public class Wss4jSecurityInterceptor extends AbstractWsSecurityInterceptor implements org.springframework.beans.factory.InitializingBean
AxiomSoapMessageFactory and the SaajSoapMessageFactory.
The validation and securement actions executed by this interceptor are configured via the validationActions and securementActions properties, respectively. Actions should be passed as a space-separated string.
Valid validation actions are:
Validation action | Description |
---|---|
UsernameToken | Validates username token |
Timestamp | Validates the timestamp |
Encrypt | Decrypts the message |
Signature | Validates the signature |
NoSecurity | No action performed |
Securement actions are:
Securement action | Description |
---|---|
UsernameToken | Adds a username token |
UsernameTokenSignature | Adds a username token and a signature username token secret key |
Timestamp | Adds a timestamp |
Encrypt | Encrypts the response |
Signature | Signs the response |
NoSecurity | No action performed |
The order of the actions that the client performed to secure the messages is significant and is enforced by the interceptor.
Modifier and Type | Field and Description |
---|---|
static String | SECUREMENT_USER_PROPERTY_NAME |
logger, WS_SECURITY_NAME
Constructor and Description |
---|
Wss4jSecurityInterceptor() |
Modifier and Type | Method and Description |
---|---|
void | afterPropertiesSet() |
protected void | checkResults(List<org.apache.ws.security.WSSecurityEngineResult> results, List<Integer> validationActions): Checks whether the received headers match the configured validation actions. |
protected void | cleanUp() |
boolean | getRemoveSecurityHeader() |
protected org.apache.ws.security.handler.RequestData | initializeRequestData(MessageContext messageContext): Creates and initializes a request data for the given message context. |
protected void | secureMessage(SoapMessage soapMessage, MessageContext messageContext): Abstract template method. |
void | setBspCompliant(boolean bspCompliant): Set the WS-I Basic Security Profile compliance mode. |
void | setEnableRevocation(boolean enableRevocation): Set whether to enable CRL checking or not when verifying trust in a certificate. |
void | setEnableSignatureConfirmation(boolean enableSignatureConfirmation): Whether to enable signatureConfirmation or not. |
void | setFutureTimeToLive(int futureTimeToLive): Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid. |
void | setRemoveSecurityHeader(boolean removeSecurityHeader) |
void | setSamlIssuer(org.apache.ws.security.saml.SAMLIssuer samlIssuer): Sets the SAML issuer. |
void | setSamlProperties(String location): Sets the location of the SAML properties file. |
void | setSecurementActions(String securementActions) |
void | setSecurementActor(String securementActor): The actor name of the wsse:Security header. |
void | setSecurementEncryptionCrypto(org.apache.ws.security.components.crypto.Crypto securementEncryptionCrypto) |
void | setSecurementEncryptionEmbeddedKeyName(String securementEncryptionEmbeddedKeyName): Sets the key name that needs to be sent for encryption. |
void | setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier): Defines which key identifier type to use. |
void | setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm): Defines which algorithm to use to encrypt the generated symmetric key. |
void | setSecurementEncryptionParts(String securementEncryptionParts): Property to define which parts of the request shall be encrypted. |
void | setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm): Defines which symmetric encryption algorithm to use. |
void | setSecurementEncryptionUser(String securementEncryptionUser): The user's name for encryption. |
void | setSecurementMustUnderstand(boolean securementMustUnderstand): Enables the mustUnderstand attribute on WS-Security headers on outgoing messages. |
void | setSecurementPassword(String securementPassword) |
void | setSecurementPasswordType(String securementUsernameTokenPasswordType): Specific parameter for UsernameToken action to define the encoding of the password. |
void | setSecurementSignatureAlgorithm(String securementSignatureAlgorithm): Defines which signature algorithm to use. |
void | setSecurementSignatureCrypto(org.apache.ws.security.components.crypto.Crypto securementSignatureCrypto) |
void | setSecurementSignatureDigestAlgorithm(String digestAlgorithm): Defines which signature digest algorithm to use. |
void | setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier): Defines which key identifier type to use. |
void | setSecurementSignatureParts(String securementSignatureParts): Property to define which parts of the request shall be signed. |
void | setSecurementSignatureUser(String securementSignatureUser): The user's name for signature. |
void | setSecurementTimeToLive(int securementTimeToLive): Sets the time to live on the outgoing message. |
void | setSecurementUseDerivedKey(boolean securementUseDerivedKey): Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec. |
void | setSecurementUsername(String securementUsername): Sets the username for the securement username token and/or the alias of the private key for the securement signature. |
void | setSecurementUsernameTokenElements(String securementUsernameTokenElements): Sets the additional elements in UsernameTokens. |
void | setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds): Sets if the generated timestamp header's precision is in milliseconds. |
void | setTimestampStrict(boolean timestampStrict): Sets whether or not timestamp verification is done with the server-side time to live. |
void | setValidationActions(String actions): Sets the validation actions to be executed by the interceptor. |
void | setValidationActor(String validationActor) |
void | setValidationCallbackHandler(CallbackHandler callbackHandler): Sets the WSPasswordCallback handler to use when validating messages. |
void | setValidationCallbackHandlers(CallbackHandler[] callbackHandler): Sets the WSPasswordCallback handlers to use when validating messages. |
void | setValidationDecryptionCrypto(org.apache.ws.security.components.crypto.Crypto decryptionCrypto): Sets the Crypto to use to decrypt incoming messages. |
void | setValidationSignatureCrypto(org.apache.ws.security.components.crypto.Crypto signatureCrypto): Sets the Crypto to use to verify the signature of incoming messages. |
void | setValidationTimeToLive(int validationTimeToLive): Sets the server-side time to live. |
void | setWssConfig(org.apache.ws.security.WSSConfig config): Sets the web service specification settings. |
protected void | validateMessage(SoapMessage soapMessage, MessageContext messageContext): Abstract template method. |
protected void | verifyCertificateTrust(List<org.apache.ws.security.WSSecurityEngineResult> results): Verifies the trust of a certificate. |
protected void | verifyTimestamp(List<org.apache.ws.security.WSSecurityEngineResult> results): Verifies the timestamp. |
afterCompletion, afterCompletion, handleFault, handleFault, handleFaultException, handleRequest, handleRequest, handleResponse, handleResponse, handleSecurementException, handleValidationException, setExceptionResolver, setSecureRequest, setSecureResponse, setSkipValidationIfNoHeaderPresent, setValidateRequest, setValidateResponse, understands
public static final String SECUREMENT_USER_PROPERTY_NAME

public void setSecurementActions(String securementActions)

public void setSecurementActor(String securementActor)
The actor name of the wsse:Security header.
If this parameter is omitted, the actor name is not set.
The value of the actor or role has to match the receiver's setting or may contain standard values.

public void setSecurementEncryptionCrypto(org.apache.ws.security.components.crypto.Crypto securementEncryptionCrypto)

public void setSecurementEncryptionEmbeddedKeyName(String securementEncryptionEmbeddedKeyName)

public void setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier)
IssuerSerial. For possible encryption key identifier types refer to WSHandlerConstants.keyIdentifier. For encryption, only IssuerSerial, X509KeyIdentifier, DirectReference, Thumbprint, SKIKeyIdentifier, and EmbeddedKeyName are valid.

public void setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm)
WSConstants.KEYTRANSPORT_RSA15 and WSConstants.KEYTRANSPORT_RSAOEP.

public void setSecurementEncryptionParts(String securementEncryptionParts)
The value of this property is a list of semicolon-separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may precede each element name.
The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list:
<property name="securementEncryptionParts" value="{Content}{http://example.org/paymentv2}CreditCard; {Element}{}UserName" />
The first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.
The encryption modifier and the namespace identifier can be omitted. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.
An empty encryption mode defaults to Content, an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as encryption mode for a UserName element in the SOAP namespace.
To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string).
If no list is specified, the handler encrypts the SOAP Body in Content mode by default.

public void setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm)
WSConstants.TRIPLE_DES, WSConstants.AES_128, WSConstants.AES_256, and WSConstants.AES_192. Except for AES 192 all of these algorithms are required by the XML Encryption specification.

public void setSecurementEncryptionUser(String securementEncryptionUser)
The encryption function uses the public key of this user's certificate to encrypt the generated symmetric key.
If this parameter is not set, then the encryption function falls back to the WSHandlerConstants.USER parameter to get the certificate.
If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username. The application can then use the standard user and password functions (see example at WSHandlerConstants.USER) to enable HTTP authentication functions.
Encryption only does not authenticate a user / sender, therefore it does not need a password.
Placing the username of the encryption certificate in the configuration file is not a security risk, because only the public key of that certificate is used.

public void setSecurementPassword(String securementPassword)

public void setSecurementPasswordType(String securementUsernameTokenPasswordType)
The parameter can be set to either WSConstants.PW_DIGEST or to WSConstants.PW_TEXT.
The default setting is PW_DIGEST.

public void setSecurementSignatureAlgorithm(String securementSignatureAlgorithm)
WSConstants.RSA, WSConstants.DSA

public void setSecurementSignatureDigestAlgorithm(String digestAlgorithm)

public void setSecurementSignatureCrypto(org.apache.ws.security.components.crypto.Crypto securementSignatureCrypto)

public void setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier)
IssuerSerial. For possible signature key identifier types refer to WSHandlerConstants.keyIdentifier. For signature, only IssuerSerial and DirectReference are valid.

public void setSecurementSignatureParts(String securementSignatureParts)
Refer to setSecurementEncryptionParts(String) for a detailed description of the format of the value string.
If this property is not specified the handler signs the SOAP Body by default.
The WS Security specifications define several formats to transfer the signature tokens (certificates) or references to these tokens. Thus, the plain element name Token signs the token and takes care of the different formats.
To sign the SOAP body and the signature token the value of this parameter must contain:
<property name="securementSignatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string).
If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).
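
The part-list format described for setSecurementEncryptionParts(String) and reused by setSecurementSignatureParts(String), resolved entry by entry so a value can be checked before deployment. This is an added example, not code from Spring-WS or WSS4J; the class PartsSpecCheck, the Part record, the LegacyId element and the strict rejection of malformed or wrong-case entries are assumptions of the example (Java 16 or later).

```java
import java.util.ArrayList;
import java.util.List;

public class PartsSpecCheck {
    // SOAP 1.1 envelope namespace, taken from the signature example on this page.
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    // One resolved entry; a null namespace means "element without a namespace".
    record Part(String mode, String namespace, String name) {}

    static List<Part> parse(String spec) {
        List<Part> parts = new ArrayList<>();
        for (String raw : spec.split(";")) {
            String rest = raw.trim();
            if (rest.isEmpty()) continue; // tolerate a trailing ';'
            List<String> fields = new ArrayList<>();
            while (rest.startsWith("{")) { // collect the leading {...} fields
                int close = rest.indexOf('}');
                if (close < 0) throw new IllegalArgumentException("unclosed '{' in: " + raw);
                fields.add(rest.substring(1, close));
                rest = rest.substring(close + 1).trim();
            }
            // Assumption of this example: both bracketed fields are given, or neither.
            if ((!fields.isEmpty() && fields.size() != 2) || rest.isEmpty())
                throw new IllegalArgumentException("malformed entry: " + raw);
            String mode = fields.isEmpty() || fields.get(0).isEmpty() ? "Content" : fields.get(0);
            String ns = fields.isEmpty() || fields.get(1).isEmpty() ? SOAP_NS : fields.get(1);
            // Mode names are case sensitive: "{content}" is a mistake, not a default.
            if (!mode.equals("Content") && !mode.equals("Element"))
                throw new IllegalArgumentException("unknown mode '" + mode + "' in: " + raw);
            parts.add(new Part(mode, ns.equals("Null") ? null : ns, rest));
        }
        return parts;
    }

    public static void main(String[] args) {
        String[] specs = {
            // The two property values shown on this page ("Token" is the special name described above).
            "{Content}{http://example.org/paymentv2}CreditCard; {Element}{}UserName",
            "{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token",
            // Constructed inputs: an element without a namespace, and a wrong-case mode.
            "{Element}{Null}LegacyId",
            "{content}{http://example.org/paymentv2}CreditCard"
        };
        for (String spec : specs) {
            try { parse(spec).forEach(System.out::println); }
            catch (IllegalArgumentException e) { System.out.println("REJECTED: " + e.getMessage()); }
        }
    }
}
```

Printing the resolved mode and namespace for each entry makes it visible when an omitted or empty namespace has fallen back to the SOAP namespace, in which case an application element such as CreditCard would not be the element selected.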

public void setSecurementSignatureUser(String securementSignatureUser)
This name is used as the alias name in the keystore to get the user's certificate and private key to perform signing.
If this parameter is not set, then the signature function falls back to the alias specified by setSecurementUsername(String).

public void setSecurementUsername(String securementUsername)

public void setSecurementTimeToLive(int securementTimeToLive)

public void setSecurementUseDerivedKey(boolean securementUseDerivedKey)
true.

public void setValidationTimeToLive(int validationTimeToLive)

public void setValidationActions(String actions)

public void setValidationActor(String validationActor)

public void setValidationCallbackHandler(CallbackHandler callbackHandler)
Sets the WSPasswordCallback handler to use when validating messages.

public void setValidationCallbackHandlers(CallbackHandler[] callbackHandler)
Sets the WSPasswordCallback handlers to use when validating messages.

public void setValidationDecryptionCrypto(org.apache.ws.security.components.crypto.Crypto decryptionCrypto)

public void setValidationSignatureCrypto(org.apache.ws.security.components.crypto.Crypto signatureCrypto)

public void setEnableSignatureConfirmation(boolean enableSignatureConfirmation)

public void setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds)

public void setTimestampStrict(boolean timestampStrict)

public void setSecurementMustUnderstand(boolean securementMustUnderstand)
Enables the mustUnderstand attribute on WS-Security headers on outgoing messages. Default is true.

public void setSecurementUsernameTokenElements(String securementUsernameTokenElements)
Sets the additional elements in UsernameTokens.
The value of this parameter is a list of element names that are added to the UsernameToken. The names in the list are separated by spaces.
The list may contain the names Nonce and Created only (case sensitive). Use this option if the password type is passwordText and the handler shall add the Nonce and/or Created elements.

public void setWssConfig(org.apache.ws.security.WSSConfig config)
The default settings follow the latest OASIS, and changing anything might violate the OASIS specs.
config - web service security configuration or null to use default settings

public void setEnableRevocation(boolean enableRevocation)

public void setBspCompliant(boolean bspCompliant)
true.

public void setSamlProperties(String location)

public void setFutureTimeToLive(int futureTimeToLive)

public void setSamlIssuer(org.apache.ws.security.saml.SAMLIssuer samlIssuer)

public boolean getRemoveSecurityHeader()

public void setRemoveSecurityHeader(boolean removeSecurityHeader)

public void afterPropertiesSet() throws Exception
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Exception

protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException
AbstractWsSecurityInterceptor
SoapMessage, and replace the original response with the secured version.
secureMessage in class AbstractWsSecurityInterceptor
soapMessage - the soap message to secure
WsSecuritySecurementException - in case of securement errors

protected org.apache.ws.security.handler.RequestData initializeRequestData(MessageContext messageContext)
messageContext - the message context

protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecurityValidationException
AbstractWsSecurityInterceptor
SoapMessage, and replace the original request with the validated version.
validateMessage in class AbstractWsSecurityInterceptor
soapMessage - the soap message to validate
WsSecurityValidationException - in case of validation errors

protected void checkResults(List<org.apache.ws.security.WSSecurityEngineResult> results, List<Integer> validationActions) throws Wss4jSecurityValidationException
results - the results of the validation function
validationActions - the decoded validation actions
Wss4jSecurityValidationException - if the results are deemed invalid

protected void verifyCertificateTrust(List<org.apache.ws.security.WSSecurityEngineResult> results) throws org.apache.ws.security.WSSecurityException
org.apache.ws.security.WSSecurityException

protected void verifyTimestamp(List<org.apache.ws.security.WSSecurityEngineResult> results) throws org.apache.ws.security.WSSecurityException
org.apache.ws.security.WSSecurityException

protected void cleanUp()
cleanUp in class AbstractWsSecurityInterceptor