Reputation: 13
I need to validate a signed SOAP message, extract the certificate and authenticate the certificate against an LDAP directory, which makes a trust store unnecessary. I have been using WSS4J for a while now, but always with a local trust store. Taking a look at the official documentation and googling around, I couldn't find any reference to a scenario similar to mine. I was wondering if it would be possible to keep using WSS4J in that case.
Upvotes: 1
Views: 1262
Reputation: 1900
Yes, you can use WSS4J for this use-case. WSS4J uses the SignatureTrustValidator by default to validate trust in signing certificates:
You can plug your own implementation in there instead via:
If you are using CXF with WSS4J, there is a custom configuration constant that you can set that points to the Validator implementation for Signatures.
Upvotes: 1
Reputation: 11
I faced the same problem and solved it in this way:
// Imports assume Spring-WS 2.x on WSS4J 1.6 (org.apache.ws.security); WSS4J 2.x moves
// WSSConfig into the org.apache.wss4j.dom packages and Spring-WS 3 uses the wss4j2 interceptor package.
import javax.xml.namespace.QName;
import org.apache.ws.security.WSSConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor;

@EnableWs
@Configuration
public class WsConfiguration extends WsConfigurerAdapter {
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
        // only the Signature action is validated on incoming messages
        securityInterceptor.setValidationActions("Signature");
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        // replace the default SignatureTrustValidator registered for the ds:Signature element
        wssConfig.setValidator(new QName("http://www.w3.org/2000/09/xmldsig#", "Signature"), MySignatureTrustValidator.class);
        securityInterceptor.setWssConfig(wssConfig);
        //the rest of configuration
        return securityInterceptor;
    }
}
Note that MySignatureTrustValidator must implement Validator.
Upvotes: 1
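As an added example that is not part of either answer or of the WSS4J project, here is a trust validator of the kind both answers describe: it authenticates the signing certificate against an LDAP directory instead of a trust store and is registered with the WSSConfig.setValidator call shown above. It is written against WSS4J 1.6 package names (org.apache.ws.security; WSS4J 2.x moves these classes under org.apache.wss4j.dom and reports errors through WSSecurityException.ErrorCode), and the directory URL, base DN and entry layout are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SignatureTrustValidator;

public class LdapSignatureTrustValidator extends SignatureTrustValidator {
    // Assumed (hypothetical) directory: each client entry sits directly under BASE_DN with
    // cn = the certificate's subject CN and userCertificate;binary = its DER-encoded certificate.
    private static final String LDAP_URL = "ldap://ldap.example.com:389";
    private static final String BASE_DN = "ou=clients,dc=example,dc=com";

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        X509Certificate[] certs = credential.getCertificates(); // filled in by WSS4J's SignatureProcessor
        if (certs == null || certs.length == 0) throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        boolean trusted;
        try {
            certs[0].checkValidity(); // expired or not-yet-valid certificates never reach the directory
            trusted = matchesDirectoryEntry(certs[0]);
        } catch (Exception e) { // certificate, naming or LDAP failure: fail closed
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION, null, null, e);
        }
        if (!trusted) throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        return credential;
    }

    // Trust requires the entry to hold exactly this certificate's DER bytes, so a certificate
    // that merely copies an enrolled subject CN is still rejected.
    private boolean matchesDirectoryEntry(X509Certificate cert) throws Exception {
        String cn = null;
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cn = rdn.getValue().toString();
        }
        if (cn == null) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        DirContext ctx = new InitialDirContext(env);
        try { // {0} is escaped by JNDI, so a crafted subject CN cannot change the filter
            NamingEnumeration<SearchResult> hits = ctx.search(BASE_DN, "(cn={0})", new Object[] {cn}, null);
            while (hits.hasMore()) {
                Attribute attr = hits.next().getAttributes().get("userCertificate;binary");
                if (attr != null && Arrays.equals(cert.getEncoded(), (byte[]) attr.get())) return true;
            }
            return false;
        } finally {
            ctx.close();
        }
    }
}
```

The null search controls default to a one-level search, which is why the layout assumes client entries directly under BASE_DN; WSS4J still needs a Crypto to parse the BinarySecurityToken, but no trust decision is taken from it.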