  1. Spring Web Services
  2. SWS-426

Allow Wss4jSecurityInterceptor to accept arbitrary client certificate in validation phase

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 1.5.4
    • Fix Version/s: 1.5.5
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Wss4j 1.5.4

      Description

      Imagine a webservice which uses encrypted request and response messages. The client can sign the message with its private key and attach its certificate, which will be used on the server side to encrypt the response message. (This corresponds to the Binary Security tokens or DirectReference option and can be achieved by setting "useReqSigCert" for the securementEncryption user.) However, the Wss4j interceptor tries to validate the incoming client certificate against the Crypto specified in validationSignatureCrypto. Consequently, this requires a keystore which contains the client certificate, thus complicating client certificate management.

      Wss4j could introduce an option which would accept an arbitrary client certificate on validation.
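
      The setup described in this report, sketched as a Spring bean configuration. This is an added example, not configuration from the reporter or the project; the bean ids, keystore file names and passwords are constructed placeholders.

```xml
<!-- Added illustration; ids, file names and passwords are placeholders. -->
<bean id="clientTrustStore"
      class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
  <!-- Store consulted when the request signature is validated. Per the
       report, the client's certificate has to be present here. -->
  <property name="keyStoreLocation" value="classpath:/client-certs.jks"/>
  <property name="keyStorePassword" value="CHANGE_ME"/>
</bean>

<bean id="serverKeyStore"
      class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
  <!-- Holds the server's private key, used to decrypt the request. -->
  <property name="keyStoreLocation" value="classpath:/server.jks"/>
  <property name="keyStorePassword" value="CHANGE_ME"/>
</bean>

<bean id="wsSecurityInterceptor"
      class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
  <!-- Incoming request: verify the client's signature, then decrypt. -->
  <property name="validationActions" value="Signature Encrypt"/>
  <property name="validationSignatureCrypto" ref="clientTrustStore"/>
  <property name="validationDecryptionCrypto" ref="serverKeyStore"/>
  <property name="validationCallbackHandler">
    <bean class="org.springframework.ws.soap.security.wss4j.callback.KeyStoreCallbackHandler">
      <property name="privateKeyPassword" value="CHANGE_ME"/>
    </bean>
  </property>

  <!-- Outgoing response: encrypt with the certificate that signed the
       request, so the signature check above is the only control over
       which certificate the response is encrypted to. -->
  <property name="securementActions" value="Encrypt"/>
  <property name="securementEncryptionUser" value="useReqSigCert"/>
  <property name="securementEncryptionCrypto" ref="clientTrustStore"/>
</bean>
```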


          People

          • Assignee:
            tareq Tareq Abedrabbo
            Reporter:
            novotnyr Robert Novotny