View Javadoc

1   /*
2    * Copyright 2005-2010 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.ws.soap.security.x509;
18  
19  import java.security.cert.X509Certificate;
20  
21  import org.springframework.beans.factory.InitializingBean;
22  import org.springframework.context.MessageSource;
23  import org.springframework.context.MessageSourceAware;
24  import org.springframework.context.support.MessageSourceAccessor;
25  import org.springframework.security.authentication.AuthenticationProvider;
26  import org.springframework.security.authentication.BadCredentialsException;
27  import org.springframework.security.core.Authentication;
28  import org.springframework.security.core.AuthenticationException;
29  import org.springframework.security.core.SpringSecurityMessageSource;
30  import org.springframework.security.core.userdetails.UserDetails;
31  import org.springframework.util.Assert;
32  import org.springframework.ws.soap.security.x509.cache.NullX509UserCache;
33  import org.springframework.ws.soap.security.x509.cache.X509UserCache;
34  
35  import org.apache.commons.logging.Log;
36  import org.apache.commons.logging.LogFactory;
37  
38  
39  /**
40   * Processes an X.509 authentication request.
41   * <p>Migrated from Spring Security 2 since it has been removed in Spring Security 3.</p> 
42   *
43   * @author Luke Taylor
44   * @version $Id: X509AuthenticationProvider.java 3256 2008-08-18 18:20:48Z luke_t $
45   */
46  public class X509AuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
47      //~ Static fields/initializers =====================================================================================
48  
49      private static final Log logger = LogFactory.getLog(X509AuthenticationProvider.class);
50  
51      //~ Instance fields ================================================================================================
52  
53      protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
54      private X509AuthoritiesPopulator x509AuthoritiesPopulator;
55      private X509UserCache userCache = new NullX509UserCache();
56  
57      //~ Methods ========================================================================================================
58  
59      public void afterPropertiesSet() throws Exception {
60          Assert.notNull(userCache, "An x509UserCache must be set");
61          Assert.notNull(x509AuthoritiesPopulator, "An X509AuthoritiesPopulator must be set");
62          Assert.notNull(this.messages, "A message source must be set");
63      }
64  
65      /**
66       * If the supplied authentication token contains a certificate then this will be passed to the configured
67       * [email protected] X509AuthoritiesPopulator} to obtain the user details and authorities for the user identified by the
68       * certificate.<p>If no certificate is present (for example, if the filter is applied to an HttpRequest for
69       * which client authentication hasn't been configured in the container) then a BadCredentialsException will be
70       * raised.</p>
71       *
72       * @param authentication the authentication request.
73       *
74       * @return an X509AuthenticationToken containing the authorities of the principal represented by the certificate.
75       *
76       * @throws AuthenticationException if the [email protected] X509AuthoritiesPopulator} rejects the certficate.
77       * @throws BadCredentialsException if no certificate was presented in the authentication request.
78       */
79      public Authentication authenticate(Authentication authentication)
80          throws AuthenticationException {
81          if (!supports(authentication.getClass())) {
82              return null;
83          }
84  
85          if (logger.isDebugEnabled()) {
86              logger.debug("X509 authentication request: " + authentication);
87          }
88  
89          X509Certificate clientCertificate = (X509Certificate) authentication.getCredentials();
90  
91          if (clientCertificate == null) {
92              throw new BadCredentialsException(messages.getMessage("X509AuthenticationProvider.certificateNull",
93                      "Certificate is null"));
94          }
95  
96          UserDetails user = userCache.getUserFromCache(clientCertificate);
97  
98          if (user == null) {
99              if (logger.isDebugEnabled()) {
100                 logger.debug("Authenticating with certificate " + clientCertificate);
101             }
102             user = x509AuthoritiesPopulator.getUserDetails(clientCertificate);
103             userCache.putUserInCache(clientCertificate, user);
104         }
105 
106         X509AuthenticationToken result = new X509AuthenticationToken(user, clientCertificate, user.getAuthorities());
107 
108         result.setDetails(authentication.getDetails());
109 
110         return result;
111     }
112 
113     public void setMessageSource(MessageSource messageSource) {
114         this.messages = new MessageSourceAccessor(messageSource);
115     }
116 
117     public void setX509AuthoritiesPopulator(X509AuthoritiesPopulator x509AuthoritiesPopulator) {
118         this.x509AuthoritiesPopulator = x509AuthoritiesPopulator;
119     }
120 
121     public void setX509UserCache(X509UserCache cache) {
122         this.userCache = cache;
123     }
124 
125     public boolean supports(Class authentication) {
126         return X509AuthenticationToken.class.isAssignableFrom(authentication);
127     }
128 }