Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-52

ACEGI authorization with IssuerSerial-based certificates


    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.0 M2
    • Fix Version/s: 1.0 M3
    • Component/s: None
    • Labels:


      It is not possible to perform ACEGI certificate-based processing in Spring-WS (1.0 M2) when the certificate is not embedded in the header of the SOAP message.

      When a certificate is embedded in a message, only CertificateValidationCallbacks are passed to the callback handlers. When a certificate is not embedded in the message (i.e., IssuerSerial reference), only SignatureVerificationKeyCallbacks are passed to the handlers. The KeyStoreCallbackHandler understands this one, and it does its job just fine: the certificate is found if already known to the server. The problem is that the ACEGI handler (AcegiCertificateValidationCallbackHandler) is not invoked, since it only understands the CertificateValidationCallback. So there is no way to configure the ACEGI security context unless the certificate is embedded in the message.

      Possible solutions:

      • Modify AcegiCertificateValidationCallbackHandler to also process SignatureVerificationKeyCallback
      • Create and use a new handler to perform ACEGI processing that accepts SignatureVerificationKeyCallback
      • Somehow cause XWSS to fire off a CertificateValidationCallback when the certificate is IssuerSerial


          Issue Links



              • Assignee:
                arjen.poutsma Arjen Poutsma
                wlsmith Wayne L. Smith
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: