> Please see
> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457

In your WSS4JInInterceptor config, you don't need the "passwordCallbackClass" property, as to verify a signature you only need the public key and hence no password.

> "Does the server really use the key from signaturePropFile to verify the
> signature on an incoming message? What's the role of the BinarySecurityToken
> in the incoming message then?"

The BinarySecurityToken contains the X509 certificate which corresponds to the key that was used to sign the message. This is all that's needed to verify the signature on the inbound side. The problem the message consumer is faced with then is: ok, I have a valid signature, but is the "signee" who he/she says they are? The keystore referenced in the signaturePropFile on the server side should contain the public key of the client, or preferably the certificate of the CA that issued the client cert, and this is used to verify trust on the signature.

Colm.

-----Original Message-----
From: Lukasz L. [mailto:[email protected]]
Sent: 12 December 2008 16:08
To: [email protected]
Subject: Signature question

Hi,

Maybe I should have asked this question here as it concerns WSS4J. Please see
http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457

Especially the question "Does the server really use the key from signaturePropFile to verify the signature on an incoming message? What's the role of the BinarySecurityToken in the incoming message then?"

--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p20978463.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
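The two-step check Colm describes (first verify the signature with the certificate carried in the BinarySecurityToken, then decide whether that certificate is trusted using the keystore behind signaturePropFile) as an added example in Go. This is not WSS4J code and not from the thread: the certificate names, the constructed SOAP body, ECDSA P-256 as the signing algorithm and the x509.CertPool standing in for the server keystore are all assumptions made for the example. The rogue case shows why step 1 alone is not enough: the signature is valid under the certificate the sender chose to attach, but that certificate was never issued by the CA the server trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Message stands in for the parts of a WS-Security envelope that matter here:
// the signed body, the signature value, and the BinarySecurityToken (BST),
// which carries the signer's X.509 certificate in DER form.
type Message struct {
	Body, Signature, BSTCert []byte
}

var serial int64 // constructed serial numbers for the certificates generated below

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn. With isCA it is self-signed (a trust
// anchor); otherwise it is signed by parent/parentKey, like a client cert
// issued by the CA whose certificate sits in the server's keystore.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	return key, der
}

// Sign is the client side: sign the body and attach the signer's own cert as the BST.
func Sign(body []byte, key *ecdsa.PrivateKey, certDER []byte) Message {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return Message{Body: body, Signature: sig, BSTCert: certDER}
}

// Verify is the server side. Step 1 needs nothing but the cert in the BST.
// Step 2 is the trust decision, which is what the keystore is for.
func Verify(msg Message, trusted *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(msg.BSTCert)
	if err != nil {
		return "", errors.Join(errors.New("bad BinarySecurityToken"), err)
	}
	// Step 1: is the signature valid under the public key in the BST?
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg.Body, msg.Signature); err != nil {
		return "", errors.Join(errors.New("signature invalid"), err)
	}
	// Step 2: does the BST cert chain to a CA in our keystore?
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", errors.Join(errors.New("signature valid but signer untrusted"), err)
	}
	return cert.Subject.CommonName, nil
}

type Result struct {
	TrustedCN      string // CN accepted for the cert issued by the trusted CA
	TrustedErr     error
	RogueErr       error // valid signature, but the BST cert is not issued by a trusted CA
	RogueUntrusted bool  // RogueErr is specifically a trust (unknown authority) failure
	TamperedErr    error // body modified after signing: fails at step 1
}

// Scenario runs the three cases against a server keystore holding only the CA cert.
func Scenario() Result {
	var r Result
	caKey, caDER := newCert("Example CA", true, nil, nil)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	trusted := x509.NewCertPool() // plays the role of the signaturePropFile keystore
	trusted.AddCert(ca)

	clientKey, clientDER := newCert("client.example", false, ca, caKey)
	rogueKey, rogueDER := newCert("rogue.example", true, nil, nil) // self-signed, unknown to the server
	body := []byte("<soap:Body>constructed sample payload</soap:Body>")

	good := Sign(body, clientKey, clientDER)
	r.TrustedCN, r.TrustedErr = Verify(good, trusted)

	_, r.RogueErr = Verify(Sign(body, rogueKey, rogueDER), trusted)
	var uae x509.UnknownAuthorityError
	r.RogueUntrusted = errors.As(r.RogueErr, &uae)

	tampered := good
	tampered.Body = []byte("<soap:Body>modified in transit</soap:Body>")
	_, r.TamperedErr = Verify(tampered, trusted)
	return r
}
```

The trust pool holds only the CA certificate, which is the arrangement Colm recommends over pinning each client's public key: any client cert the CA issues verifies without changes to the server keystore, while a self-signed cert presented in the BST passes the signature check and is still rejected.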
