Support WSS4J subject cert constraints

spring-ws-security/src/main/java/org/springframework/ws/soap/security/wss4j2/Wss4jSecurityInterceptor.java

@@ -22,6 +22,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.regex.Pattern;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
@@ -59,6 +60,9 @@
 import org.springframework.ws.soap.security.callback.CleanupCallback;
 import org.springframework.ws.soap.security.wss4j2.callback.UsernameTokenPrincipalCallback;
 
+import static java.util.Collections.emptyList;
+import static java.util.Collections.unmodifiableList;
+
 /**
  * A WS-Security endpoint interceptor based on Apache's WSS4J. This interceptor supports messages created by the {@link
  * org.springframework.ws.soap.axiom.AxiomSoapMessageFactory} and the {@link org.springframework.ws.soap.saaj.SaajSoapMessageFactory}.
@@ -184,7 +188,21 @@ public void setSecurementActor(String securementActor) {
 	public void setSecurementEncryptionCrypto(Crypto securementEncryptionCrypto) {
 		handler.setSecurementEncryptionCrypto(securementEncryptionCrypto);
 	}
-
+
+	/**
+	 * Certificate constraints which will be applied to the subject DN of the certificate used for
+	 * signature validation, after trust verification of the certificate chain associated with the
+	 * certificate.
+	 *
+	 * @param patterns A comma separated String of regular expressions which will be applied to
+	 *                 the subject DN.
+	 *
+	 * @see <a href="https://ws.apache.org/wss4j/config.html">WSS4J configuration: SIG_SUBJECT_CERT_CONSTRAINTS</a>
+	 */
+	public void setSignatureValidationSubjectCertificateConstraints(String patterns) {
+	    handler.setOption(ConfigurationConstants.SIG_SUBJECT_CERT_CONSTRAINTS, patterns);
+	}
+
 	/**
 	 * Defines which key identifier type to use. The WS-Security specifications recommends to use the identifier type
 	 * {@code IssuerSerial}. For possible encryption key identifier types refer to {@link
@@ -646,7 +664,8 @@ protected RequestData initializeValidationRequestData(MessageContext messageCont
 		// allow for qualified password types for .Net interoperability
 		requestData.setAllowNamespaceQualifiedPasswordTypes(true);
 
-
+		requestData.setSubjectCertConstraints(getSubjectCertConstraints());
+
 		return requestData;
 	}
 
@@ -754,12 +773,27 @@ protected void verifyCertificateTrust(WSHandlerResult result) throws WSSecurityE
 			RequestData requestData = new RequestData();
 			requestData.setSigVerCrypto(validationSignatureCrypto);
 			requestData.setEnableRevocation(enableRevocation);
+			requestData.setSubjectCertConstraints(getSubjectCertConstraints());
 
 			SignatureTrustValidator validator = new SignatureTrustValidator();
 			validator.validate(credential, requestData);
 		}
 	}
 
+	private List<Pattern> getSubjectCertConstraints() {
+		String commaSeparatedCertConstraintPatterns = handler.getStringOption(ConfigurationConstants.SIG_SUBJECT_CERT_CONSTRAINTS);
+		if (commaSeparatedCertConstraintPatterns != null && !commaSeparatedCertConstraintPatterns.isEmpty()) {
+			String[] patternStrings = commaSeparatedCertConstraintPatterns.split(",");
+			List<Pattern> constraintPatterns = new ArrayList<>();
+			for (String pattern : patternStrings) {
+				constraintPatterns.add(Pattern.compile(pattern));
+			}
+			return unmodifiableList(constraintPatterns);
+		} else {
+			return emptyList();
+		}
+	}
+
 	/** Verifies the timestamp.
 	 * @param result*/
 	protected void verifyTimestamp(WSHandlerResult result) throws WSSecurityException {