If an X.509 certificate is used to sign an incoming message, the following connection variables will be available to the SOAP processing function and accounting hook:

wss-token-owner owner of certificate, an example is "C=US/ST=MA/CN=User Name".
wss-token-issuer issued by , it's like above , but it's name of who is issued the certificate.
wss-token-serial serial number, an integer specific to certificate issuer.
wss-token-start valid from, a string containing a data of validity.
wss-token-end valid to, a string containing data of end of validity.

These can be accessed by invoking connection_get([name-of-info]) when processing the SOAP request, i.e. in the procedure being invoked or from a user defined accounting hook.

A user defined procedure hook named DB.DBA.WS_SOAP_ACCOUNTING can be used for accounting purposes. If it exists it will be invoked after the connection information is set. This PL hook should return 0 when an error occurs or 1 upon success. Hence, a SOAP request may be rejected based on some custom condition.

The procedure prototype is :

create procedure DB.DBA.WS_SOAP_ACCOUNTING ()
  -- custom logic
  return 1; -- on success
  return 0; -- on failure

Note that the usage of this functionality is global to the Virtuoso server, To get similar functionality for each SOAP method, the developer will need to include account checking within the PL procedures that are exposed as SOAP methods.