Class AbstractUsernameTokenAuthenticatingInterceptor

java.lang.Object
org.apache.wss4j.dom.handler.WSHandler
org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor
All Implemented Interfaces:
org.apache.cxf.binding.soap.interceptor.SoapInterceptor, org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>, org.apache.cxf.phase.PhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

public abstract class AbstractUsernameTokenAuthenticatingInterceptor extends WSS4JInInterceptor
Base class providing an extensibility point for populating javax.security.auth.Subject from the current UsernameToken. WSS4J requires the password for validating digests, which may not be available when an external security system performs the authentication. This class implements the WSS4J Processor interface so that it can delegate UsernameToken validation to an external system. In order to handle digests, this class currently creates a new WSS4J Security Engine for every request. If clear text passwords are expected, then the supportDigestPasswords boolean property can be set to false to disable creating security engines. Note that if a UsernameToken containing a clear text password has been encrypted, then the application is expected to provide a password callback handler for decrypting the token only.
  • Constructor Details

    • AbstractUsernameTokenAuthenticatingInterceptor

      public AbstractUsernameTokenAuthenticatingInterceptor()
    • AbstractUsernameTokenAuthenticatingInterceptor

      public AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)
  • Method Details

    • setSupportDigestPasswords

      public void setSupportDigestPasswords(boolean support)
    • getSupportDigestPasswords

      public boolean getSupportDigestPasswords()
    • handleMessage

      public void handleMessage(org.apache.cxf.binding.soap.SoapMessage msg) throws org.apache.cxf.interceptor.Fault
      Specified by:
      handleMessage in interface org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>
      Overrides:
      handleMessage in class WSS4JInInterceptor
      Throws:
      org.apache.cxf.interceptor.Fault
    • doResults

      protected void doResults(org.apache.cxf.binding.soap.SoapMessage msg, String actor, Element soapHeader, Element soapBody, org.apache.wss4j.dom.handler.WSHandlerResult wsResult, boolean utWithCallbacks) throws jakarta.xml.soap.SOAPException, XMLStreamException, org.apache.wss4j.common.ext.WSSecurityException
      Overrides:
      doResults in class WSS4JInInterceptor
      Throws:
      jakarta.xml.soap.SOAPException
      XMLStreamException
      org.apache.wss4j.common.ext.WSSecurityException
    • doCreateSecurityContext

      protected org.apache.cxf.security.SecurityContext doCreateSecurityContext(Principal p, Subject subject)
Creates the default SecurityContext, which implements isUserInRole using the following approach: skip the first Subject principal, and then check the optional Groups the principal is a member of. Subclasses can override this method and implement a custom strategy instead.
      Parameters:
      p - principal
      subject - subject
      Returns:
      security context
    • setSubject

      protected void setSubject(String name, String password, boolean isDigest, String nonce, String created) throws org.apache.wss4j.common.ext.WSSecurityException
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • createSubject

      protected abstract Subject createSubject(String name, String password, boolean isDigest, String nonce, String created) throws SecurityException
      Create a Subject representing a current user and its roles. This Subject is expected to contain at least one Principal representing a user and optionally followed by one or more principal Groups this user is a member of. It will also be available in doCreateSecurityContext.
      Parameters:
      name - username
      password - password
      isDigest - true if a password digest is used
      nonce - optional nonce
      created - optional timestamp
      Returns:
      subject
      Throws:
      SecurityException
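The following subclass is an added example, not CXF's own code, showing how the extensibility point described above (class description and createSubject) can be used: the token is checked against a stand-in user store instead of a real external security system, and the returned Subject follows the layout doCreateSecurityContext expects (user Principal first, then the Groups it belongs to). It assumes org.apache.cxf.common.security.SimplePrincipal and SimpleGroup (with a SimpleGroup(String groupName, String memberName) constructor) are available; the user store, the class name StaticStoreUsernameTokenInterceptor and the credentials in it are constructed for the example. The digest check implements the WS-Security UsernameToken profile formula Base64(SHA-1(nonce || created || password)).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;

import javax.security.auth.Subject;

import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;

/**
 * Example subclass (not part of CXF): resolves the UsernameToken against an
 * in-memory store that stands in for an external security system, and builds
 * the Subject in the order the base class expects: user Principal first,
 * then the Groups the user is a member of.
 */
public class StaticStoreUsernameTokenInterceptor
        extends AbstractUsernameTokenAuthenticatingInterceptor {

    // Constructed sample data for the example, not a real credential store.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "example-password");
    private static final Map<String, String> ROLES = Map.of("alice", "admins");

    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        String stored = PASSWORDS.get(name);
        // Same failure message for unknown user and wrong password, so the
        // fault does not reveal which usernames exist.
        boolean ok = stored != null && (isDigest
                ? verifyDigest(password, nonce, created, stored)
                : constantTimeEquals(password, stored));
        if (!ok) {
            throw new SecurityException("Authentication failed");
        }

        Subject subject = new Subject();
        // First principal: the user itself (skipped by the default isUserInRole).
        subject.getPrincipals().add(new SimplePrincipal(name));
        // Following principals: groups, which the default SecurityContext
        // consults when isUserInRole(role) is called.
        String role = ROLES.get(name);
        if (role != null) {
            subject.getPrincipals().add(new SimpleGroup(role, name)); // assumed constructor
        }
        return subject;
    }

    /**
     * Recomputes the UsernameToken password digest from the token's nonce and
     * created timestamp and the stored clear-text password, then compares it to
     * the digest presented in the token.
     */
    static boolean verifyDigest(String presentedDigest, String nonceBase64,
                                String created, String storedPassword) {
        if (presentedDigest == null || nonceBase64 == null || created == null) {
            return false; // digest tokens must carry both nonce and created
        }
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonceBase64)); // raw nonce bytes
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(storedPassword.getBytes(StandardCharsets.UTF_8));
            String expected = Base64.getEncoder().encodeToString(sha1.digest());
            return constantTimeEquals(presentedDigest, expected);
        } catch (NoSuchAlgorithmException | IllegalArgumentException e) {
            return false; // malformed nonce or missing algorithm: reject
        }
    }

    /** Length-independent comparison so timing does not leak how many characters matched. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because this subclass validates digests itself, it only needs the stored clear-text password when a digest token arrives; if the deployment expects clear-text tokens only, setSupportDigestPasswords(false) avoids the per-request security engine the class description mentions. Note that once validation is delegated this way, freshness of the created timestamp and rejection of reused nonces become the subclass's responsibility; the example above does not track them and a production implementation should. The default SecurityContext returned by doCreateSecurityContext will answer isUserInRole("admins") as true for the Subject built here; override doCreateSecurityContext only if a different role-mapping strategy is needed.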
    • getSecurityEngine

      protected org.apache.wss4j.dom.engine.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)
      Overrides:
      getSecurityEngine in class WSS4JInInterceptor
      Returns:
      the WSSecurityEngine in use by this interceptor.