Wss4jSecurityInterceptor does not support separate password for signature

[dmitriizagurskii]

The Wss4jSecurityInterceptor does not support setting a separate password for the signature. Currently, when configuring the interceptor with both UsernameToken and signature, it uses the same password for both (Wss4jSecurityInterceptor#setSecurementPassword), making it impossible to specify different passwords for the UsernameToken and the signature.

This limitation makes it difficult to implement security setups that require different credentials for username authentication and digital signatures.

Current workaround I found is to extend the Wss4jSecurityInterceptor and override the request data initialization by specifying the password callback handler.
However, it seems logical to add a dedicated setSecurementSignaturePassword() method, as it is already possible to specify a separate user for the certificate alias - setSecurementSignatureUser.

[snicoll]

It's not the same thing though, from a Wss4jSecurityInterceptor perspective. setSecurementSignatureUser is merely setting the option in the RequestHandler when the password handling is involved by Spring-WS using Wss4jHandler.

I guess we could keep adding methods but I wonder if we shouldn't clean this up. We've recently introduced a way to set any arbitrary options and I wonder if that couldn't be further refined for cases like this.

Can you share a small sample that shows this in action?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.