users@glassfish.java.net

Re: Glassfish Mutual Certificate Validation Problem

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Thu, 22 May 2008 17:30:05 +0530

Answered your question on Metro Forum.

Regards.

CE wrote:

>Hi all!
>
>We are using Glassfish to serve a secure Webservice to WCF Clients. The
>Service is secured by Mutual Certificate Authentication + Secure
>Conversation. Everything worked fine (with Metro Release 1.1 from December
>19, 2007) until we had to upgrade the metro webservice stack to the new
>version (metro release 1.2 from May 2, 2008) due to a Class-Cast-Bug which
>prevented the secured transmission of Exceptions.
>
>With the new version it seems that somehow the validation of the client
>certificate is bypassed, because we can connect with any X509Certificate, no
>matter if it's present in the server truststore (cacerts.jks) or not.
>
>If I connect with a certificate which has an invalid expiration date, an
>exception is thrown. It looks like some validation routines are
>called, but the validation of the certificate trust path is bypassed.
>
>Or am I missing some new configuration options?
>
>I have attached our wsit xml configuration ....
>
>Thanks in advance
>Chris
>
>http://www.nabble.com/file/p17401112/wsit-onkonet.server.wslayer.praxisservice.PraxisWS.xml
>wsit-onkonet.server.wslayer.praxisservice.PraxisWS.xml
>
>