org.apache.cxf.ws.security.wss4j

Class WSS4JInInterceptor

java.lang.Object

org.apache.wss4j.dom.handler.WSHandler

org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor

org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

All Implemented Interfaces:

org.apache.cxf.binding.soap.interceptor.SoapInterceptor, org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>, org.apache.cxf.phase.PhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

Direct Known Subclasses:

AbstractUsernameTokenAuthenticatingInterceptor, PolicyBasedWSS4JInInterceptor

public class WSS4JInInterceptor
extends AbstractWSS4JInterceptor

Performs WS-Security inbound actions.

Field Summary

Fields

Modifier and Type	Field and Description
static String	PROCESSOR_MAP
static String	SAML_ROLE_ATTRIBUTENAME_DEFAULT This configuration tag specifies the default attribute name where the roles are present The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
static String	SECURITY_PROCESSED
static String	VALIDATOR_MAP

Fields inherited from class org.apache.wss4j.dom.handler.WSHandler

cryptos

Constructor Summary

Constructors

Constructor and Description
WSS4JInInterceptor()
WSS4JInInterceptor(boolean ignore)
WSS4JInInterceptor(Map<String,Object> properties)

Method Summary

Modifier and Type	Method and Description
protected void	advanceBody(org.apache.cxf.binding.soap.SoapMessage msg, Node body)
protected void	checkActions(org.apache.cxf.binding.soap.SoapMessage msg, List<org.apache.wss4j.dom.engine.WSSecurityEngineResult> wsResult, List<Integer> actions)
protected void	computeAction(org.apache.cxf.binding.soap.SoapMessage msg, org.apache.wss4j.dom.handler.RequestData reqData) Do whatever is necessary to determine the action for the incoming message and do whatever other setup work is necessary.
protected void	configureReplayCaches(org.apache.wss4j.dom.handler.RequestData reqData, List<Integer> actions, org.apache.cxf.binding.soap.SoapMessage msg)
protected void	doResults(org.apache.cxf.binding.soap.SoapMessage msg, String actor, Element soapHeader, Element soapBody, org.apache.wss4j.dom.handler.WSHandlerResult wsResult, boolean utWithCallbacks)
protected CallbackHandler	getCallback(org.apache.wss4j.dom.handler.RequestData reqData)
protected CallbackHandler	getCallback(org.apache.wss4j.dom.handler.RequestData reqData, boolean utWithCallbacks)
Object	getProperty(Object msgContext, String key)
protected org.apache.wss4j.common.cache.ReplayCache	getReplayCache(org.apache.cxf.binding.soap.SoapMessage message, String booleanKey, String instanceKey) Get a ReplayCache instance.
protected org.apache.wss4j.dom.engine.WSSecurityEngine	getSecurityEngine(boolean utWithCallbacks)
void	handleMessage(org.apache.cxf.binding.soap.SoapMessage msg)
boolean	isGET(org.apache.cxf.binding.soap.SoapMessage message)
protected boolean	isNonceCacheRequired(List<Integer> actions, org.apache.cxf.binding.soap.SoapMessage msg) Is a Nonce Cache required, i.e.
protected boolean	isSamlCacheRequired(List<Integer> actions, org.apache.cxf.binding.soap.SoapMessage msg) Is a SAML Cache required, i.e.
protected boolean	isTimestampCacheRequired(List<Integer> actions, org.apache.cxf.binding.soap.SoapMessage msg) Is a Timestamp cache required, i.e.
protected void	setAlgorithmSuites(org.apache.cxf.binding.soap.SoapMessage message, org.apache.wss4j.dom.handler.RequestData data) Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the algorithms that are allowed for encryption, signature, etc.
void	setIgnoreActions(boolean i) Setting this value to true means that WSS4J does not compare the "actions" that were processed against the list of actions that were configured.

Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor

getAdditionalInterceptors, getAfter, getBefore, getId, getOption, getPassword, getPhase, getProperties, getRoles, getUnderstoodHeaders, handleFault, isRequestor, loadCryptoFromPropertiesFile, postHandleMessage, setId, setPassword, setPhase, setProperties, setProperty, setProperty, translateProperties

Methods inherited from class org.apache.wss4j.dom.handler.WSHandler

checkReceiverResults, checkReceiverResultsAnyOrder, checkSignatureConfirmation, decodeAlgorithmSuite, decodeBooleanConfigValue, decodeDecryptionParameter, decodeEncryptionParameter, decodeFutureTimeToLive, decodePasswordType, decodeSignatureParameter, decodeSignatureParameter2, decodeTimeToLive, decodeUTParameter, doReceiverAction, doSenderAction, getCallbackHandler, getClassLoader, getPasswordCallbackHandler, getPasswordCB, getPasswordEncryptor, getString, getStringOption, loadCrypto, loadDecryptionCrypto, loadEncryptionCrypto, loadSignatureCrypto, loadSignatureVerificationCrypto

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SAML_ROLE_ATTRIBUTENAME_DEFAULT

public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT

This configuration tag specifies the default attribute name where the roles are present The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".

See Also:

Constant Field Values

PROCESSOR_MAP

public static final String PROCESSOR_MAP

See Also:

Constant Field Values

VALIDATOR_MAP

public static final String VALIDATOR_MAP

See Also:

Constant Field Values

SECURITY_PROCESSED

public static final String SECURITY_PROCESSED

Constructor Detail

WSS4JInInterceptor

public WSS4JInInterceptor()

WSS4JInInterceptor

public WSS4JInInterceptor(boolean ignore)

WSS4JInInterceptor

public WSS4JInInterceptor(Map<String,Object> properties)

Method Detail

setIgnoreActions

public void setIgnoreActions(boolean i)

Setting this value to true means that WSS4J does not compare the "actions" that were processed against the list of actions that were configured. It also means that CXF/WSS4J does not throw an error if no actions were specified. Setting this to true could be a potential security risk, as there is then no guarantee that the message contains the desired security token.

getProperty

public Object getProperty(Object msgContext,
                          String key)

Overrides:

getProperty in class AbstractWSS4JInterceptor

isGET

public final boolean isGET(org.apache.cxf.binding.soap.SoapMessage message)

handleMessage

public void handleMessage(org.apache.cxf.binding.soap.SoapMessage msg)
                   throws org.apache.cxf.interceptor.Fault

Throws:

org.apache.cxf.interceptor.Fault

checkActions

protected void checkActions(org.apache.cxf.binding.soap.SoapMessage msg,
                            List<org.apache.wss4j.dom.engine.WSSecurityEngineResult> wsResult,
                            List<Integer> actions)
                     throws org.apache.wss4j.common.ext.WSSecurityException

Throws:

org.apache.wss4j.common.ext.WSSecurityException

computeAction

protected void computeAction(org.apache.cxf.binding.soap.SoapMessage msg,
                             org.apache.wss4j.dom.handler.RequestData reqData)
                      throws org.apache.wss4j.common.ext.WSSecurityException

Do whatever is necessary to determine the action for the incoming message and do whatever other setup work is necessary.

Parameters:

msg -

reqData -

Throws:

org.apache.wss4j.common.ext.WSSecurityException

configureReplayCaches

protected void configureReplayCaches(org.apache.wss4j.dom.handler.RequestData reqData,
                                     List<Integer> actions,
                                     org.apache.cxf.binding.soap.SoapMessage msg)
                              throws org.apache.wss4j.common.ext.WSSecurityException

Throws:

org.apache.wss4j.common.ext.WSSecurityException

isNonceCacheRequired

protected boolean isNonceCacheRequired(List<Integer> actions,
                                       org.apache.cxf.binding.soap.SoapMessage msg)

Is a Nonce Cache required, i.e. are we expecting a UsernameToken

isTimestampCacheRequired

protected boolean isTimestampCacheRequired(List<Integer> actions,
                                           org.apache.cxf.binding.soap.SoapMessage msg)

Is a Timestamp cache required, i.e. are we expecting a Timestamp

isSamlCacheRequired

protected boolean isSamlCacheRequired(List<Integer> actions,
                                      org.apache.cxf.binding.soap.SoapMessage msg)

Is a SAML Cache required, i.e. are we expecting a SAML Token

setAlgorithmSuites

protected void setAlgorithmSuites(org.apache.cxf.binding.soap.SoapMessage message,
                                  org.apache.wss4j.dom.handler.RequestData data)
                           throws org.apache.wss4j.common.ext.WSSecurityException

Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the algorithms that are allowed for encryption, signature, etc.

Throws:

org.apache.wss4j.common.ext.WSSecurityException

doResults

protected void doResults(org.apache.cxf.binding.soap.SoapMessage msg,
                         String actor,
                         Element soapHeader,
                         Element soapBody,
                         org.apache.wss4j.dom.handler.WSHandlerResult wsResult,
                         boolean utWithCallbacks)
                  throws SOAPException,
                         XMLStreamException,
                         org.apache.wss4j.common.ext.WSSecurityException

Throws:

SOAPException

XMLStreamException

org.apache.wss4j.common.ext.WSSecurityException

advanceBody

protected void advanceBody(org.apache.cxf.binding.soap.SoapMessage msg,
                           Node body)
                    throws SOAPException,
                           XMLStreamException,
                           org.apache.wss4j.common.ext.WSSecurityException

Throws:

SOAPException

XMLStreamException

org.apache.wss4j.common.ext.WSSecurityException

getCallback

protected CallbackHandler getCallback(org.apache.wss4j.dom.handler.RequestData reqData,
                                      boolean utWithCallbacks)
                               throws org.apache.wss4j.common.ext.WSSecurityException

Throws:

org.apache.wss4j.common.ext.WSSecurityException

getCallback

protected CallbackHandler getCallback(org.apache.wss4j.dom.handler.RequestData reqData)
                               throws org.apache.wss4j.common.ext.WSSecurityException,
                                      TokenStoreException

Throws:

org.apache.wss4j.common.ext.WSSecurityException

TokenStoreException

getSecurityEngine

protected org.apache.wss4j.dom.engine.WSSecurityEngine getSecurityEngine(boolean utWithCallbacks)

Returns:

the WSSecurityEngine in use by this interceptor.

getReplayCache

protected org.apache.wss4j.common.cache.ReplayCache getReplayCache(org.apache.cxf.binding.soap.SoapMessage message,
                                                                   String booleanKey,
                                                                   String instanceKey)
                                                            throws org.apache.wss4j.common.ext.WSSecurityException

Get a ReplayCache instance. It first checks to see whether caching has been explicitly enabled or disabled via the booleanKey argument. If it has been set to false then no replay caching is done (for this booleanKey). If it has not been specified, then caching is enabled only if we are not the initiator of the exchange. If it has been specified, then caching is enabled. It tries to get an instance of ReplayCache via the instanceKey argument from a contextual property, and failing that the message exchange. If it can't find any, then it defaults to using an EH-Cache instance and stores that on the message exchange.

Throws:

org.apache.wss4j.common.ext.WSSecurityException