/**
 * {@inheritDoc}
 *
 * <p>Returns {@code false} when no certificate can be extracted from the message or when the
 * message carries no security header. Otherwise the message is run through inbound XWSS
 * verification. {@code credentialInfo.cert} is cleared on entry and is assigned only after
 * {@code verifyInboundMessage} has returned without throwing, so a caller never sees a
 * certificate from a message that failed verification.
 *
 * <p>Every exception raised inside the method (not only signature failures) is handled the same
 * way: when {@code ignoreSignatureVerificationErrors} is set the method returns {@code false},
 * logging the failure only if {@code logSignatureVerificationErrors} is also set; otherwise the
 * exception is wrapped in a {@link JAXRException}.
 *
 * @param msg the inbound SOAP message to verify
 * @param credentialInfo receives the sender certificate on successful verification
 * @return {@code true} if verification completed, {@code false} if the message is unsigned or a
 *     failure was ignored by configuration
 * @throws JAXRException if verification fails and failures are not configured to be ignored
 */
public boolean verifySoapMessage(SOAPMessage msg, CredentialInfo credentialInfo)
        throws JAXRException {
    try {
        // Clear any stale certificate first: the caller's object must only carry a
        // certificate once this message has actually been verified.
        credentialInfo.cert = null;

        // Pull the sender certificate out of the message by hand.
        ReceivedCertificate received = new ReceivedCertificate(msg);
        if (received.getCertificate() == null) {
            // No <wss:Security/> header, or no usable <wss:BinarySecurityToken/>.
            return false;
        }

        // Work on a scratch CredentialInfo so the caller's object stays untouched until
        // verification has succeeded.
        // NOTE(review): the certificate handed to the callback handler comes from the message
        // being verified. Whether it is checked against a trust anchor depends on
        // SecurityCallbackHandler, which is not visible here; confirm.
        CredentialInfo scratchCredentials = new CredentialInfo();
        scratchCredentials.cert = received.getCertificate();
        SecurityCallbackHandler callbackHandler = new SecurityCallbackHandler(scratchCredentials);
        // Default security environment backed by the callback handler above.
        SecurityEnvironment securityEnv = new DefaultSecurityEnvironmentImpl(callbackHandler);

        // Reuse the message if it is already securable, otherwise wrap it.
        SecurableSoapMessage securable =
                (msg instanceof SecurableSoapMessage)
                        ? (SecurableSoapMessage) msg
                        : new SecurableSoapMessage(msg);

        // A message without a wss:SecurityHeader is reported as unverified, not as an error.
        SecurityHeader header = securable.findSecurityHeader();
        if (header == null) {
            return false;
        }

        // A security header is present: build the XWSS processor and verify.
        // The configuration lookup receives the caller's credentialInfo, whose cert is still
        // null at this point, not the scratch copy.
        XWSSProcessor processor =
                XWSSProcessorFactory.newInstance()
                        .createForSecurityConfiguration(
                                getVerificationSecurityConfiguration(msg, credentialInfo),
                                callbackHandler);

        ProcessingContext ctx = new ProcessingContext();
        ctx.setSecurityEnvironment(securityEnv);
        ctx.setSOAPMessage(securable);
        processor.verifyInboundMessage(ctx);

        // Verification did not throw: publish the certificate to the caller.
        // NOTE(review): this is the certificate found by ReceivedCertificate, parsed
        // independently of the XWSS processor. Confirm both resolve the same security token
        // when a message carries more than one.
        credentialInfo.cert = received.getCertificate();
        return true;
    } catch (Exception e) {
        // The broad catch also covers non-signature failures (for example a null argument);
        // they are all reported under the same message key.
        if (!ignoreSignatureVerificationErrors) {
            throw new JAXRException(
                    CommonResourceBundle.getInstance()
                            .getString("message.verifySoapMessageFailed"),
                    e);
        }
        // Failures are ignored by configuration. With logging disabled as well, nothing is
        // recorded for a rejected message.
        if (logSignatureVerificationErrors) {
            log.error(
                    CommonResourceBundle.getInstance()
                            .getString("message.verifySoapMessageFailed"),
                    e);
        }
        return false;
    }
}