Apache CXF API

org.apache.cxf.ws.security.wss4j
Class AbstractUsernameTokenAuthenticatingInterceptor

java.lang.Object
  extended by org.apache.wss4j.dom.handler.WSHandler
      extended by org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
          extended by org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
              extended by org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor
All Implemented Interfaces:
SoapInterceptor, Interceptor<SoapMessage>, PhaseInterceptor<SoapMessage>

public abstract class AbstractUsernameTokenAuthenticatingInterceptor
extends WSS4JInInterceptor

Base class providing an extensibility point for populating javax.security.auth.Subject from the current UsernameToken. WSS4J requires a password for validating digests, which may not be available when an external security system performs the authentication. This class implements the WSS4J Processor interface so that it can delegate UsernameToken validation to an external system. In order to handle digests, this class currently creates a new WSS4J Security Engine for every request. If clear-text passwords are expected, the supportDigestPasswords boolean property can be set to false to disable creating security engines. Note that if a UsernameToken containing a clear-text password has been encrypted, the application is expected to provide a password callback handler for decrypting the token only.


Nested Class Summary
protected class AbstractUsernameTokenAuthenticatingInterceptor.CustomValidator

Field Summary
 
Fields inherited from class org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
PRINCIPAL_RESULT, PROCESSOR_MAP, SAML_ROLE_ATTRIBUTENAME_DEFAULT, SECURITY_PROCESSED, SIGNATURE_RESULT, TIMESTAMP_RESULT, VALIDATOR_MAP
 
Fields inherited from class org.apache.wss4j.dom.handler.WSHandler
cryptos, secEngine
 
Constructor Summary
AbstractUsernameTokenAuthenticatingInterceptor()
AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)

Method Summary
protected SecurityContext createSecurityContext(Principal p)
protected abstract Subject createSubject(String name, String password, boolean isDigest, String nonce, String created)
          Create a Subject representing a current user and its roles.
protected SecurityContext doCreateSecurityContext(Principal p, Subject subject)
          Creates a default SecurityContext which implements isUserInRole using the following approach: skip the first Subject principal, and then check the optional Groups the principal is a member of.
protected org.apache.wss4j.dom.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)
boolean getSupportDigestPasswords()
void handleMessage(SoapMessage msg)
          Intercepts a message.
protected void setSubject(String name, String password, boolean isDigest, String nonce, String created)
void setSupportDigestPasswords(boolean support)
 
Methods inherited from class org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
advanceBody, computeAction, configureReplayCaches, createSecurityEngine, doResults, doResults, getCallback, getCallback, getProperty, getReplayCache, isGET, isNonceCacheRequired, isSamlCacheRequired, isSecurityContextPrincipal, isTimestampCacheRequired, setAlgorithmSuites, setIgnoreActions
 
Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
getAdditionalInterceptors, getAfter, getBefore, getId, getOption, getPassword, getPhase, getProperties, getRoles, getUnderstoodHeaders, handleFault, isRequestor, loadCryptoFromPropertiesFile, postHandleMessage, setAfter, setBefore, setId, setPassword, setPhase, setProperties, setProperty, setProperty, translateProperties
 
Methods inherited from class org.apache.wss4j.dom.handler.WSHandler
checkReceiverResults, checkReceiverResultsAnyOrder, checkSignatureConfirmation, decodeAddInclusivePrefixes, decodeAlgorithmSuite, decodeAllowUsernameTokenNoPassword, decodeBooleanConfigValue, decodeBSPCompliance, decodeCustomPasswordTypes, decodeDecryptionParameter, decodeEnableSignatureConfirmation, decodeEncryptionParameter, decodeFutureTimeToLive, decodeIncludeEncryptionToken, decodeIncludeSignatureToken, decodeMustUnderstand, decodeNamespaceQualifiedPasswordTypes, decodePasswordType, decodeRequireSignedEncryptedDataElements, decodeSamlSubjectConfirmationValidation, decodeSignatureParameter, decodeSignatureParameter2, decodeTimestampPrecision, decodeTimestampStrict, decodeTimeToLive, decodeUse200512Namespace, decodeUseEncodedPasswords, decodeUseSingleCertificate, decodeUTParameter, doReceiverAction, doSenderAction, getCallbackHandler, getClassLoader, getPasswordCallbackHandler, getPasswordCB, getPasswordEncryptor, getString, getStringOption, loadCrypto, loadDecryptionCrypto, loadEncryptionCrypto, loadSignatureCrypto, loadSignatureVerificationCrypto
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AbstractUsernameTokenAuthenticatingInterceptor

public AbstractUsernameTokenAuthenticatingInterceptor()

AbstractUsernameTokenAuthenticatingInterceptor

public AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)
Method Detail

setSupportDigestPasswords

public void setSupportDigestPasswords(boolean support)

getSupportDigestPasswords

public boolean getSupportDigestPasswords()

handleMessage

public void handleMessage(SoapMessage msg)
                   throws Fault
Description copied from interface: Interceptor
Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next interceptor - the interceptor chain will take care of this.

Specified by:
handleMessage in interface Interceptor<SoapMessage>
Overrides:
handleMessage in class WSS4JInInterceptor
Throws:
Fault

createSecurityContext

protected SecurityContext createSecurityContext(Principal p)
Overrides:
createSecurityContext in class WSS4JInInterceptor

doCreateSecurityContext

protected SecurityContext doCreateSecurityContext(Principal p,
                                                  Subject subject)
Creates a default SecurityContext which implements isUserInRole using the following approach: skip the first Subject principal, and then check the optional Groups the principal is a member of. Subclasses can override this method and implement a custom strategy instead.

Parameters:
p - principal
subject - subject
Returns:
security context

setSubject

protected void setSubject(String name,
                          String password,
                          boolean isDigest,
                          String nonce,
                          String created)
                   throws org.apache.wss4j.common.ext.WSSecurityException
Throws:
org.apache.wss4j.common.ext.WSSecurityException

createSubject

protected abstract Subject createSubject(String name,
                                         String password,
                                         boolean isDigest,
                                         String nonce,
                                         String created)
                                  throws SecurityException
Create a Subject representing the current user and its roles. This Subject is expected to contain at least one Principal representing the user, optionally followed by one or more Group principals the user is a member of. It will also be available in doCreateSecurityContext.

Parameters:
name - username
password - password
isDigest - true if a password digest is used
nonce - optional nonce
created - optional timestamp
Returns:
subject
Throws:
SecurityException
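A subclass fulfilling this contract, as an added example and not code from the CXF project: it resolves the clear-text password from an external store (a constructed in-memory map here), verifies a digest token as PasswordDigest = Base64(SHA-1(nonce + created + password)) per the UsernameToken profile, and returns a Subject with the user Principal first followed by one Group per role, which is the shape doCreateSecurityContext consumes. The account store, the class name and the use of SimplePrincipal/SimpleGroup from org.apache.cxf.common.security are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;

public class StoreBackedUsernameTokenInterceptor
        extends AbstractUsernameTokenAuthenticatingInterceptor {
    // Constructed stand-in for the external account store: user -> {clear password, roles...}.
    private static final Map<String, String[]> ACCOUNTS = Map.of(
            "alice", new String[] {"s3cret", "admin", "staff"},
            "bob", new String[] {"hunter2", "staff"});

    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        String[] account = ACCOUNTS.get(name);
        String clear = account == null ? "" : account[0]; // same work for unknown users
        byte[] presented, expected;
        try {
            if (isDigest) {
                // PasswordDigest = Base64(SHA-1(nonce || created || password)); nonce is Base64 in the token
                MessageDigest md = MessageDigest.getInstance("SHA-1");
                md.update(Base64.getDecoder().decode(nonce));
                md.update(created.getBytes(StandardCharsets.UTF_8));
                expected = md.digest(clear.getBytes(StandardCharsets.UTF_8));
                presented = Base64.getDecoder().decode(password);
            } else {
                expected = clear.getBytes(StandardCharsets.UTF_8);
                presented = password.getBytes(StandardCharsets.UTF_8);
            }
        } catch (IllegalArgumentException | NullPointerException | NoSuchAlgorithmException e) {
            throw new SecurityException("malformed UsernameToken");
        }
        // Constant-time compare; one failure message for unknown user and wrong password.
        if (account == null || !MessageDigest.isEqual(presented, expected)) {
            throw new SecurityException("authentication failed");
        }
        // Contract from the Javadoc: the user Principal first, then one Group per role.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal(name));
        for (int i = 1; i < account.length; i++) {
            subject.getPrincipals().add(new SimpleGroup(account[i], name)); // assumed CXF helper
        }
        return subject;
    }
}
```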

getSecurityEngine

protected org.apache.wss4j.dom.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)
Overrides:
getSecurityEngine in class WSS4JInInterceptor
Returns:
the WSSecurityEngine in use by this interceptor. This engine is defined to be the secEngineOverride instance, if defined in this class (and supplied through construction); otherwise, it is taken to be the default WSSecEngine instance (currently defined in the WSHandler base class).
