org.apache.cxf.ws.security.wss4j
Class AbstractUsernameTokenAuthenticatingInterceptor
java.lang.Object
org.apache.ws.security.handler.WSHandler
org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor
- All Implemented Interfaces:
- SoapInterceptor, Interceptor<SoapMessage>, PhaseInterceptor<SoapMessage>
public abstract class AbstractUsernameTokenAuthenticatingInterceptor
- extends WSS4JInInterceptor
Base class providing an extensibility point for populating
javax.security.auth.Subject from a current UsernameToken.
WSS4J requires a password for validating digests, which may not be available
when an external security system provides the authentication. This class
implements the WSS4J Processor interface so that it can delegate UsernameToken
validation to an external system.
In order to handle digests, this class currently creates a new WSS4J Security Engine for
every request. If clear text passwords are expected then a supportDigestPasswords boolean
property with a false value can be used to disable creating security engines.
Note that if a UsernameToken containing a clear text password has been encrypted then
an application is expected to provide a password callback handler for decrypting the token only.
Fields inherited from class org.apache.ws.security.handler.WSHandler:
cryptos, DONE, secEngine
Method Summary
protected SecurityContext createSecurityContext(Principal p)
protected abstract Subject createSubject(String name, String password, boolean isDigest, String nonce, String created)
    Create a Subject representing a current user and its roles.
protected SecurityContext doCreateSecurityContext(Principal p, Subject subject)
    Creates default SecurityContext which implements isUserInRole using the
    following approach: skip the first Subject principal, and then check optional
    Groups the principal is a member of.
protected CallbackHandler getCallback(org.apache.ws.security.handler.RequestData reqData, int doAction, boolean utNoCallbacks)
protected org.apache.ws.security.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)
boolean getSupportDigestPasswords()
void handleMessage(SoapMessage msg)
    Intercepts a message.
protected void setSubject(String name, String password, boolean isDigest, String nonce, String created)
void setSupportDigestPasswords(boolean support)
Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor:
decodeEnableSignatureConfirmation, getAfter, getBefore, getId, getOption, getPassword, getPhase, getProperties, getRoles, getUnderstoodHeaders, handleFault, isRequestor, loadCryptoFromPropertiesFile, loadDecryptionCrypto, loadEncryptionCrypto, loadSignatureCrypto, postHandleMessage, setAfter, setBefore, setId, setPassword, setPhase, setProperties, setProperty, setProperty
Methods inherited from class org.apache.ws.security.handler.WSHandler:
checkReceiverResults, checkReceiverResultsAnyOrder, checkSignatureConfirmation, decodeCustomPasswordTypes, decodeDecryptionParameter, decodeEncryptionParameter, decodeMustUnderstand, decodeNamespaceQualifiedPasswordTypes, decodeSignatureParameter, decodeSignatureParameter2, decodeTimestampPrecision, decodeTimestampStrict, decodeTimeToLive, decodeUseEncodedPasswords, decodeUseSingleCertificate, decodeUTParameter, doReceiverAction, doSenderAction, getClassLoader, getPassword, getPasswordCB, getString, getStringOption, verifyTimestamp, verifyTimestamp, verifyTrust, verifyTrust
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
AbstractUsernameTokenAuthenticatingInterceptor
public AbstractUsernameTokenAuthenticatingInterceptor()
AbstractUsernameTokenAuthenticatingInterceptor
public AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)
setSupportDigestPasswords
public void setSupportDigestPasswords(boolean support)
getSupportDigestPasswords
public boolean getSupportDigestPasswords()
handleMessage
public void handleMessage(SoapMessage msg)
throws Fault
- Description copied from interface:
Interceptor
- Intercepts a message.
Interceptors should NOT invoke handleMessage or handleFault
on the next interceptor - the interceptor chain will
take care of this.
- Specified by:
handleMessage
in interface Interceptor<SoapMessage>
- Overrides:
handleMessage
in class WSS4JInInterceptor
- Throws:
Fault
createSecurityContext
protected SecurityContext createSecurityContext(Principal p)
- Overrides:
createSecurityContext
in class WSS4JInInterceptor
doCreateSecurityContext
protected SecurityContext doCreateSecurityContext(Principal p,
Subject subject)
- Creates default SecurityContext which implements isUserInRole using the
following approach: skip the first Subject principal, and then check optional
Groups the principal is a member of. Subclasses can override this method and implement
a custom strategy instead.
- Parameters:
p - principal
subject - subject
- Returns:
- security context
setSubject
protected void setSubject(String name,
String password,
boolean isDigest,
String nonce,
String created)
throws org.apache.ws.security.WSSecurityException
- Throws:
org.apache.ws.security.WSSecurityException
createSubject
protected abstract Subject createSubject(String name,
String password,
boolean isDigest,
String nonce,
String created)
throws SecurityException
- Create a Subject representing a current user and its roles.
This Subject is expected to contain at least one Principal representing a user,
optionally followed by one or more principal Groups this user is a member of.
It will also be available in doCreateSecurityContext.
- Parameters:
name - username
password - password
isDigest - true if a password digest is used
nonce - optional nonce
created - optional timestamp
- Returns:
- subject
- Throws:
SecurityException
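The following subclass is an added example of the extensibility point this class describes; it is not code from Apache CXF. It delegates the UsernameToken check to a hypothetical CredentialStore interface (assumed here, not part of CXF), handles both the clear-text and the digest form of the password (Password_Digest = Base64(SHA-1(nonce || created || password)), as defined by the WS-Security UsernameToken Profile), rejects stale created timestamps, and builds the Subject in the order doCreateSecurityContext expects: the user Principal first, then one Group per role. SimplePrincipal and SimpleGroup are assumed to be the org.apache.cxf.common.security classes; the 300-second freshness window is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.Set;

import javax.security.auth.Subject;

import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;

/** Hypothetical external credential backend (assumed for this example, not a CXF type). */
interface CredentialStore {
    /** Returns the stored password for the user, or null if the user is unknown. */
    String passwordFor(String username);
    /** Returns the roles (group names) the user belongs to. */
    Set<String> rolesFor(String username);
}

public class ExternalAuthUsernameTokenInterceptor extends AbstractUsernameTokenAuthenticatingInterceptor {

    // Assumption: a created timestamp further than this from server time is rejected.
    private static final long MAX_SKEW_SECONDS = 300;

    private final CredentialStore store;

    public ExternalAuthUsernameTokenInterceptor(CredentialStore store) {
        this.store = store;
    }

    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        String expected = store.passwordFor(name);
        boolean ok;
        if (expected == null) {
            ok = false;                       // unknown user; same error message as a bad password
        } else if (isDigest) {
            // Digest form needs the clear-text password on the server side, which is
            // exactly why the class description says WSS4J requires a password for digests.
            if (nonce == null || created == null) {
                throw new SecurityException("authentication failed for " + name);
            }
            checkCreatedFreshness(created);
            ok = constantTimeEquals(password, passwordDigest(nonce, created, expected));
        } else {
            ok = constantTimeEquals(password, expected);
        }
        if (!ok) {
            throw new SecurityException("authentication failed for " + name);
        }

        // First principal is the user; groups follow, as doCreateSecurityContext expects.
        Subject subject = new Subject();
        Principal user = new SimplePrincipal(name);
        subject.getPrincipals().add(user);
        for (String role : store.rolesFor(name)) {
            subject.getPrincipals().add(new SimpleGroup(role, user));
        }
        subject.setReadOnly();
        return subject;
    }

    /** Password_Digest = Base64(SHA-1(base64decode(nonce) || created || password)). */
    static String passwordDigest(String nonce, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonce));
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);
        }
    }

    /** Rejects created timestamps outside the allowed skew (an unparseable value also fails). */
    private static void checkCreatedFreshness(String created) {
        try {
            Instant ts = Instant.parse(created);
            long skew = Math.abs(Duration.between(ts, Instant.now()).getSeconds());
            if (skew > MAX_SKEW_SECONDS) {
                throw new SecurityException("UsernameToken created timestamp is outside the allowed window");
            }
        } catch (DateTimeParseException e) {
            throw new SecurityException("invalid UsernameToken created timestamp");
        }
    }

    /** Length-independent comparison so a wrong password does not leak the position of the mismatch. */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

If the backend can only verify clear-text passwords (for example an LDAP bind), the digest branch cannot be implemented; in that case call setSupportDigestPasswords(false) so that no per-request security engine is created, and reject tokens with isDigest set. The example deliberately does not cache nonces: a freshness window alone still allows replay inside that window, so a production subclass should also remember recently seen nonces for at least MAX_SKEW_SECONDS.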
getCallback
protected CallbackHandler getCallback(org.apache.ws.security.handler.RequestData reqData,
int doAction,
boolean utNoCallbacks)
throws org.apache.ws.security.WSSecurityException
- Overrides:
getCallback
in class WSS4JInInterceptor
- Throws:
org.apache.ws.security.WSSecurityException
getSecurityEngine
protected org.apache.ws.security.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)
- Overrides:
getSecurityEngine
in class WSS4JInInterceptor
- Returns:
- the WSSecurityEngine in use by this interceptor.
This engine is defined to be the secEngineOverride
instance, if defined in this class (and supplied through
construction); otherwise, it is taken to be the default
WSSecEngine instance (currently defined in the WSHandler
base class).
TODO the WSHandler base class defines secEngine to be static, which
is really bad, because the engine has mutable state on it.
Apache CXF