
KeyStoreCallbackHandler should allow the configuration of PKIXBuilderParameters, specifically to enable revocation checking [SWS-853] #929

Closed
gregturn opened this issue Nov 25, 2013 · 1 comment

@gregturn gregturn commented Nov 25, 2013

Jürgen Failenschmid opened SWS-853 and commented

The Spring Web Services class org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler implements X509 certificate validation with method handleCertificateValidationCallback(), which in turn uses an instance of the inner class KeyStoreCertificateValidator. The validate() method of KeyStoreCertificateValidator creates an instance of java.security.cert.PKIXBuilderParameters. The current implementation (I checked up to version Spring WS 2.1.4) calls setRevocationEnabled(false), i.e. certificate revocation checking of the PKIX service provider is turned off.

The revocation checking feature of the callback handler bean needs to be configurable as a bean property. There are other aspects of PKIXBuilderParameters that control the behavior of the PKIX service provider with respect to certificate validation. Therefore, it seems to be appropriate to allow the application to supply a configured instance of PKIXBuilderParameters.

Work-around: class KeyStoreCallbackHandler uses final methods and private inner classes. Therefore the revocation checking behavior cannot be changed in a class extension. I had to copy the class and modify line 648 to pass the value of a bean property isRevocationEnabled instead of false.


Affects: 2.1 GA, 2.1.4

Reference URL: http://forum.spring.io/forum/spring-projects/web-services/726232-certificate-revocation-support-in-web-services-xwss-2-1

Referenced from: commits 6620b1a
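The issue turns on one hard-coded call: the validator builds a `PKIXBuilderParameters` and sets `setRevocationEnabled(false)`, so a revoked client certificate still passes. The following is an added example, not Spring WS's `KeyStoreCallbackHandler` or any code from the project, showing the shape of the fix the report asks for: the application supplies (or the validator builds) the `PKIXBuilderParameters`, and revocation checking is a bean property instead of a constant. The class name `ConfigurablePkixValidator`, the `revocationEnabled` property and the truststore/certificate file arguments in `main` are assumptions made for illustration; the JDK classes used (`PKIXBuilderParameters`, `CertPathBuilder`, `PKIXRevocationChecker`) are standard `java.security.cert` API.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;

/**
 * Hypothetical validator (added example, not Spring WS code) that exposes the
 * behaviour the issue asks for: revocation checking is a configurable property
 * and the PKIX parameters can be customised by overriding buildParameters().
 */
public class ConfigurablePkixValidator {

    private final KeyStore trustStore;
    private final boolean revocationEnabled; // the "isRevocationEnabled" bean property from the report

    public ConfigurablePkixValidator(KeyStore trustStore, boolean revocationEnabled) {
        this.trustStore = trustStore;
        this.revocationEnabled = revocationEnabled;
    }

    /**
     * Builds the PKIX parameters for one target certificate. Subclasses (or a
     * bean property holding a pre-built instance) can adjust any other aspect
     * of PKIXBuilderParameters here, which the issue notes is impossible when
     * the class is final and the parameters are created in a private inner class.
     */
    protected PKIXBuilderParameters buildParameters(X509Certificate target)
            throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, selector);
        // Weak original behaviour was the constant: params.setRevocationEnabled(false);
        params.setRevocationEnabled(revocationEnabled);
        return params;
    }

    /** Builds and validates the chain; throws CertPathBuilderException if no valid path exists. */
    public PKIXCertPathBuilderResult validate(X509Certificate target, List<X509Certificate> intermediates)
            throws GeneralSecurityException {
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXBuilderParameters params = buildParameters(target);
        if (!intermediates.isEmpty()) {
            // Intermediates presented by the peer are made available for path building only;
            // trust still comes solely from the trust store's anchors.
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(intermediates)));
        }
        if (revocationEnabled) {
            // A PKIXRevocationChecker is honoured regardless of the RevocationEnabled flag and
            // performs OCSP/CRL fetching; without it the default provider only consults CRLs
            // already present in the CertStores. No SOFT_FAIL: an unknown status is a failure.
            PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
            checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(checker);
        }
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    // Usage: java ConfigurablePkixValidator <truststore.jks> <password> <peer-cert.cer>
    // (file arguments are assumed for the example)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate target;
        try (InputStream in = Files.newInputStream(Paths.get(args[2]))) {
            target = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ConfigurablePkixValidator validator = new ConfigurablePkixValidator(ks, true);
        try {
            PKIXCertPathBuilderResult result = validator.validate(target, Collections.emptyList());
            System.out.println("valid, anchored at: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With `revocationEnabled` true and the provider unable to obtain a CRL or OCSP response, `build()` fails rather than silently accepting the certificate; a deployment that needs fetching over the network must also allow the JVM to reach the CRL distribution points or OCSP responder named in the certificates.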


@gregturn gregturn commented Feb 3, 2014

Arjen Poutsma commented

Fixed.
