I need to validate a signed SOAP message, extract the certificate and authenticate the certificate against an LDAP directory, which makes a trust store unnecessary. I have been using WSS4J for a while now, but always with a local trust store. Taking a look at the official documentation and googling around, I couldn't find any reference to a scenario similar to mine. I was wondering if it would be possible to keep using WSS4J in that case.
Yes, you can use WSS4J for this use case. WSS4J uses the SignatureTrustValidator by default to validate trust in signing certificates:
You can plug your own implementation in there instead via:
If you are using CXF with WSS4J, there is a custom configuration constant that you can set that points to the Validator implementation for Signatures.
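As an added illustration (not code from the answer or from the WSS4J project), here is what such a plug-in validator can look like: it implements WSS4J's Validator interface directly instead of extending SignatureTrustValidator, and decides trust by looking the signer's certificate up in LDAP via JNDI. The WSS4J 2.x package names, the LDAP URL, the search base and the use of the userCertificate;binary attribute are assumptions for this example.

```java
import java.security.cert.*;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;

public class LdapSignatureValidator implements Validator {
    // Constructed directory settings for this example; adjust to the real environment.
    private static final String LDAP_URL = "ldap://ldap.example.com:389";
    private static final String SEARCH_BASE = "ou=people,dc=example,dc=com";

    // WSS4J has already verified the XML signature; this only decides whether the signer is trusted.
    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        X509Certificate[] chain = credential.getCertificates();
        if (chain == null || chain.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            X509Certificate signer = chain[0];
            signer.checkValidity(); // notBefore/notAfter only; revocation is not covered here
            if (!isPublishedInDirectory(signer)) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
        } catch (CertificateException | NamingException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
        return credential;
    }

    // Match the DER bytes of userCertificate;binary, not the subject DN, so a certificate that
    // merely copies a directory user's name is not accepted.
    private boolean isPublishedInDirectory(X509Certificate cert) throws NamingException, CertificateException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only need to know whether an entry matches
            return ctx.search(SEARCH_BASE, "(userCertificate;binary={0})",
                              new Object[] {cert.getEncoded()}, sc).hasMore();
        } finally {
            ctx.close();
        }
    }
}
```

Register it through WSSConfig.setValidator for the Signature element in plain WSS4J, or through the CXF signature validator property the answer refers to; the exact constant names depend on the WSS4J and CXF versions in use.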