[SWS-853] KeyStoreCallbackHandler should allow the configuration of PKIXBuilderParameters, specifically to enable revocation checking Created: 25/Nov/13  Updated: 20/Mar/14  Resolved: 03/Feb/14

Status: Resolved
Project: Spring Web Services
Component/s: None
Affects Version/s: 2.1 GA, 2.1.4
Fix Version/s: 2.2.RC1

Type: Improvement Priority: Critical
Reporter: J├╝rgen Failenschmid Assignee: Arjen Poutsma
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Reference URL: http://forum.spring.io/forum/spring-projects/web-services/726232-certificate-revocation-support-in-web-services-xwss-2-1

 Description   

The Spring Web Services class org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler implements X509 certificate validation with method handleCertificateValidationCallback(), which in turn uses an instance of the inner class KeyStoreCertificateValidator. The validate() method of KeyStoreCertificateValidator creates an instance of java.security.cert.PKIXBuilderParameters. The current implementation (I checked up to version Spring WS 2.1.4) calls setRevocationEnabled(false), i.e. certificate revocation checking of the PKIX service provider is turned off.

The revocation checking feature of the callback handler bean needs to be configurable as a bean property. There are other aspects of PKIXBuilderParameters that control the behavior of the PKIX service provider with respect to certificate validation. Therefore, it seems to be appropriate to allow the application to supply a configured instance of PKIXBuilderParameters.

Work-around: class KeyStoreCallbackHandler uses final methods and private inner classes. Therefore the revocation checking behavior cannot be changed in a class extension. I had to copy the class and modify line 648 to pass the value of a bean property isRevocationEnabled instead of false.



 Comments   
Comment by Arjen Poutsma [ 03/Feb/14 ]

Fixed.

Generated at Thu Dec 14 02:05:58 UTC 2017 using JIRA 6.4.14#64029-sha1:ae256fe0fbb912241490ff1cecfb323ea0905ca5.