Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-426

Allow Wss4jSecurityInterceptor to accept arbitrary client certificate in validation phase


    • Type: New Feature
    • Status: Closed
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 1.5.4
    • Fix Version/s: 1.5.5
    • Component/s: Security
    • Labels:
    • Environment:
      Wss4j 1.5.4


      Imagine a webservice which uses encrypted request and response message. Client can sign the message by its private key and attach its certificate which will be used on the server side to encrypt a response message. (This correspons to the Binary Security tokens or DirectReference option and can be achieved by setting "useReqSigCert" for securementEncryption user). However, Wss4j interceptor tries to validate the incoming client certificate against the Crypto specified in validationSignatureCrypto. Consequently, this requires a keystore which contains the client certificate, thus complicating client certificate management.

      Wss4j could introduce an option which would accept arbitrary client certificate on validation.


        novotnyr Robert Novotny created issue -
        arjen.poutsma Arjen Poutsma made changes -
        Field Original Value New Value
        Fix Version/s 1.5.5 [ 11067 ]
        arjen.poutsma Arjen Poutsma made changes -
        Assignee Arjen Poutsma [ arjen.poutsma ] Tareq Abed Rabbo [ tareq ]
        arjen.poutsma Arjen Poutsma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]
        arjen.poutsma Arjen Poutsma made changes -
        Status Resolved [ 5 ] Closed [ 6 ]


          • Assignee:
            tareq Tareq Abedrabbo
            novotnyr Robert Novotny
          • Votes:
            0 Vote for this issue
            1 Start watching this issue


            • Created: