The SignatureTrustValidator does the actual trust verification on the received certificate/public-key. Yes a message part must be signed to verify client ownership of the corresponding private key.
Colm. On Tue, Feb 7, 2012 at 1:53 PM, sram <[email protected]> wrote: > Will the mere presence of client X.509 under supporting tokens validate > client authentication. I thought SignatureTrustValidator will validate the > received token against trust store for assertion. Not true? Should a > message part be signed to verify client auth? > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/SecurityPolicy-Option-tp5456290p5463176.html > Sent from the cxf-user mailing list archive at Nabble.com. -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
