org.apache.cxf.ws.security.wss4j
Class AbstractUsernameTokenAuthenticatingInterceptor

java.lang.Object
  org.apache.ws.security.handler.WSHandler
      org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
          org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
              org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor

All Implemented Interfaces:

org.apache.cxf.binding.soap.interceptor.SoapInterceptor, org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>, org.apache.cxf.phase.PhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

public abstract class AbstractUsernameTokenAuthenticatingInterceptor
extends WSS4JInInterceptor

Base class providing an extensibility point for populating javax.security.auth.Subject from a current UsernameToken. WSS4J requires a password for validating digests which may not be available when external security systems provide for the authentication. This class implements WSS4J Processor interface so that it can delegate a UsernameToken validation to an external system. In order to handle digests, this class currently creates a new WSS4J Security Engine for every request. If clear text passwords are expected then a supportDigestPasswords boolean property with a false value can be used to disable creating security engines. Note that if a UsernameToken containing a clear text password has been encrypted then an application is expected to provide a password callback handler for decrypting the token only.

Nested Class Summary

protected class

AbstractUsernameTokenAuthenticatingInterceptor.CustomValidator

Field Summary

Fields inherited from class org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

PRINCIPAL_RESULT, PROCESSOR_MAP, SECURITY_PROCESSED, SIGNATURE_RESULT, TIMESTAMP_RESULT, VALIDATOR_MAP

Fields inherited from class org.apache.ws.security.handler.WSHandler

cryptos, secEngine

Constructor Summary

AbstractUsernameTokenAuthenticatingInterceptor()

AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)

Method Summary

protected org.apache.cxf.security.SecurityContext	createSecurityContext(Principal p)
protected abstract Subject	createSubject(String name, String password, boolean isDigest, String nonce, String created) Create a Subject representing a current user and its roles.
protected org.apache.cxf.security.SecurityContext	doCreateSecurityContext(Principal p, Subject subject) Creates default SecurityContext which implements isUserInRole using the following approach : skip the first Subject principal, and then check optional Groups the principal is a member of.
protected org.apache.ws.security.WSSecurityEngine	getSecurityEngine(boolean utNoCallbacks)
boolean	getSupportDigestPasswords()
void	handleMessage(org.apache.cxf.binding.soap.SoapMessage msg)
protected void	setSubject(String name, String password, boolean isDigest, String nonce, String created)
void	setSupportDigestPasswords(boolean support)

Methods inherited from class org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

advanceBody, computeAction, createSecurityEngine, doResults, doResults, getAdditionalInterceptors, getCallback, getCallback, getProperty, isGET, isSecurityContextPrincipal, setIgnoreActions

Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor

getAfter, getBefore, getId, getOption, getPassword, getPhase, getProperties, getRoles, getUnderstoodHeaders, handleFault, isRequestor, loadCryptoFromPropertiesFile, postHandleMessage, setAfter, setBefore, setId, setPassword, setPhase, setProperties, setProperty, setProperty, translateProperties

Methods inherited from class org.apache.ws.security.handler.WSHandler

checkReceiverResults, checkReceiverResultsAnyOrder, checkSignatureConfirmation, decodeBooleanConfigValue, decodeBSPCompliance, decodeCustomPasswordTypes, decodeDecryptionParameter, decodeEnableSignatureConfirmation, decodeEncryptionParameter, decodeFutureTimeToLive, decodeMustUnderstand, decodeNamespaceQualifiedPasswordTypes, decodePasswordType, decodePasswordTypeStrict, decodeSignatureParameter, decodeSignatureParameter2, decodeTimestampPrecision, decodeTimestampStrict, decodeTimeToLive, decodeUseEncodedPasswords, decodeUseSingleCertificate, decodeUTParameter, doReceiverAction, doSenderAction, getCallbackHandler, getClassLoader, getPasswordCallbackHandler, getPasswordCB, getString, getStringOption, loadCrypto, loadDecryptionCrypto, loadEncryptionCrypto, loadSignatureCrypto

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AbstractUsernameTokenAuthenticatingInterceptor

public AbstractUsernameTokenAuthenticatingInterceptor()

AbstractUsernameTokenAuthenticatingInterceptor

public AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)

Method Detail

setSupportDigestPasswords

public void setSupportDigestPasswords(boolean support)

getSupportDigestPasswords

public boolean getSupportDigestPasswords()

handleMessage

public void handleMessage(org.apache.cxf.binding.soap.SoapMessage msg)
                   throws org.apache.cxf.interceptor.Fault

Specified by:

handleMessage in interface org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>

Overrides:

handleMessage in class WSS4JInInterceptor

Throws:

org.apache.cxf.interceptor.Fault

createSecurityContext

protected org.apache.cxf.security.SecurityContext createSecurityContext(Principal p)

Overrides:

createSecurityContext in class WSS4JInInterceptor

doCreateSecurityContext

protected org.apache.cxf.security.SecurityContext doCreateSecurityContext(Principal p,
                                                                          Subject subject)

Creates default SecurityContext which implements isUserInRole using the following approach : skip the first Subject principal, and then check optional Groups the principal is a member of. Subclasses can override this method and implement a custom strategy instead

Parameters:

p - principal

subject - subject

Returns:

security context

setSubject

protected void setSubject(String name,
                          String password,
                          boolean isDigest,
                          String nonce,
                          String created)
                   throws org.apache.ws.security.WSSecurityException

Throws:

org.apache.ws.security.WSSecurityException

createSubject

protected abstract Subject createSubject(String name,
                                         String password,
                                         boolean isDigest,
                                         String nonce,
                                         String created)
                                  throws SecurityException

Create a Subject representing a current user and its roles. This Subject is expected to contain at least one Principal representing a user and optionally followed by one or more principal Groups this user is a member of. It will also be available in doCreateSecurityContext.

Parameters:

name - username

password - password

isDigest - true if a password digest is used

nonce - optional nonce

created - optional timestamp

Returns:

subject

Throws:

SecurityException

getSecurityEngine

protected org.apache.ws.security.WSSecurityEngine getSecurityEngine(boolean utNoCallbacks)

Overrides:

getSecurityEngine in class WSS4JInInterceptor

Returns:

the WSSecurityEngine in use by this interceptor. This engine is defined to be the secEngineOverride instance, if defined in this class (and supplied through construction); otherwise, it is taken to be the default WSSecEngine instance (currently defined in the WSHandler base class).