Home/ Questions/Q 4113758
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T22:22:02+00:00

I have generated stubs and bindings using cxf codegen. Everything runs fine however the

  • 0

I have generated stubs and bindings using cxf codegen. Everything runs fine however the server still rejects the message because of security issues. Basically I have 3 layers to take care all of which require certificates (which I have).

  1. SSL Encryption on the pipe
  2. certificate signature on specific data element
  3. certificate XML Signature on the payload data.

To spice up the soup somewhat I do not have full control on the actual signature and certificates. Basically I have to extract the proper data, send it off to be signed and I have to re-inject the signed data in the transaction.

The certificates I do have access are in the Windows certificate store of the local machine (SSL and some signature)

Reading the documentation the framework seems to rely heavily on config voodoo magic. Unfortunately most of the links I have found spend a lot of time explaining in details how to generate the certificates but are rather skimp on how we actually get to use them.

Using CXF how do I achieve this ?

How do I access the proper hooks and with what code can I inject a signature on the message ?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Turned out CXF has all the capability to generate a proper signature from the start. Our problem was that the receiving end of the signature does not accept this standard signature. We had to create a custom signature system that ensures all the nit-pickiness and esoteric hocus-pocus required by the server‘s poor implementation to be in place. Namespace prefix had to be set to a very specific value regardless of the namespace declaration of the transaction. Whitespace had to be sometimes trimmed sometimes not etc…

    We therefore created an interceptor and injected it in the out interceptor list and that was it. Actually it was a tad bit more complicated because they insisted the soap transaction be signed with a certificate located on the USB key of the end-user. Our system centralises all interfaces so we had to juggle around a bit further to make it work but in the end all is good.

    I though the goal of using a standard was to provide a standard mean to do things, well… Some people it seems think they are better experts than the experts that create the standard and insist on adding their own pickle to the jar. someone should tell them adding pickles to raspberry jam does not make it taste better.

    • 0