Hi,

Does anyone know if an alternative to Merlin already exists that allows configuring Apache WSS4J with in-memory KeyStores, KeyManager and TrustManager or similar? Perhaps something similar to what is exposed in CXF using the org.apache.cxf.configuration.jsse.TLSClientParameters class?

We are experimenting with a common security library implementation on top of Apache CXF for a set of services with a common WS-Trust-like security model intended to be running in containers. It would be great if secrets could be fetched from a system like HashiCorp's Vault or similar; however, this seems to conflict with using static JKS keystores for the WSS4J configuration. Alternatively, it would perhaps be an idea to implement a custom crypto provider? Are there any critical pitfalls to be aware of, if this is the way to go?

Kind regards
Jesper Duelund Isaksen