camel.apache.org/">        
        <route>
            <from uri="direct://start"/>
                 <marshal>
                    <secureXML
                        secureTag="//cheese:cheesesites/italy"
                        secureTagContents="true" />
                 </marshal> 
		...

Asymmetric Key Encryption

Spring XML Sender
Code Block

    <!--  trust store configuration -->                          
    <camel:keyStoreParameters id="trustStoreParams" resource="./sender.ts" password="password"/>

    <camelContext id="springXmlSecurityDataFormatTestCamelContext" 
                  xmlns="http://camel.apache.org/schema/spring"
                  xmlns:cheese="http://cheese.xmlsecurity.camel.apache.org/">        
        <route>
            <from uri="direct://start"/>
                 <marshal>
                    <secureXML
                        secureTag="//cheese:cheesesites/italy"
                        secureTagContents="true"
                        xmlCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"       
                        keyCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
                        recipientKeyAlias="recipient"
                        keyOrTrustStoreParametersId="trustStoreParams" />
                </marshal> 
		...

Spring XML Recipient
Code Block
 
    <!--  key store configuration -->
    <camel:keyStoreParameters id="keyStoreParams" resource="./recipient.ks" password="password" />

    <camelContext id="springXmlSecurityDataFormatTestCamelContext" 
                  xmlns="http://camel.apache.org/schema/spring"
                  xmlns:cheese="http://cheese.xmlsecurity.camel.apache.org/">
        <route>    
            <from uri="direct://encrypted"/>
                <unmarshal>
                    <secureXML
                        secureTag="//cheese:cheesesites/italy"
                        secureTagContents="true"
                        xmlCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
                        keyCipherAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"
                        recipientKeyAlias="recipient"
                        keyOrTrustStoreParametersId="keyStoreParams" />
                </unmarshal>
                ...
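
The sender and recipient configuration above as one Java DSL round trip, added here as an example (not code from the Camel project). It selects XMLCipher.RSA_OAEP, the second key cipher in the options table, because RSA v1.5 key transport is exposed to padding-oracle attacks. It assumes Camel 2.x package names, the sender.ts and recipient.ks stores from the snippets above on the classpath, and a private key protected by the store password; the class name, helper and sample document are constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.xml.security.encryption.XMLCipher;

public class AsymmetricRoundTrip { // hypothetical class name
    // Constructed sample document using the namespace from the examples above.
    static final String SAMPLE =
        "<cheese:cheesesites xmlns:cheese=\"http://cheese.xmlsecurity.camel.apache.org/\">"
        + "<italy><cheese>Parmigiano</cheese></italy></cheese:cheesesites>";

    // Hypothetical helper: builds the store parameters used on each side.
    static KeyStoreParameters store(String resource) {
        KeyStoreParameters p = new KeyStoreParameters();
        p.setResource(resource);
        p.setPassword("password"); // placeholder from the page; load the real secret from configuration
        return p;
    }

    public static void main(String[] args) throws Exception {
        // The prefix "cust" differs from the document's "cheese"; matching is by namespace URI.
        final Map<String, String> ns = new HashMap<String, String>();
        ns.put("cust", "http://cheese.xmlsecurity.camel.apache.org/");
        final String tag = "//cust:cheesesites/italy";

        CamelContext context = new DefaultCamelContext();
        context.addRoutes(new RouteBuilder() {
            public void configure() {
                // Sender: the generated AES key is wrapped with the recipient's public key.
                from("direct:start")
                    .marshal().secureXML(tag, ns, true, "recipient",
                        XMLCipher.AES_128, XMLCipher.RSA_OAEP, store("sender.ts"))
                    .to("direct:encrypted");
                // Recipient: the key is unwrapped with the private key stored under the same alias.
                from("direct:encrypted")
                    .unmarshal().secureXML(tag, ns, true, "recipient",
                        XMLCipher.AES_128, XMLCipher.RSA_OAEP, store("recipient.ks"))
                    .to("mock:decrypted");
            }
        });
        context.start();
        String out = context.createProducerTemplate().requestBody("direct:start", SAMPLE, String.class);
        System.out.println(out.contains("Parmigiano") ? "round trip ok" : "round trip failed");
        context.stop();
    }
}
```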

Dependencies

This data format is provided in the camel-xmlsecurity component.