I have somewhat of a problem.
We have a centralized interface engine that will talk to a web service that will provide complementary information and allow submitting requests to external systems. All this is good and fine until we have to integrate this with the required security from this provider.
They issue certificates distributed through smart cards (USB key) that the end user must use to have the software interact with said system (the web services). They insist that the (sometimes multiple) signatures be done against the end-user's certificate on his USB key. The private key is, of course, password protected.
How do I connect Axis2, which will ultimately handle all this, to the certificates that are on the end-user's computer?
The system is mostly a legacy thick-client application in Delphi 5; the interface engine interacts mostly with the database. Now we have managed to connect a piece of code that effectively connects the end-user's station to the interface server via a simple TCP socket.
---- EDIT ----
We implemented the solution with customized signature interceptor within CXF (we changed from Axis) that forwarded the message content to a signature proxy which in turn would find and connect the right signature service running on the user-interactive session where the original request came from.
I accepted Eugene's answer because even though we did not use the components he specified we did implement the solution that followed his proposal's general guidelines.
There is no escaping the fact that the signature has to be done in a user-interactive session because of the USB token. Additional constraints were imposed due to the fact that we used legacy systems and to the need to have the system work in a shared environment (Remote Desktop server). Though it is possible, it is not naturally supported by the web service frameworks or cryptographic libraries.
If you have the certificate residing on the client's USB token, then signing (as a cryptographic operation) must be performed on the client side. If you can modify this Delphi application, then you can use SecureBlackbox for signing. I know nothing about Axis2, but if it allows creation and plugging in of custom cryptographic modules, then you make one that will take a hash (which is what is actually signed) and send it to the client for signing.
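The split that both the edit and this answer describe (the server hashes, the user's session signs, the server verifies before accepting) can be shown end to end in a small Go program. This is an added example, not code from the question, the answer, CXF, Axis2 or SecureBlackbox. It assumes a length-prefixed framing of its own for the digest and signature messages, uses `net.Pipe` in place of the TCP socket between interface server and user station, and uses a software RSA key as a stand-in for the USB token (a real deployment would reach the token through PKCS#11 or the platform CSP; the rest of the flow is unchanged). The server side only ever sees a `crypto.Signer` whose `Sign` takes a digest, which is exactly the shape the answer recommends, and the session-side service refuses anything that is not a SHA-256 digest so it cannot be used as a blind signing oracle for arbitrary data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// remoteSigner runs on the interface server. It holds no private key:
// Sign() ships the digest to the user's interactive session and returns
// whatever signature comes back. Framework code sees a plain crypto.Signer.
type remoteSigner struct {
	pub  crypto.PublicKey
	conn net.Conn // stands in for the TCP socket to the user's station
}

func (r *remoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	if err := writeFrame(r.conn, digest); err != nil {
		return nil, err
	}
	return readFrame(r.conn)
}

// writeFrame / readFrame implement a constructed 4-byte length-prefixed framing.
func writeFrame(w io.Writer, b []byte) error {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(b)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(b)
	return err
}

func readFrame(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > 4096 { // bound memory on a hostile or corrupted peer
		return nil, fmt.Errorf("frame too large: %d", n)
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// signatureService is the process in the user's session that talks to the
// token. It signs only well-formed SHA-256 digests, so a compromised server
// cannot turn it into a signing oracle for arbitrary blobs.
func signatureService(conn net.Conn, key *rsa.PrivateKey) {
	defer conn.Close()
	for {
		digest, err := readFrame(conn)
		if err != nil || len(digest) != sha256.Size {
			return
		}
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
		if err != nil || writeFrame(conn, sig) != nil {
			return
		}
	}
}

// SignRemotely hashes the request on the server, obtains the signature from
// the user's session, and verifies it against the user's public key before
// returning it (a bad or substituted signature is rejected here, not downstream).
func SignRemotely(message []byte) ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // simulated USB token key
	if err != nil {
		return nil, nil, err
	}
	srv, cli := net.Pipe()
	defer srv.Close()
	go signatureService(cli, key)

	signer := &remoteSigner{pub: &key.PublicKey, conn: srv}
	digest := sha256.Sum256(message)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return nil, nil, err
	}
	if err := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, nil, fmt.Errorf("session returned an invalid signature: %w", err)
	}
	return sig, &key.PublicKey, nil
}

func main() {
	sig, _, err := SignRemotely([]byte("constructed sample request body"))
	fmt.Println("signature bytes:", len(sig), "err:", err)
}
```

In a CXF or Axis2 deployment the `remoteSigner` role is played by the custom signature interceptor or crypto module: it computes the digest the framework would normally sign locally and blocks on the user's session for the result. The verification step on the server is what catches a session that answers with a signature from the wrong token or a stale digest.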