org.springframework.ws.soap.security.wss4j

Class Wss4jSecurityInterceptor

java.lang.Object

org.springframework.ws.soap.security.AbstractWsSecurityInterceptor

org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, ClientInterceptor, EndpointInterceptor, SoapEndpointInterceptor

Deprecated.

Transition to Wss4jSecurityInterceptor

@Deprecated
public class Wss4jSecurityInterceptor
extends AbstractWsSecurityInterceptor
implements org.springframework.beans.factory.InitializingBean

A WS-Security endpoint interceptor based on Apache's WSS4J. This interceptor supports messages created by the AxiomSoapMessageFactory and the SaajSoapMessageFactory.

The validation and securement actions executed by this interceptor are configured via validationActions and securementActions properties, respectively. Actions should be passed as a space-separated strings.

Valid validation actions are:

Validation action	Description
UsernameToken	Validates username token
Timestamp	Validates the timestamp
Encrypt	Decrypts the message
Signature	Validates the signature
NoSecurity	No action performed

Securement actions are:

Securement action	Description
UsernameToken	Adds a username token
UsernameTokenSignature	Adds a username token and a signature username token secret key
Timestamp	Adds a timestamp
Encrypt	Encrypts the response
Signature	Signs the response
NoSecurity	No action performed

The order of the actions that the client performed to secure the messages is significant and is enforced by the interceptor.

Since:

1.5.0

Author:

Tareq Abed Rabbo, Arjen Poutsma, Greg Turnquist

See Also:

Apache WSS4J

Field Summary

Fields

Modifier and Type	Field and Description
static String	SECUREMENT_USER_PROPERTY_NAME Deprecated.

Fields inherited from class org.springframework.ws.soap.security.AbstractWsSecurityInterceptor

logger, WS_SECURITY_NAME

Constructor Summary

Constructors

Constructor and Description
Wss4jSecurityInterceptor() Deprecated.

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet() Deprecated.
protected void	checkResults(List<org.apache.ws.security.WSSecurityEngineResult> results, List<Integer> validationActions) Deprecated. Checks whether the received headers match the configured validation actions.
protected void	cleanUp() Deprecated.
boolean	getRemoveSecurityHeader() Deprecated.
protected org.apache.ws.security.handler.RequestData	initializeRequestData(MessageContext messageContext) Deprecated. Creates and initializes a request data for the given message context.
protected void	secureMessage(SoapMessage soapMessage, MessageContext messageContext) Deprecated. Abstract template method.
void	setBspCompliant(boolean bspCompliant) Deprecated. Set the WS-I Basic Security Profile compliance mode.
void	setEnableRevocation(boolean enableRevocation) Deprecated. Set whether to enable CRL checking or not when verifying trust in a certificate.
void	setEnableSignatureConfirmation(boolean enableSignatureConfirmation) Deprecated. Whether to enable signatureConfirmation or not.
void	setFutureTimeToLive(int futureTimeToLive) Deprecated. Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid.
void	setRemoveSecurityHeader(boolean removeSecurityHeader) Deprecated.
void	setSamlIssuer(org.apache.ws.security.saml.SAMLIssuer samlIssuer) Deprecated. Sets the SAML issuer.
void	setSamlProperties(String location) Deprecated. Sets the location of the SAML properties file.
void	setSecurementActions(String securementActions) Deprecated.
void	setSecurementActor(String securementActor) Deprecated. The actor name of the wsse:Security header.
void	setSecurementEncryptionCrypto(org.apache.ws.security.components.crypto.Crypto securementEncryptionCrypto) Deprecated.
void	setSecurementEncryptionEmbeddedKeyName(String securementEncryptionEmbeddedKeyName) Deprecated. Sets the key name that needs to be sent for encryption.
void	setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier) Deprecated. Defines which key identifier type to use.
void	setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm) Deprecated. Defines which algorithm to use to encrypt the generated symmetric key.
void	setSecurementEncryptionParts(String securementEncryptionParts) Deprecated. Property to define which parts of the request shall be encrypted.
void	setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm) Deprecated. Defines which symmetric encryption algorithm to use.
void	setSecurementEncryptionUser(String securementEncryptionUser) Deprecated. The user's name for encryption.
void	setSecurementMustUnderstand(boolean securementMustUnderstand) Deprecated. Enables the mustUnderstand attribute on WS-Security headers on outgoing messages.
void	setSecurementPassword(String securementPassword) Deprecated.
void	setSecurementPasswordType(String securementUsernameTokenPasswordType) Deprecated. Specific parameter for UsernameToken action to define the encoding of the passowrd.
void	setSecurementSignatureAlgorithm(String securementSignatureAlgorithm) Deprecated. Defines which signature algorithm to use.
void	setSecurementSignatureCrypto(org.apache.ws.security.components.crypto.Crypto securementSignatureCrypto) Deprecated.
void	setSecurementSignatureDigestAlgorithm(String digestAlgorithm) Deprecated. Defines which signature digest algorithm to use.
void	setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier) Deprecated. Defines which key identifier type to use.
void	setSecurementSignatureParts(String securementSignatureParts) Deprecated. Property to define which parts of the request shall be signed.
void	setSecurementSignatureUser(String securementSignatureUser) Deprecated. The user's name for signature.
void	setSecurementTimeToLive(int securementTimeToLive) Deprecated. Sets the time to live on the outgoing message
void	setSecurementUseDerivedKey(boolean securementUseDerivedKey) Deprecated. Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec.
void	setSecurementUsername(String securementUsername) Deprecated. Sets the username for securement username token or/and the alias of the private key for securement signature
void	setSecurementUsernameTokenElements(String securementUsernameTokenElements) Deprecated. Sets the additional elements in UsernameTokens.
void	setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds) Deprecated. Sets if the generated timestamp header's precision is in milliseconds.
void	setTimestampStrict(boolean timestampStrict) Deprecated. Sets whether or not timestamp verification is done with the server-side time to live
void	setValidationActions(String actions) Deprecated. Sets the validation actions to be executed by the interceptor.
void	setValidationActor(String validationActor) Deprecated.
void	setValidationCallbackHandler(CallbackHandler callbackHandler) Deprecated. Sets the WSPasswordCallback handler to use when validating messages.
void	setValidationCallbackHandlers(CallbackHandler[] callbackHandler) Deprecated. Sets the WSPasswordCallback handlers to use when validating messages.
void	setValidationDecryptionCrypto(org.apache.ws.security.components.crypto.Crypto decryptionCrypto) Deprecated. Sets the Crypto to use to decrypt incoming messages
void	setValidationSignatureCrypto(org.apache.ws.security.components.crypto.Crypto signatureCrypto) Deprecated. Sets the Crypto to use to verify the signature of incoming messages
void	setValidationTimeToLive(int validationTimeToLive) Deprecated. Sets the server-side time to live
void	setWssConfig(org.apache.ws.security.WSSConfig config) Deprecated. Sets the web service specification settings.
protected void	validateMessage(SoapMessage soapMessage, MessageContext messageContext) Deprecated. Abstract template method.
protected void	verifyCertificateTrust(List<org.apache.ws.security.WSSecurityEngineResult> results) Deprecated. Verifies the trust of a certificate.
protected void	verifyTimestamp(List<org.apache.ws.security.WSSecurityEngineResult> results) Deprecated. Verifies the timestamp.

Methods inherited from class org.springframework.ws.soap.security.AbstractWsSecurityInterceptor

afterCompletion, afterCompletion, handleFault, handleFault, handleFaultException, handleRequest, handleRequest, handleResponse, handleResponse, handleSecurementException, handleValidationException, setExceptionResolver, setSecureRequest, setSecureResponse, setSkipValidationIfNoHeaderPresent, setValidateRequest, setValidateResponse, understands

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SECUREMENT_USER_PROPERTY_NAME

public static final String SECUREMENT_USER_PROPERTY_NAME

Deprecated.

See Also:

Constant Field Values

Constructor Detail

Wss4jSecurityInterceptor

public Wss4jSecurityInterceptor()

Deprecated.

Method Detail

setSecurementActions

public void setSecurementActions(String securementActions)

Deprecated.

setSecurementActor

public void setSecurementActor(String securementActor)

Deprecated.

The actor name of the wsse:Security header.

If this parameter is omitted, the actor name is not set.

The value of the actor or role has to match the receiver's setting or may contain standard values.

setSecurementEncryptionCrypto

public void setSecurementEncryptionCrypto(org.apache.ws.security.components.crypto.Crypto securementEncryptionCrypto)

Deprecated.

setSecurementEncryptionEmbeddedKeyName

public void setSecurementEncryptionEmbeddedKeyName(String securementEncryptionEmbeddedKeyName)

Deprecated.

Sets the key name that needs to be sent for encryption.

setSecurementEncryptionKeyIdentifier

public void setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier)

Deprecated.

Defines which key identifier type to use. The WS-Security specifications recommends to use the identifier type IssuerSerial. For possible encryption key identifier types refer to WSHandlerConstants.keyIdentifier. For encryption IssuerSerial, X509KeyIdentifier, DirectReference, Thumbprint, SKIKeyIdentifier, and EmbeddedKeyName are valid only.

setSecurementEncryptionKeyTransportAlgorithm

public void setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm)

Deprecated.

Defines which algorithm to use to encrypt the generated symmetric key. Currently WSS4J supports WSConstants.KEYTRANSPORT_RSA15 and WSConstants.KEYTRANSPORT_RSAOEP.

setSecurementEncryptionParts

public void setSecurementEncryptionParts(String securementEncryptionParts)

Deprecated.

Property to define which parts of the request shall be encrypted.

The value of this property is a list of semicolon separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may precede each element name.

The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list:

 <property name="securementEncryptionParts"
         value="{Content}{http://example.org/paymentv2}CreditCard;
                           {Element}{}UserName" />
 

The first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.

The encryption modifier and the namespace identifier can be omitted. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace.

An empty encryption mode defaults to Content, an empty namespace identifier defaults to the SOAP namespace. The second line of the example defines Element as encryption mode for an UserName element in the SOAP namespace.

To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

If no list is specified, the handler encrypts the SOAP Body in Content mode by default.

setSecurementEncryptionSymAlgorithm

public void setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm)

Deprecated.

Defines which symmetric encryption algorithm to use. WSS4J supports the following alorithms: WSConstants.TRIPLE_DES, WSConstants.AES_128, WSConstants.AES_256, and WSConstants.AES_192. Except for AES 192 all of these algorithms are required by the XML Encryption specification.

setSecurementEncryptionUser

public void setSecurementEncryptionUser(String securementEncryptionUser)

Deprecated.

The user's name for encryption.

The encryption functions uses the public key of this user's certificate to encrypt the generated symmetric key.

If this parameter is not set, then the encryption function falls back to the WSHandlerConstants.USER parameter to get the certificate.

If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username. The application can then use the standard user and password functions (see example at WSHandlerConstants.USER to enable HTTP authentication functions.

Encryption only does not authenticate a user / sender, therefore it does not need a password.

Placing the username of the encryption certificate in the configuration file is not a security risk, because the public key of that certificate is used only.

setSecurementPassword

public void setSecurementPassword(String securementPassword)

Deprecated.

setSecurementPasswordType

public void setSecurementPasswordType(String securementUsernameTokenPasswordType)

Deprecated.

Specific parameter for UsernameToken action to define the encoding of the passowrd.

The parameter can be set to either WSConstants.PW_DIGEST or to WSConstants.PW_TEXT.

The default setting is PW_DIGEST.

setSecurementSignatureAlgorithm

public void setSecurementSignatureAlgorithm(String securementSignatureAlgorithm)

Deprecated.

Defines which signature algorithm to use.

See Also:

WSConstants.RSA, WSConstants.DSA

setSecurementSignatureDigestAlgorithm

public void setSecurementSignatureDigestAlgorithm(String digestAlgorithm)

Deprecated.

Defines which signature digest algorithm to use.

setSecurementSignatureCrypto

public void setSecurementSignatureCrypto(org.apache.ws.security.components.crypto.Crypto securementSignatureCrypto)

Deprecated.

setSecurementSignatureKeyIdentifier

public void setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier)

Deprecated.

Defines which key identifier type to use. The WS-Security specifications recommends to use the identifier type IssuerSerial. For possible signature key identifier types refer to WSHandlerConstants.keyIdentifier. For signature IssuerSerial and DirectReference are valid only.

setSecurementSignatureParts

public void setSecurementSignatureParts(String securementSignatureParts)

Deprecated.

Property to define which parts of the request shall be signed.

Refer to setSecurementEncryptionParts(String) for a detailed description of the format of the value string.

If this property is not specified the handler signs the SOAP Body by default.

The WS Security specifications define several formats to transfer the signature tokens (certificates) or references to these tokens. Thus, the plain element name Token signs the token and takes care of the different formats.

To sign the SOAP body and the signature token the value of this parameter must contain:

 <property name="securementSignatureParts"
         value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
 

To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string)

If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).

setSecurementSignatureUser

public void setSecurementSignatureUser(String securementSignatureUser)

Deprecated.

The user's name for signature.

This name is used as the alias name in the keystore to get user's certificate and private key to perform signing.

If this parameter is not set, then the signature function falls back to the alias specified by setSecurementUsername(String).

setSecurementUsername

public void setSecurementUsername(String securementUsername)

Deprecated.

Sets the username for securement username token or/and the alias of the private key for securement signature

setSecurementTimeToLive

public void setSecurementTimeToLive(int securementTimeToLive)

Deprecated.

Sets the time to live on the outgoing message

setSecurementUseDerivedKey

public void setSecurementUseDerivedKey(boolean securementUseDerivedKey)

Deprecated.

Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec. Default is true.

setValidationTimeToLive

public void setValidationTimeToLive(int validationTimeToLive)

Deprecated.

Sets the server-side time to live

setValidationActions

public void setValidationActions(String actions)

Deprecated.

Sets the validation actions to be executed by the interceptor.

setValidationActor

public void setValidationActor(String validationActor)

Deprecated.

setValidationCallbackHandler

public void setValidationCallbackHandler(CallbackHandler callbackHandler)

Deprecated.

Sets the WSPasswordCallback handler to use when validating messages.

See Also:

setValidationCallbackHandlers(CallbackHandler[])

setValidationCallbackHandlers

public void setValidationCallbackHandlers(CallbackHandler[] callbackHandler)

Deprecated.

Sets the WSPasswordCallback handlers to use when validating messages.

See Also:

setValidationCallbackHandler(CallbackHandler)

setValidationDecryptionCrypto

public void setValidationDecryptionCrypto(org.apache.ws.security.components.crypto.Crypto decryptionCrypto)

Deprecated.

Sets the Crypto to use to decrypt incoming messages

setValidationSignatureCrypto

public void setValidationSignatureCrypto(org.apache.ws.security.components.crypto.Crypto signatureCrypto)

Deprecated.

Sets the Crypto to use to verify the signature of incoming messages

setEnableSignatureConfirmation

public void setEnableSignatureConfirmation(boolean enableSignatureConfirmation)

Deprecated.

Whether to enable signatureConfirmation or not. By default signatureConfirmation is enabled

setTimestampPrecisionInMilliseconds

public void setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds)

Deprecated.

Sets if the generated timestamp header's precision is in milliseconds.

setTimestampStrict

public void setTimestampStrict(boolean timestampStrict)

Deprecated.

Sets whether or not timestamp verification is done with the server-side time to live

setSecurementMustUnderstand

public void setSecurementMustUnderstand(boolean securementMustUnderstand)

Deprecated.

Enables the mustUnderstand attribute on WS-Security headers on outgoing messages. Default is true.

setSecurementUsernameTokenElements

public void setSecurementUsernameTokenElements(String securementUsernameTokenElements)

Deprecated.

Sets the additional elements in UsernameTokens.

The value of this parameter is a list of element names that are added to the UsernameToken. The names of the list a separated by spaces.

The list may contain the names Nonce and Created only (case sensitive). Use this option if the password type is passwordText and the handler shall add the Nonce and/or Created elements.

setWssConfig

public void setWssConfig(org.apache.ws.security.WSSConfig config)

Deprecated.

Sets the web service specification settings.

The default settings follow the latest OASIS and changing anything might violate the OASIS specs.

Parameters:

config - web service security configuration or null to use default settings

setEnableRevocation

public void setEnableRevocation(boolean enableRevocation)

Deprecated.

Set whether to enable CRL checking or not when verifying trust in a certificate.

setBspCompliant

public void setBspCompliant(boolean bspCompliant)

Deprecated.

Set the WS-I Basic Security Profile compliance mode. Default is true.

setSamlProperties

public void setSamlProperties(String location)

Deprecated.

Sets the location of the SAML properties file. The file should be available on the classpath.

setFutureTimeToLive

public void setFutureTimeToLive(int futureTimeToLive)

Deprecated.

Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default is 60 seconds.

setSamlIssuer

public void setSamlIssuer(org.apache.ws.security.saml.SAMLIssuer samlIssuer)

Deprecated.

Sets the SAML issuer.

getRemoveSecurityHeader

public boolean getRemoveSecurityHeader()

Deprecated.

setRemoveSecurityHeader

public void setRemoveSecurityHeader(boolean removeSecurityHeader)

Deprecated.

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Deprecated.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

Exception

secureMessage

protected void secureMessage(SoapMessage soapMessage,
                             MessageContext messageContext)
                      throws WsSecuritySecurementException

Deprecated.

Description copied from class: AbstractWsSecurityInterceptor

Abstract template method. Subclasses are required to secure the response contained in the given SoapMessage, and replace the original response with the secured version.

Specified by:

secureMessage in class AbstractWsSecurityInterceptor

Parameters:

soapMessage - the soap message to secure

Throws:

WsSecuritySecurementException - in case of securement errors

initializeRequestData

protected org.apache.ws.security.handler.RequestData initializeRequestData(MessageContext messageContext)

Deprecated.

Creates and initializes a request data for the given message context.

Parameters:

messageContext - the message context

Returns:

the request data

validateMessage

protected void validateMessage(SoapMessage soapMessage,
                               MessageContext messageContext)
                        throws WsSecurityValidationException

Deprecated.

Description copied from class: AbstractWsSecurityInterceptor

Abstract template method. Subclasses are required to validate the request contained in the given SoapMessage, and replace the original request with the validated version.

Specified by:

validateMessage in class AbstractWsSecurityInterceptor

Parameters:

soapMessage - the soap message to validate

Throws:

WsSecurityValidationException - in case of validation errors

checkResults

protected void checkResults(List<org.apache.ws.security.WSSecurityEngineResult> results,
                            List<Integer> validationActions)
                     throws Wss4jSecurityValidationException

Deprecated.

Checks whether the received headers match the configured validation actions. Subclasses could override this method for custom verification behavior.

Parameters:

results - the results of the validation function

validationActions - the decoded validation actions

Throws:

Wss4jSecurityValidationException - if the results are deemed invalid

verifyCertificateTrust

protected void verifyCertificateTrust(List<org.apache.ws.security.WSSecurityEngineResult> results)
                               throws org.apache.ws.security.WSSecurityException

Deprecated.

Verifies the trust of a certificate.

Throws:

org.apache.ws.security.WSSecurityException

verifyTimestamp

protected void verifyTimestamp(List<org.apache.ws.security.WSSecurityEngineResult> results)
                        throws org.apache.ws.security.WSSecurityException

Deprecated.

Verifies the timestamp.

Throws:

org.apache.ws.security.WSSecurityException

cleanUp

protected void cleanUp()

Deprecated.

Specified by:

cleanUp in class AbstractWsSecurityInterceptor