Wss4jSecurityInterceptor does not support separate password for signature

Question

Wss4jSecurityInterceptor does not support separate password for signature

dmitriizagurskii opened this issue 4 months ago · 0 comments

The Wss4jSecurityInterceptor does not support setting a separate password for the signature. Currently, when configuring the interceptor with both UsernameToken and signature, it uses the same password for both (Wss4jSecurityInterceptor#setSecurementPassword), making it impossible to specify different passwords for the UsernameToken and the signature.

This limitation makes it difficult to implement security setups that require different credentials for username authentication and digital signatures.

Current workaround I found is to extend the Wss4jSecurityInterceptor and override the request data initialization by specifying the password callback handler.
However, it seems logical to add a dedicated setSecurementSignaturePassword() method, as it is already possible to specify a separate user for the certificate alias - setSecurementSignatureUser.