...

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://cxf.apache.org/core
        http://cxf.apache.org/schemas/core.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://cxf.apache.org/jaxws
        http://cxf.apache.org/schemas/jaxws.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-2.0.xsd">

    <!-- Validators: certificate validity period and trusted-chain checks -->
    <bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />

    <bean id="trustedAuthorityValidator"
        class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <!-- Locator and Register handlers for X509 certificates -->
    <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <bean id="x509Register"
        class="org.apache.cxf.xkms.x509.handlers.X509Register">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <!-- LDAP based implementation -->

    <bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo">
        <constructor-arg ref="ldapServerConfig" />
        <constructor-arg ref="ldapSchemaConfig" />
        <constructor-arg value="dc=example,dc=com" />
    </bean>

    <!-- LDAP server URL, bind DN, bind password and connection count -->
    <bean id="ldapServerConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig">
        <constructor-arg value="ldap://localhost:2389" />
        <constructor-arg value="cn=Directory Manager,dc=example,dc=com" />
        <constructor-arg value="test" />
        <constructor-arg value="2" />
    </bean>

    <!-- Mapping of certificate fields onto LDAP object class and attributes -->
    <bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig">
        <property name="certObjectClass" value="inetOrgPerson" />
        <property name="attrUID" value="uid" />
        <property name="attrIssuerID" value="manager" />
        <property name="attrSerialNumber" value="employeeNumber" />
        <property name="attrCrtBinary" value="userCertificate;binary" />
        <property name="constAttrNamesCSV" value="sn" />
        <property name="constAttrValuesCSV" value="X509 certificate" />
        <property name="serviceCertRDNTemplate" value="cn=%s,ou=services" />
        <property name="serviceCertUIDTemplate" value="cn=%s" />
        <property name="trustedAuthorityFilter" value="(&#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))" />
        <property name="intermediateFilter" value="(objectClass=inetOrgPerson)" />
    </bean>

    <!-- File based implementation -->

    <!-- bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo">
        <constructor-arg value="../conf/certs" />
    </bean-->

</beans>
```

The dateValidator and trustedAuthorityValidator beans are implementations of the Validator interface, providing validity-date checking and trusted-chain validation respectively.
x509Locator and x509Register are implementations of the Locator and Register interfaces for X509 certificates.
certificateRepo is the repository implementation for the LDAP backend. LdapServerConfig and LdapSchemaConfig hold the LDAP configuration described in the following table:

| Property | Sample Value | Description |
| --- | --- | --- |
| ldapServerConfig arguments | | URL, baseDN and credentials of LDAP Server |
| certObjectClass | inetOrgPerson | LDAP object class used to store certificates |
| attrUID | uid | Attribute containing X509 subject DN |
| attrIssuerID | manager | LDAP attribute containing X509 issuer DN |
| attrSerialNumber | employeeNumber | LDAP attribute containing X509 serial number |
| attrCrtBinary | userCertificate | LDAP attribute containing X509 certificate content |
| constAttrNamesCSV | sn | Comma separated list of mandatory LDAP attributes |
| constAttrValuesCSV | X509 certificate | Comma separated list of mandatory LDAP attribute values |
| serviceCertRDNTemplate | cn=%s,ou=services | Relative distinguished name for service certificates |
| serviceCertUIDTemplate | cn=%s | Template to transform service QName to DN for storing into attrUID |
| trustedAuthorityFilter | (&(objectClass=inetOrgPerson)(ou:dn:=CAs)) | Filter to determine trusted CAs for trusted chain validation |
| intermediateFilter | (objectClass=inetOrgPerson) | Filter to determine intermediate certificates for trusted chain validation |
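
To show how the schema values above compose into LDAP DNs and how the two filters select entries, here is an added example (not CXF code and not its LdapCertificateRepo implementation) that evaluates the page's filters against a small constructed in-memory directory. It assumes the RFC 4515 meaning of the `ou:dn:=CAs` extensible match (some RDN of the entry's own DN equals ou=CAs) and applies RFC 4514 escaping to the name substituted into serviceCertRDNTemplate; whether CXF escapes that substitution is not stated on this page.

```python
import re

# Values taken from the ldapSchemaConfig bean and base DN shown on this page.
BASE_DN = "dc=example,dc=com"
SERVICE_CERT_RDN_TEMPLATE = "cn=%s,ou=services"
TRUSTED_AUTHORITY_FILTER = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))"
INTERMEDIATE_FILTER = "(objectClass=inetOrgPerson)"

# Constructed in-memory directory standing in for the LDAP server (not real data).
DIRECTORY = [
    {"dn": "ou=CAs,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    {"dn": "cn=Root CA,ou=CAs,dc=example,dc=com", "objectClass": ["inetOrgPerson"]},
    {"dn": "cn=Issuing CA,ou=intermediates,dc=example,dc=com", "objectClass": ["inetOrgPerson"]},
    {"dn": "cn=OrderService,ou=services,dc=example,dc=com", "objectClass": ["inetOrgPerson"]},
]

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a substituted service name cannot add extra RDNs
    (such as ',ou=CAs') and thereby satisfy the trusted-authority filter."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def service_cert_dn(service_name: str) -> str:
    """Fill serviceCertRDNTemplate with the escaped name and append the base DN."""
    return (SERVICE_CERT_RDN_TEMPLATE % escape_rdn_value(service_name)) + "," + BASE_DN

def dn_has_rdn(dn: str, attr: str, value: str) -> bool:
    """':dn:' extensible match: some RDN of the entry's own DN equals attr=value."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    return any(r.strip().lower() == f"{attr}={value}".lower() for r in rdns)

def matches(entry: dict, filt: str) -> bool:
    """Evaluate the RFC 4515 subset the two page filters use:
    (attr=value), (attr:dn:=value) and an AND of such terms."""
    if filt.startswith("(&"):
        return all(matches(entry, "(" + t) for t in filt[3:-1].split("(") if t)
    attr, dn_match, value = re.fullmatch(r"\((\w+)(:dn:)?=([^)]*)\)", filt).groups()
    if dn_match:
        return dn_has_rdn(entry["dn"], attr, value)
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def select(entries, filt):
    """DNs of the entries a filter would return from the repository."""
    return [e["dn"] for e in entries if matches(e, filt)]

if __name__ == "__main__":
    print("trusted CAs:", select(DIRECTORY, TRUSTED_AUTHORITY_FILTER))
    print("intermediates:", select(DIRECTORY, INTERMEDIATE_FILTER))
```

Note that intermediateFilter as configured matches every inetOrgPerson entry, including the root CA and service certificates, so the chain builder has to rely on issuer matching rather than the filter to narrow the set.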

Integration of the XKMS client into CXF security

...