This forum is now a read-only archive. All commenting, posting, registration services have been turned off. Those needing community support and/or wanting to ask questions should refer to the Tag/Forum map, and to http://spring.io/questions for a curated list of stackoverflow tags that Pivotal engineers, and the community, monitor.
No announcement yet.
WSS4J - binary security token examplePage Title Module
Since spring-ws doesn't officially support Certificate Authentication with wss4j at this point (it DOES support it using xwss) it's technically not a bug but a feature request. I would definitely vote for the request though.
Looking through the wss4j forums I saw a post that said the x.509 token profile usage is demonstrated in the "interop" sample application which is shipped with the binary distribution of wss4j 1.5.*. Hope this helps.
As I understand it now, wss4j "Signature" securement/validation action does BOTH signature validation AND x.509 token authentication (aka x.509 token profile). This makes sense b/c in order to validate the signature the server has to validate the x.509 certificate which was used to create the signature. For an example showing plain wss4j configuration for x.509 token profile configuration, look at this post.
I also found that if I set the securementSignatureKeyIdentifier to DirectReference on my Wss4jSecurityInterceptor bean I do get a wsse:BinarySecurityToken security header in the produced soap message. Here is my client config:
I'm confused. I thought this was already working as of 1.5, at least on the client side. This is my config - pretty much the same as pdotsenko's - and it's working great for me. I'm getting a BinarySecurityToken and everything.
barsimp47 - thanks for the post. I agree that x.509 token profile is indeed supported by spring-ws using wss4j since 1.5, it just wasn't obvious to me (and at least a few others) earlier. It is working for me as well.
Arjen, perhaps the JIRA task you created could be repurposed to request a short reference doc section like "Certificate Authentication" for Wss4jSecurityInterceptor, I think it would help other users.