0 Replies Latest reply on Apr 5, 2009 4:45 PM by sun-certified

    best way to capture credentials in wsit-protected service?

    sun-certified

      hi forum,

      i'm working with jbossws metro 3.1.0.GA on jboss 5.0.1.GA.

      i've been able to get the glassfish example described at https://jax-ws.dev.java.net/guide/Configuring_Security_Using_NetBeans_IDE.html working by modifying it according to the jbossws metro-specific configuration instructions described at http://jbossws.jboss.org/mediawiki/index.php?title=Stack_Metro_User_Guide#WS-Security.

      unlike the original at https://jax-ws.dev.java.net/guide/Configuring_Security_Using_NetBeans_IDE.html (which uses a username token to authenticate), the one at http://jbossws.jboss.org/mediawiki/index.php?title=Stack_Metro_User_Guide#WS-Security uses a symmetric binding policy; meaning: the client creates a secret key, encrypts the secret key with the server's public key, the client sends the encrypted secret key in the soap request to the server; and the client and server sign and encrypt stuff back and forth using that encrypted secret (symmetric) key.

      now that i got that working as a proof of concept, i need to configure wsit for mutual x509 cert authentication. once the service receives and authenticates the client's x509 cert, i want to be able to capture the client's cert (from javax.security.auth.Subject.getPrincipal() or something) and extract the client's distinguished name - to do authorization based on the dn (using jbossxacml).

      please, can anybody here recommend the simplest, easiest way to do that? can i get at the subject in a handler if i get a hold of the WebServiceContext? can anybody point me to a straightforward, easy to follow recipe somewhere, please?

      thanks in advance for your help.
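
Added example, not part of the original post and not code from JBossWS or Metro: a JDK-only sketch of the DN handling the question describes, once an authenticated `javax.security.auth.Subject` is in hand. How the Subject is obtained from the stack is not shown; that it carries the client's `X509Certificate` as a public credential (or an `X500Principal`) is an assumption, and the class name, helper names and sample DN are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class ClientDnExample {

    /** Returns the caller's X.500 name from an authenticated Subject, or null if none is present. */
    static X500Principal callerName(Subject subject) {
        // Assumption: the validated client certificate is stored as a public credential.
        for (X509Certificate cert : subject.getPublicCredentials(X509Certificate.class)) {
            return cert.getSubjectX500Principal();
        }
        // Fallback assumption: the DN is exposed as an X500Principal instead.
        for (X500Principal p : subject.getPrincipals(X500Principal.class)) {
            return p;
        }
        return null;
    }

    /** X500Principal.equals compares canonical forms, so case and spacing differences do not matter. */
    static boolean isAllowed(X500Principal caller, Set<X500Principal> allowed) {
        return caller != null && allowed.contains(caller); // missing identity is denied
    }

    /** Reads one attribute (for example CN) to pass on as an input to an authorization decision. */
    static String attribute(X500Principal caller, String type) throws Exception {
        for (Rdn rdn : new LdapName(caller.getName(X500Principal.RFC2253)).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: stands in for the Subject the security layer would produce.
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=Test Client, OU=Demo, O=Example, C=US"));
        Set<X500Principal> allowed =
                Collections.singleton(new X500Principal("cn=test client,ou=demo,o=example,c=us"));

        X500Principal caller = callerName(subject);
        System.out.println(caller.getName(X500Principal.RFC2253));
        System.out.println(isAllowed(caller, allowed));
        System.out.println(attribute(caller, "CN"));
    }
}
```

Comparing `X500Principal` objects rather than raw DN strings avoids authorization mismatches caused by differences in case, whitespace or attribute ordering conventions between string formats.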