Hi Ashwin,
I took a look at the WSS4JInInterceptor class and it seems that an exception
should be thrown:

    if (returnCert != null && !verifyTrust(returnCert, reqData))
    {
        LOG.warning("The certificate used for the signature is not trusted");
        throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
    }

I did more tests and I found a possible cause of confusion. It seems that some
configuration settings aren't reloaded after service assembly redeployment;
in addition, the server needs to be restarted.

I did tests in which I was changing the bob.properties file (changing the
keystore file name) and redeploying the service assembly. After redeployment
the behaviour wasn't changed, e.g. when I changed from the right keystore to
the wrong one, the signature was still valid, as if the old key was taken into
account.

When I stopped and started the server without any further changes, the
behaviour was as I expected (in the above case I got a signature validation
exception).

It's a bit strange because all properties and the keystore file are inside the
SU and it should be reloaded after redeployment.

Ashwin Karpe wrote:
>
> Hi Lukasz,
>
> I believe this may be related to the interceptor code itself. The
> interceptor code will need to be suitably modified to perform the check.
> The default example interceptor code shipping in SMX is not strict. It
> does not throw an exception when the match is not made and allows the call
> to go ahead. It was not designed for direct commercial use. Please check
> out the Java code for the interceptor and modify accordingly. Examples of
> how to throw a security exception and appropriate codes should be
> available in the WS-Security spec.
>
> The match is made in the Java code associated with the interceptor.
>
>
--
View this message in context:
http://www.nabble.com/CXF-WSS-example-tp20857457p21014553.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.