I have a proxy service (type Active-Intermediary) using the standard sign.xml policy.
I store client certificates in the Certificate Registry.
Signature validation works OK, but I need an additional check that the CN from the certificate matches the message sender.
In the Active-Intermediary proxy service I don't see the WS-Security headers, because it has the option "Process WS-Security Header" enabled and consumes these headers.
The first idea is to make an additional proxy service (type Pass-Through) and parse the X509 certificate from the SecurityToken using a Java Callout.
Is it the right way? Or can I do it a better way?