SY is missing support for "two-way-SSL", i.e. using the client certificate from the transport layer for authentication in the application layer.
The following code analysis shows where this should be done (but is not):
In org.switchyard.component.soap.InboundHandler.invoke(), the SecurityContext is filled. First, ThreadLocal CREDENTIALS is read (which is always empty since it is not filled by CXF), and then org.switchyard.component.soap.composer.SOAPBindingData.extractCredentials() is called, which collects credentials in three different paths:
This one looks for an Assertion/BinarySecurityToken in the message.
This one extracts a possible user principal from CXF's SecurityContext which itself got it out of the HttpServletRequest.
This one does exactly the same by calling HttpServletRequest.getUserPrincipal() directly. Moreover, it checks the authorization header. What it does not do is check the certificate chain.
So, in order for this to work, the following must be added to org.switchyard.security.credential.extractor.ServletRequestCredentialExtractor.extract:
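As an added illustration (not the reporter's proposed change and not SwitchYard code), the following sketch shows how a servlet-side extractor can read the TLS client certificate chain that the third path above does not look at. The class and method names are hypothetical; the only container API assumed is the standard Servlet request attribute `javax.servlet.request.X509Certificate`.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletRequest;

// Hypothetical helper for illustration; not part of SwitchYard.
public final class ClientCertChainReader {

    // Standard Servlet API attribute under which the container exposes
    // the client certificate chain negotiated during the TLS handshake.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertChainReader() {}

    /** Returns the client chain (leaf first), or an empty list if none was presented. */
    public static List<X509Certificate> readChain(ServletRequest request) {
        if (request == null) {
            return Collections.emptyList();
        }
        Object attr = request.getAttribute(CERT_ATTR);
        // Absent on plain HTTP, or when the connector did not ask for a client certificate.
        if (!(attr instanceof X509Certificate[])) {
            return Collections.emptyList();
        }
        X509Certificate[] chain = ((X509Certificate[]) attr).clone();
        for (X509Certificate cert : chain) {
            if (cert == null) {
                return Collections.emptyList(); // malformed chain: treat as "no credential"
            }
        }
        return Collections.unmodifiableList(Arrays.asList(chain));
    }

    /** Returns the leaf certificate if it is within its validity period, else null. */
    public static X509Certificate currentLeaf(ServletRequest request) {
        List<X509Certificate> chain = readChain(request);
        if (chain.isEmpty()) {
            return null;
        }
        X509Certificate leaf = chain.get(0); // the client's own certificate comes first
        try {
            leaf.checkValidity(); // expired / not-yet-valid certificates yield no credential
        } catch (CertificateException e) {
            return null;
        }
        return leaf;
    }
}
```

Trust-path validation against the truststore is expected to happen in the container's TLS layer; an extractor like this only maps an already-authenticated certificate (for example its `getSubjectX500Principal()`) into application-layer credentials.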