Resolution: Won't Fix
Affects Version/s: 1.0 M2
Fix Version/s: 1.0 M3
It is not possible to perform ACEGI certificate-based processing in Spring-WS (1.0 M2) when the certificate is not embedded in the header of the SOAP message.
When a certificate is embedded in a message, only CertificateValidationCallbacks are passed to the callback handlers. When a certificate is not embedded in the message (i.e., IssuerSerial reference), only SignatureVerificationKeyCallbacks are passed to the handlers. The KeyStoreCallbackHandler understands this one, and it does its job just fine: the certificate is found if already known to the server. The problem is that the ACEGI handler (AcegiCertificateValidationCallbackHandler) is not invoked, since it only understands the CertificateValidationCallback. So there is no way to configure the ACEGI security context unless the certificate is embedded in the message.
- Modify AcegiCertificateValidationCallbackHandler to also process SignatureVerificationKeyCallback
- Create and use a new handler to perform ACEGI processing that accepts SignatureVerificationKeyCallback
- Somehow cause XWSS to fire off a CertificateValidationCallback when the certificate is IssuerSerial