The Spring Web Services class org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler implements X509 certificate validation with method handleCertificateValidationCallback(), which in turn uses an instance of the inner class KeyStoreCertificateValidator. The validate() method of KeyStoreCertificateValidator creates an instance of java.security.cert.PKIXBuilderParameters. The current implementation (I checked up to version Spring WS 2.1.4) calls setRevocationEnabled(false), i.e. certificate revocation checking of the PKIX service provider is turned off.
The revocation checking feature of the callback handler bean needs to be configurable as a bean property. There are other aspects of PKIXBuilderParameters that control the behavior of the PKIX service provider with respect to certificate validation. Therefore, it seems to be appropriate to allow the application to supply a configured instance of PKIXBuilderParameters.
Work-around: class KeyStoreCallbackHandler uses final methods and private inner classes. Therefore the revocation checking behavior cannot be changed in a class extension. I had to copy the class and modify line 648 to pass the value of a bean property isRevocationEnabled instead of false.