...
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:test="http://apache.org/hello_world_soap_http"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">

    <!-- Validators: certificate validity period and trusted chain -->
    <bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />
    <bean id="trustedAuthorityValidator" class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <!-- Locator and Register handlers for X.509 certificates -->
    <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
        <constructor-arg ref="certificateRepo" />
    </bean>
    <bean id="x509Register" class="org.apache.cxf.xkms.x509.handlers.X509Register">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <!-- LDAP based implementation -->
    <bean id="certificateRepo" class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo">
        <constructor-arg ref="ldapServerConfig" />
        <constructor-arg ref="ldapSchemaConfig" />
        <constructor-arg value="dc=example,dc=com" />
    </bean>

    <!-- LDAP server URL, bind DN and bind password (sample values; a deployment
         should bind with a dedicated, least-privileged account rather than the
         directory manager) -->
    <bean id="ldapServerConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig">
        <constructor-arg value="ldap://localhost:2389" />
        <constructor-arg value="cn=Directory Manager,dc=example,dc=com" />
        <constructor-arg value="test" />
        <constructor-arg value="2" />
    </bean>

    <!-- Mapping of X.509 certificate fields onto LDAP attributes -->
    <bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig">
        <property name="certObjectClass" value="inetOrgPerson" />
        <property name="attrUID" value="uid" />
        <property name="attrIssuerID" value="manager" />
        <property name="attrSerialNumber" value="employeeNumber" />
        <property name="attrCrtBinary" value="userCertificate;binary" />
        <property name="constAttrNamesCSV" value="sn" />
        <property name="constAttrValuesCSV" value="X509 certificate" />
        <property name="serviceCertRDNTemplate" value="cn=%s,ou=services" />
        <property name="serviceCertUIDTemplate" value="cn=%s" />
        <!-- "&" must be written as "&amp;" inside an XML attribute value -->
        <property name="trustedAuthorityFilter" value="(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))" />
        <property name="intermediateFilter" value="(objectClass=inetOrgPerson)" />
    </bean>

    <!-- File based implementation -->
    <!--
    <bean id="certificateRepo" class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo">
        <constructor-arg value="../conf/certs" />
    </bean>
    -->
</beans>
```
The dateValidator and trustedAuthorityValidator beans are implementations of the Validator interface, providing validity date and trusted chain validation respectively.
x509Locator and x509Register are implementations of the Locator and Register interfaces for X.509 certificates.
certificateRepo is the repository implementation for the LDAP backend. LdapServerConfig and LdapSchemaConfig hold the LDAP configuration described in the following table:
Property | Sample Value | Description
---|---|---
ldapServerConfig arguments | | URL, base DN and credentials of the LDAP server
certObjectClass | inetOrgPerson | LDAP object class used to store certificates
attrUID | uid | LDAP attribute containing the X509 subject DN
attrIssuerID | manager | LDAP attribute containing the X509 issuer DN
attrSerialNumber | employeeNumber | LDAP attribute containing the X509 serial number
attrCrtBinary | userCertificate | LDAP attribute containing the X509 certificate content
constAttrNamesCSV | sn | Comma-separated list of mandatory LDAP attributes
constAttrValuesCSV | X509 certificate | Comma-separated list of values for the mandatory LDAP attributes
serviceCertRDNTemplate | cn=%s,ou=services | Relative distinguished name for service certificates
serviceCertUIDTemplate | cn=%s | Template to transform the service QName into the DN stored in attrUID
trustedAuthorityFilter | (&(objectClass=inetOrgPerson)(ou:dn:=CAs)) | Filter to determine trusted CAs for trusted chain validation
intermediateFilter | (objectClass=inetOrgPerson) | Filter to determine intermediate certificates for trusted chain validation
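To make the mapping in the table concrete, the following added example (not CXF's own code; how LdapCertificateRepo actually composes entries and filters is assumed here) shows how the ldapSchemaConfig properties turn a service certificate into an LDAP entry and into the search filter used to locate it again. Values placed into a filter are escaped per RFC 4515 so a subject DN cannot change the filter's structure; the certificate bytes and names are constructed sample data.

```python
# Added illustration, not CXF's own code: how the ldapSchemaConfig properties
# map a certificate onto an LDAP entry and onto the lookup filter.
# The exact way LdapCertificateRepo builds these is assumed, not taken from CXF.
from dataclasses import dataclass


@dataclass
class LdapSchemaConfig:
    # Defaults mirror the ldapSchemaConfig bean on this page.
    cert_object_class: str = "inetOrgPerson"
    attr_uid: str = "uid"                        # subject DN / service uid
    attr_issuer_id: str = "manager"              # issuer DN
    attr_serial_number: str = "employeeNumber"   # certificate serial number
    attr_crt_binary: str = "userCertificate;binary"
    const_attr_names_csv: str = "sn"
    const_attr_values_csv: str = "X509 certificate"
    service_cert_rdn_template: str = "cn=%s,ou=services"
    service_cert_uid_template: str = "cn=%s"
    trusted_authority_filter: str = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN pasted into a filter must not alter its shape."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def service_cert_entry(cfg, base_dn, service_name, issuer_dn, serial, der):
    """Return (dn, attributes) for registering a service certificate."""
    dn = f"{cfg.service_cert_rdn_template % service_name},{base_dn}"
    attrs = {
        "objectClass": cfg.cert_object_class,
        cfg.attr_uid: cfg.service_cert_uid_template % service_name,
        cfg.attr_issuer_id: issuer_dn,
        cfg.attr_serial_number: str(serial),
        cfg.attr_crt_binary: der,
    }
    # constAttrNamesCSV / constAttrValuesCSV: mandatory attributes, paired by position.
    names = [n.strip() for n in cfg.const_attr_names_csv.split(",")]
    values = [v.strip() for v in cfg.const_attr_values_csv.split(",")]
    attrs.update(zip(names, values))
    return dn, attrs


def locate_filter(cfg, subject_uid):
    """Filter that finds the entry whose attrUID equals the given subject uid."""
    uid = escape_filter_value(subject_uid)
    return f"(&(objectClass={cfg.cert_object_class})({cfg.attr_uid}={uid}))"
```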
Integration of the XKMS client into CXF security.
...