Use signature validator of WSSConfig if available

Closes gh-953

Author: snicoll

spring-ws-security/build.gradle

@@ -35,6 +35,7 @@ dependencies {
 	testImplementation("org.assertj:assertj-core")
 	testImplementation("org.easymock:easymock")
 	testImplementation("org.junit.jupiter:junit-jupiter")
+	testImplementation("org.mockito:mockito-core")
 	testImplementation("org.springframework:spring-test")
 }
 

spring-ws-security/src/main/java/org/springframework/ws/soap/security/wss4j2/Wss4jSecurityInterceptor.java

@@ -45,6 +45,7 @@
 import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.SignatureTrustValidator;
 import org.apache.wss4j.dom.validate.TimestampValidator;
+import org.apache.wss4j.dom.validate.Validator;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -906,7 +907,10 @@ protected void verifyCertificateTrust(WSHandlerResult result) throws WSSecurityE
 			requestData.setSigVerCrypto(this.validationSignatureCrypto);
 			requestData.setEnableRevocation(this.enableRevocation);
 
-			SignatureTrustValidator validator = new SignatureTrustValidator();
+			Validator validator = (this.wssConfig != null) ? this.wssConfig.getValidator(WSConstants.SIGNATURE) : null;
+			if (validator == null) {
+				validator = new SignatureTrustValidator();
+			}
 			validator.validate(credential, requestData);
 		}
 	}

spring-ws-security/src/test/java/org/springframework/ws/soap/security/wss4j2/Wss4jMessageInterceptorX509Test.java

@@ -17,6 +17,9 @@
 package org.springframework.ws.soap.security.wss4j2;
 
 import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.wss4j.dom.validate.Validator;
 import org.junit.jupiter.api.Test;
 import org.w3c.dom.Document;
 
@@ -25,6 +28,11 @@
 import org.springframework.ws.soap.SoapMessage;
 import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
 public abstract class Wss4jMessageInterceptorX509Test extends Wss4jTest {
 
 	protected Wss4jSecurityInterceptor interceptor;
@@ -67,4 +75,25 @@ public void testAddCertificate() throws Exception {
 		this.interceptor.validateMessage(message, messageContext);
 	}
 
+	@Test
+	void validateSignatureWithWssConfig() throws Exception {
+		this.interceptor.setSecurementPassword("123456");
+		this.interceptor.setSecurementUsername("rsaKey");
+		SoapMessage message = loadSoap11Message("empty-soap.xml");
+		MessageContext messageContext = getSoap11MessageContext(message);
+
+		this.interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
+
+		this.interceptor.secureMessage(message, messageContext);
+		Document document = getDocument(message);
+		assertXpathExists("Absent BinarySecurityToken element",
+				"/SOAP-ENV:Envelope/SOAP-ENV:Header/wsse:Security/wsse:BinarySecurityToken", document);
+		WSSConfig wssConfig = WSSConfig.getNewInstance();
+		Validator validator = mock(Validator.class);
+		wssConfig.setValidator(WSConstants.SIGNATURE, validator);
+		this.interceptor.setWssConfig(wssConfig);
+		this.interceptor.validateMessage(message, messageContext);
+		verify(validator, times(2)).validate(any(), any()); // Also SignatureProcessor
+	}
+
 }