The Wss4jSecurityInterceptor does not support setting a separate password for the signature. Currently, when configuring the interceptor with both UsernameToken and signature, it uses the same password for both (Wss4jSecurityInterceptor#setSecurementPassword), making it impossible to specify different passwords for the UsernameToken and the signature.
This limitation makes it difficult to implement security setups that require different credentials for username authentication and digital signatures.
Current workaround I found is to extend the Wss4jSecurityInterceptor and override the request data initialization by specifying the password callback handler.
However, it seems logical to add a dedicated setSecurementSignaturePassword() method, as it is already possible to specify a separate user for the certificate alias - setSecurementSignatureUser.
The
Wss4jSecurityInterceptordoes not support setting a separate password for the signature. Currently, when configuring the interceptor with both UsernameToken and signature, it uses the same password for both (Wss4jSecurityInterceptor#setSecurementPassword), making it impossible to specify different passwords for the UsernameToken and the signature.This limitation makes it difficult to implement security setups that require different credentials for username authentication and digital signatures.
Current workaround I found is to extend the
Wss4jSecurityInterceptorand override the request data initialization by specifying the password callback handler. However, it seems logical to add a dedicatedsetSecurementSignaturePassword()method, as it is already possible to specify a separate user for the certificate alias -setSecurementSignatureUser.