Hi Colm, thank you for the reply. So the server checks the trust of the signature by comparing it with the key from the keystore, doesn't it? That makes sense, but I experienced something else: when I changed the keystore (for one containing the wrong key) without changing the client side, I still didn't receive any error and the message went through fine. Am I missing something in the configuration?
As for passwordCallbackClass, I thought that in the case of the "Signature" action this class is used to obtain the password to the entry in the keystore for the given alias (in signaturePropFile I have only the password to the keystore itself). Isn't that true?

Lukasz

Colm O hEigeartaigh wrote:
>
>> Please see
>> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
>
> In your WSS4JInInterceptor config, you don't need the
> "passwordCallbackClass" property, as to verify a signature you only need
> the public key and hence no password.
>
>> "Does the server really use the key from
>> signaturePropFile to verify the signature on the incoming message? What's the
>> role of the BinarySecurityToken in the incoming message then?"
>
> The BinarySecurityToken contains the X509 certificate which corresponds
> to the key that was used to sign the message. This is all that's needed
> to verify the signature on the inbound side. The problem the message
> consumer is faced with then is, ok I have a valid signature, but is the
> "signee" who he/she says they are? The keystore referenced in the
> signaturePropFile on the server side should contain the public key of
> the client, or preferably the certificate of the CA that issued the
> client cert, and this is used to verify trust on the signature.
>
> Colm.
>

--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p20981225.html
Sent from the WSS4J mailing list archive at Nabble.com.
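The two-step picture Colm describes (the certificate in the BinarySecurityToken verifies the signature, the keystore behind signaturePropFile decides whether that certificate is trusted) as an added example, not code from the thread or from the WSS4J project. It assumes the WSS4J 1.5.x / CXF 2.x API of the time (org.apache.ws.security.* packages); the file names server_trust.properties and server_trust.jks, the class name and the method names are illustrative. The isTrustedSigner helper is the check a practitioner wants after swapping keystores: it asks the very same Crypto instance the interceptor uses whether a signer certificate chains to the configured truststore, so a certificate from an unrelated keystore must come back as untrusted before a signed message from that client is accepted.

```java
// Added example (not from the mailing-list thread or the WSS4J project).
// Assumes WSS4J 1.5.x with CXF 2.x; property and file names are illustrative.
//
// server_trust.properties (hypothetical file referenced below):
//   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
//   org.apache.ws.security.crypto.merlin.keystore.type=jks
//   org.apache.ws.security.crypto.merlin.keystore.password=changeit
//   org.apache.ws.security.crypto.merlin.file=server_trust.jks
//
// server_trust.jks holds only the certificate of the CA that issued the client
// cert (or the client's own certificate). It contains no private key, so there
// is no key-entry password to supply and no passwordCallbackClass is needed.

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.WSHandlerConstants;

public class SignatureTrustExample {

    /** Inbound interceptor: verify the Signature, then establish trust via signaturePropFile. */
    static WSS4JInInterceptor inboundSignatureInterceptor() {
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        inProps.put(WSHandlerConstants.SIG_PROP_FILE, "server_trust.properties");
        // Deliberately no WSHandlerConstants.PW_CALLBACK_CLASS: the certificate
        // carried in the BinarySecurityToken supplies the public key, and the
        // truststore has no private keys that would need unlocking.
        return new WSS4JInInterceptor(inProps);
    }

    /** Wire the interceptor into a CXF server endpoint. */
    static void attach(JaxWsServerFactoryBean factory) {
        factory.getInInterceptors().add(inboundSignatureInterceptor());
    }

    /**
     * Practitioner check: load the signer's certificate (as it would arrive in the
     * BinarySecurityToken) and ask the server's own Crypto whether it chains to a
     * trust anchor in server_trust.jks. For a client whose certificate is not issued
     * by a CA in that keystore this must be false; if it is true, the properties
     * file is not pointing at the truststore you believe it is.
     */
    static boolean isTrustedSigner(String signerCertPath) throws Exception {
        Crypto crypto = CryptoFactory.getInstance("server_trust.properties");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream in = new FileInputStream(signerCertPath);
        try {
            X509Certificate signer = (X509Certificate) cf.generateCertificate(in);
            // Path validation against the keystore's certificates, the same step the
            // Signature action performs after the XML signature itself has verified.
            return crypto.validateCertPath(new X509Certificate[] { signer });
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SignatureTrustExample client-cert.cer
        System.out.println("signer trusted by server_trust.jks: " + isTrustedSigner(args[0]));
    }
}
```

Run isTrustedSigner once with the client certificate you intend to trust and once with a certificate from the "wrong" keystore; only the first should report trusted. The signature over the message verifies identically in both cases, which is exactly why the trust step against signaturePropFile has to be configured and tested separately.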
