org.apache.cxf.ws.security.wss4j
Class AbstractUsernameTokenAuthenticatingInterceptor
java.lang.Object
org.apache.ws.security.handler.WSHandler
org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor
- All Implemented Interfaces:
- SoapInterceptor, Interceptor<SoapMessage>, PhaseInterceptor<SoapMessage>, org.apache.ws.security.processor.Processor
public abstract class AbstractUsernameTokenAuthenticatingInterceptor
- extends WSS4JInInterceptor
- implements org.apache.ws.security.processor.Processor
Base class providing an extensibility point for populating a
javax.security.auth.Subject from the current UsernameToken.
WSS4J requires the password in order to validate digests, but the password may not be
available when an external security system performs the authentication. This class
implements the WSS4J Processor interface so that it can delegate UsernameToken
validation to such an external system.
In order to handle digests, this class currently creates a new WSS4J security engine for
every request. If only clear-text passwords are expected, the supportDigestPasswords boolean
property can be set to false to disable creating security engines.
Note that if a UsernameToken containing a clear-text password has been encrypted, the
application is expected to provide a password callback handler for decrypting the token only.
Fields inherited from class org.apache.ws.security.handler.WSHandler:
cryptos, DONE, secEngine
Method Summary
- protected SecurityContext createSecurityContext(Principal p)
- protected abstract Subject createSubject(String name, String password, boolean isDigest, String nonce, String created)
  Create a Subject representing the current user and its roles.
- protected SecurityContext doCreateSecurityContext(Principal p, Subject subject)
  Creates the default SecurityContext, which implements isUserInRole using the following approach: skip the first Subject principal, then check the optional Groups the principal is a member of.
- protected CallbackHandler getCallback(org.apache.ws.security.handler.RequestData reqData, int doAction)
- protected org.apache.ws.security.WSSecurityEngine getSecurityEngine()
- boolean getSupportDigestPasswords()
- void handleToken(Element elem, org.apache.ws.security.components.crypto.Crypto crypto, org.apache.ws.security.components.crypto.Crypto decCrypto, CallbackHandler cb, org.apache.ws.security.WSDocInfo wsDocInfo, Vector returnResults, org.apache.ws.security.WSSConfig config)
- protected void setSubject(String name, String password, boolean isDigest, String nonce, String created)
- void setSupportDigestPasswords(boolean support)
Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor:
decodeEnableSignatureConfirmation, getAfter, getBefore, getId, getOption, getPassword, getPhase, getProperties, getRoles, getUnderstoodHeaders, handleFault, isRequestor, loadCryptoFromPropertiesFile, loadDecryptionCrypto, loadEncryptionCrypto, loadSignatureCrypto, postHandleMessage, setAfter, setBefore, setId, setPassword, setPhase, setProperties, setProperty, setProperty
Methods inherited from class org.apache.ws.security.handler.WSHandler:
checkReceiverResults, checkReceiverResultsAnyOrder, checkSignatureConfirmation, decodeCustomPasswordTypes, decodeDecryptionParameter, decodeEncryptionParameter, decodeMustUnderstand, decodeNamespaceQualifiedPasswordTypes, decodeSignatureParameter, decodeSignatureParameter2, decodeTimestampPrecision, decodeTimestampStrict, decodeTimeToLive, decodeUseEncodedPasswords, decodeUseSingleCertificate, decodeUTParameter, doReceiverAction, doSenderAction, getClassLoader, getPassword, getPasswordCB, getString, getStringOption, verifyTimestamp, verifyTrust, verifyTrust
Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.ws.security.processor.Processor:
getId
AbstractUsernameTokenAuthenticatingInterceptor
public AbstractUsernameTokenAuthenticatingInterceptor()
AbstractUsernameTokenAuthenticatingInterceptor
public AbstractUsernameTokenAuthenticatingInterceptor(Map<String,Object> properties)
setSupportDigestPasswords
public void setSupportDigestPasswords(boolean support)
getSupportDigestPasswords
public boolean getSupportDigestPasswords()
createSecurityContext
protected SecurityContext createSecurityContext(Principal p)
- Overrides:
createSecurityContext in class WSS4JInInterceptor
doCreateSecurityContext
protected SecurityContext doCreateSecurityContext(Principal p,
Subject subject)
- Creates the default SecurityContext, which implements isUserInRole using the
following approach: skip the first Subject principal, then check the optional
Groups the principal is a member of. Subclasses can override this method to implement
a custom strategy instead.
- Parameters:
p - principal
subject - subject
- Returns:
- security context
setSubject
protected void setSubject(String name,
String password,
boolean isDigest,
String nonce,
String created)
throws org.apache.ws.security.WSSecurityException
- Throws:
org.apache.ws.security.WSSecurityException
createSubject
protected abstract Subject createSubject(String name,
String password,
boolean isDigest,
String nonce,
String created)
throws SecurityException
- Create a Subject representing the current user and its roles.
This Subject is expected to contain at least one Principal representing the user,
optionally followed by one or more principal Groups this user is a member of.
It will also be available in doCreateSecurityContext.
- Parameters:
name - username
password - password
isDigest - true if a password digest is used
nonce - optional nonce
created - optional timestamp
- Returns:
- subject
- Throws:
SecurityException
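As an added example (not CXF's own code), the hypothetical subclass below implements the createSubject extension point described in the class overview and in the method detail above: it verifies either a clear-text password or a WS-Security PasswordDigest against a constructed in-memory user, and returns the Subject in the shape doCreateSecurityContext expects (user principal first, then a Group of roles). It assumes Java 8 or later with java.security.acl.Group still present (it was removed in Java 14), and that the nonce argument is the Base64 text from the token, as WSS4J passes it.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;
// Hypothetical subclass; "alice" and her roles are constructed sample data, not a real user store.
public class SampleUsernameTokenInterceptor extends AbstractUsernameTokenAuthenticatingInterceptor {
    private static final String USER = "alice", PASSWORD = "s3cret";
    private static final List<String> USER_ROLES = Arrays.asList("users", "admins");
    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        boolean ok = USER.equals(name)
            && (isDigest ? verifyDigest(PASSWORD, password, nonce, created) : PASSWORD.equals(password));
        if (!ok) throw new SecurityException("UsernameToken authentication failed"); // same message for every failure
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal(name)); // user principal first, as the base class expects
        RoleGroup roles = new RoleGroup();                      // then the optional Group that isUserInRole consults
        for (String r : USER_ROLES) roles.addMember(new NamedPrincipal(r));
        subject.getPrincipals().add(roles);
        return subject;
    }
    // WS-Security UsernameToken PasswordDigest = Base64(SHA-1(Base64Decode(nonce) + created + password)).
    static boolean verifyDigest(String realPassword, String digest, String nonce, String created) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            if (nonce != null) sha1.update(Base64.getDecoder().decode(nonce));
            if (created != null) sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(realPassword.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(sha1.digest(), Base64.getDecoder().decode(digest)); // constant-time compare
        } catch (IllegalArgumentException | NullPointerException | NoSuchAlgorithmException e) {
            return false; // missing or malformed Base64, or no SHA-1 provider
        }
    }
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // java.security.acl.Group is assumed here (present in Java 8-13, removed in Java 14).
    static final class RoleGroup implements Group {
        private final Set<Principal> members = new HashSet<>();
        public String getName() { return "Roles"; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.removeIf(m -> m.getName().equals(p.getName())); }
        public boolean isMember(Principal p) { return members.stream().anyMatch(m -> m.getName().equals(p.getName())); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }
}
```

With supportDigestPasswords left at its default, both password types reach createSubject; setting it to false skips the per-request security engine and only the clear-text branch is exercised.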
getCallback
protected CallbackHandler getCallback(org.apache.ws.security.handler.RequestData reqData,
int doAction)
throws org.apache.ws.security.WSSecurityException
- Overrides:
getCallback in class WSS4JInInterceptor
- Throws:
org.apache.ws.security.WSSecurityException
getSecurityEngine
protected org.apache.ws.security.WSSecurityEngine getSecurityEngine()
- Overrides:
getSecurityEngine in class WSS4JInInterceptor
- Returns:
- the WSSecurityEngine in use by this interceptor.
This engine is defined to be the secEngineOverride
instance, if defined in this class (and supplied through
construction); otherwise, it is taken to be the default
WSSecEngine instance (currently defined in the WSHandler
base class).
TODO the WSHandler base class defines secEngine to be static, which
is really bad, because the engine has mutable state on it.
handleToken
public void handleToken(Element elem,
org.apache.ws.security.components.crypto.Crypto crypto,
org.apache.ws.security.components.crypto.Crypto decCrypto,
CallbackHandler cb,
org.apache.ws.security.WSDocInfo wsDocInfo,
Vector returnResults,
org.apache.ws.security.WSSConfig config)
throws org.apache.ws.security.WSSecurityException
- Specified by:
handleToken in interface org.apache.ws.security.processor.Processor
- Throws:
org.apache.ws.security.WSSecurityException