Richard,
that's correct. WSS4J does not perform the certificate verification. The
WSS4J Axis handlers have some code that performs a basic certificate path
verification. This was done because certificate path verification is
sometimes not necessary for basic security (encryption). WSS4J returns
the certificate used for signature verification to the calling application
(WSSecurityEngine does this).

Regards,
Werner

[EMAIL PROTECTED] wrote:
> I've searched quite a bit but have found nothing on how to get WSS4J to
> verify the root X509 certificate. Can anyone tell me how or point me to
> an example?
>  
> I am using WSS4J programmatically (not under Axis) to sign and verify
> SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I
> have gotten things working well except that the root certificate
> is not verified. I have been using a self-signed cert for testing and
> passing the cert in the BinarySecurityToken. Any certificate seems to be
> trusted, in fact I can even use an empty keystore on the server.
>  
> Rick Hansen
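
The trust check the calling application has to run on the certificate WSS4J hands back, as an added example that is not part of the original thread and is not WSS4J code: a PKIX path validation against the server truststore using the standard `java.security.cert` API. The class and method names are hypothetical, and pulling the signer's certificate chain out of the WSSecurityEngine results is assumed to be done by the caller.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/** Added example (not WSS4J code): trust check for the signer certificate. */
public final class SignerTrustCheck {

    /**
     * Throws unless the chain (signer certificate first) validates to a
     * certificate held in trustStore. Names here are hypothetical.
     */
    public static void requireTrusted(List<X509Certificate> chain, KeyStore trustStore,
                                      boolean checkRevocation) throws Exception {
        if (chain == null || chain.isEmpty()) {
            throw new CertificateException("no signer certificate supplied");
        }
        X509Certificate signer = chain.get(0);

        // Case 1: the signer certificate itself is pinned in the truststore.
        // This is the only way a self-signed test certificate is accepted.
        if (trustStore.getCertificateAlias(signer) != null) {
            signer.checkValidity(); // still reject expired / not-yet-valid
            return;
        }

        // Case 2: validate the path. Trust anchors come from the truststore,
        // never from the message, so a root sent in the message is dropped.
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            throw new CertPathValidatorException(
                    "self-signed certificate is not in the truststore");
        }

        // PKIXParameters throws InvalidAlgorithmParameterException when the
        // truststore has no trusted certificate entries, so an empty
        // keystore fails closed instead of trusting everything.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(checkRevocation); // needs CRL/OCSP when true

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }
}
```

Call it after signature verification succeeds and before acting on the message; any exception means the signer is not trusted.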

