Class Wss4jSecurityInterceptor
- All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, ClientInterceptor, EndpointInterceptor, SoapEndpointInterceptor

... org.springframework.ws.soap.axiom.AxiomSoapMessageFactory and the SaajSoapMessageFactory.

The validation and securement actions executed by this interceptor are configured via the validationActions and securementActions properties, respectively. Actions should be passed as a space-separated string.
Valid validation actions are:
  Validation action   Description
  UsernameToken       Validates the username token
  Timestamp           Validates the timestamp
  Encrypt             Decrypts the message
  Signature           Validates the signature
  NoSecurity          No action performed
Securement actions are:
  Securement action       Description
  UsernameToken           Adds a username token
  UsernameTokenSignature  Adds a username token and a signature derived from the username token secret key
  Timestamp               Adds a timestamp
  Encrypt                 Encrypts the response
  Signature               Signs the response
  NoSecurity              No action performed
The order of the actions that the client performed to secure the messages is significant and is enforced by the interceptor.
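As an added example (not code from this Javadoc or from the Spring WS project), the following Java configuration wires the class described above for a server that only accepts timestamped and signed requests and secures its responses the same way. CryptoFactoryBean is the Spring WS wss4j2 support class; the keystore location, the "server" alias, the passwords and the subject DN pattern are assumptions.

```java
// Added example (not from the Spring WS Javadoc above): a server-side Wss4jSecurityInterceptor
// that requires "Timestamp Signature" on requests and timestamps/signs the responses.
// Assumed: the wss4j2 package of Spring WS, CryptoFactoryBean, the keystore path, the "server"
// alias, the passwords and the subject DN pattern; none of these come from the page.
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
public class WsSecurityServerConfig {

    // Keystore with the server key pair (alias "server") plus the CA certificates trusted for client signatures.
    @Bean
    public CryptoFactoryBean serverCrypto() throws IOException {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource("server-keystore.jks")); // assumed location
        crypto.setKeyStorePassword("changeit");                                   // assumed password
        return crypto;
    }

    // Register the returned bean through WsConfigurer.addInterceptors (not shown here).
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Crypto crypto = serverCrypto().getObject();
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Inbound: reject requests that lack a Timestamp followed by a Signature; the order is enforced.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(crypto);
        interceptor.setValidationTimeToLive(120);   // seconds a received Timestamp stays acceptable
        interceptor.setFutureTimeToLive(30);        // tolerated clock skew for a Created time in the future
        interceptor.setTimestampStrict(true);
        interceptor.setEnableRevocation(true);      // CRL checking; the Crypto must be able to reach a CRL
        // Chain trust says "issued by a CA we trust", not "is the peer we expect": pin the subject DN too.
        interceptor.setValidationSubjectDnConstraints(
                List.of(Pattern.compile(".*O=Example Corp,.*")));  // assumed pattern
        interceptor.setAllowRSA15KeyTransportAlgorithm(false);     // refuse RSA 1.5 key transport

        // Outbound: timestamp the response and sign both the Body and the signing token.
        interceptor.setSecurementActions("Timestamp Signature");
        interceptor.setSecurementSignatureCrypto(crypto);
        interceptor.setSecurementUsername("server");        // alias of the private key (assumed)
        interceptor.setSecurementPassword("changeit");      // its password (assumed)
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
        interceptor.setSecurementSignatureParts(
                "{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token");
        interceptor.setSecurementTimeToLive(60);
        interceptor.setEnableSignatureConfirmation(true);
        return interceptor;
    }
}
```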
- Since:
- 2.3.0
- Author:
- Tareq Abed Rabbo, Arjen Poutsma, Greg Turnquist, Jamin Hitchcock, Rob Leland, Lars Uffmann, Andreas Winter
Field Summary
Fields inherited from class org.springframework.ws.soap.security.AbstractWsSecurityInterceptor: logger, WS_SECURITY_NAME
Constructor Summary
Wss4jSecurityInterceptor()
    Create a WSSecurityEngine by default.
Wss4jSecurityInterceptor(org.apache.wss4j.dom.engine.WSSecurityEngine securityEngine)
    Inject a customized WSSecurityEngine.
Method Summary
void afterPropertiesSet()
protected void checkResults(List<org.apache.wss4j.dom.engine.WSSecurityEngineResult> results, List<Integer> validationActions)
    Checks whether the received headers match the configured validation actions.
protected void cleanUp()
boolean getRemoveSecurityHeader()
protected org.apache.wss4j.dom.handler.RequestData initializeRequestData(MessageContext messageContext)
    Creates and initializes request data for the given message context.
protected org.apache.wss4j.dom.handler.RequestData initializeValidationRequestData(MessageContext messageContext)
    Creates and initializes request data for the given message context.
protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext)
    Abstract template method.
void setAddInclusivePrefixes(boolean addInclusivePrefixes)
    Sets whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS.
void setAllowRSA15KeyTransportAlgorithm(boolean allow)
    Sets whether the RSA 1.5 key transport algorithm is allowed.
void setBspCompliant(boolean bspCompliant)
    Sets the WS-I Basic Security Profile compliance mode.
void setEnableRevocation(boolean enableRevocation)
    Sets whether to enable CRL checking when verifying trust in a certificate.
void setEnableSignatureConfirmation(boolean enableSignatureConfirmation)
    Sets whether to enable signature confirmation.
void setFutureTimeToLive(int futureTimeToLive)
    Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid.
void setRemoveSecurityHeader(boolean removeSecurityHeader)
void setSecurementActions(String securementActions)
void setSecurementActor(String securementActor)
    The actor name of the wsse:Security header.
void setSecurementEncryptionCrypto(org.apache.wss4j.common.crypto.Crypto securementEncryptionCrypto)
void setSecurementEncryptionKeyIdentifier(String securementEncryptionKeyIdentifier)
    Defines which key identifier type to use.
void setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm)
    Defines which algorithm to use to encrypt the generated symmetric key.
void setSecurementEncryptionParts(String securementEncryptionParts)
    Property to define which parts of the request shall be encrypted.
void setSecurementEncryptionSymAlgorithm(String securementEncryptionSymAlgorithm)
    Defines which symmetric encryption algorithm to use.
void setSecurementEncryptionUser(String securementEncryptionUser)
    The user's name for encryption.
void setSecurementMustUnderstand(boolean securementMustUnderstand)
    Enables the mustUnderstand attribute on WS-Security headers on outgoing messages.
void setSecurementPassword(String securementPassword)
void setSecurementPasswordType(String securementUsernameTokenPasswordType)
    Specific parameter for the UsernameToken action to define the encoding of the password.
void setSecurementSamlCallbackHandler(CallbackHandler samlCallbackHandler)
    Sets the SAML Callback used for generating SAML tokens.
void setSecurementSignatureAlgorithm(String securementSignatureAlgorithm)
    Defines which signature algorithm to use.
void setSecurementSignatureCrypto(org.apache.wss4j.common.crypto.Crypto securementSignatureCrypto)
void setSecurementSignatureDigestAlgorithm(String digestAlgorithm)
    Defines which signature digest algorithm to use.
void setSecurementSignatureKeyIdentifier(String securementSignatureKeyIdentifier)
    Defines which key identifier type to use.
void setSecurementSignatureParts(String securementSignatureParts)
    Property to define which parts of the request shall be signed.
void setSecurementSignatureSingleCertificate(boolean useSingleCertificate)
    Defines whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature.
void setSecurementSignatureUser(String securementSignatureUser)
    The user's name for signature.
void setSecurementTimeToLive(int securementTimeToLive)
    Sets the time to live on the outgoing message.
void setSecurementUseDerivedKey(boolean securementUseDerivedKey)
    Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec.
void setSecurementUsername(String securementUsername)
    Sets the username for the securement username token and/or the alias of the private key for securement signature.
void setSecurementUsernameTokenCreated(boolean securementUsernameTokenCreated)
    Sets whether or not a Created element is added to the UsernameTokens.
void setSecurementUsernameTokenNonce(boolean securementUsernameTokenNonce)
    Sets whether or not a Nonce element is added to the UsernameTokens.
void setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds)
    Sets whether the generated timestamp header's precision is in milliseconds.
void setTimestampStrict(boolean timestampStrict)
    Sets whether or not timestamp verification is done with the server-side time to live.
void setValidationActions(String actions)
    Sets the validation actions to be executed by the interceptor.
void setValidationActor(String validationActor)
void setValidationCallbackHandler(CallbackHandler callbackHandler)
    Sets the CallbackHandler to use when validating messages.
void setValidationCallbackHandlers(CallbackHandler[] callbackHandler)
    Sets the CallbackHandlers to use when validating messages.
void setValidationDecryptionCrypto(org.apache.wss4j.common.crypto.Crypto decryptionCrypto)
    Sets the Crypto to use to decrypt incoming messages.
void setValidationSignatureCrypto(org.apache.wss4j.common.crypto.Crypto signatureCrypto)
    Sets the Crypto to use to verify the signature of incoming messages.
void setValidationSubjectDnConstraints(List<Pattern> patterns)
    Certificate constraints which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
void setValidationTimeToLive(int validationTimeToLive)
    Sets the server-side time to live.
void setWssConfig(org.apache.wss4j.dom.engine.WSSConfig config)
    Sets the web service specification settings.
protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
    Abstract template method.
protected void verifyCertificateTrust(org.apache.wss4j.dom.handler.WSHandlerResult result)
    Verifies the trust of a certificate.
protected void verifyTimestamp(org.apache.wss4j.dom.handler.WSHandlerResult result)
    Verifies the timestamp.
Methods inherited from class org.springframework.ws.soap.security.AbstractWsSecurityInterceptor:
afterCompletion, afterCompletion, handleFault, handleFault, handleFaultException, handleRequest, handleRequest, handleResponse, handleResponse, handleSecurementException, handleValidationException, setExceptionResolver, setSecureRequest, setSecureResponse, setSkipValidationIfNoHeaderPresent, setValidateRequest, setValidateResponse, understands
Field Details
SECUREMENT_USER_PROPERTY_NAME
SECUREMENT_PASSWORD_PROPERTY_NAME
Constructor Details
Wss4jSecurityInterceptor
public Wss4jSecurityInterceptor()
    Create a WSSecurityEngine by default.
Wss4jSecurityInterceptor
public Wss4jSecurityInterceptor(org.apache.wss4j.dom.engine.WSSecurityEngine securityEngine)
    Inject a customized WSSecurityEngine.
    - Parameters:
    securityEngine
Method Details
setSecurementActions
setSecurementActor
The actor name of the wsse:Security header. If this parameter is omitted, the actor name is not set. The value of the actor or role has to match the receiver's setting or may contain standard values.
setSecurementSignatureSingleCertificate
public void setSecurementSignatureSingleCertificate(boolean useSingleCertificate)
Defines whether to use a single certificate or a whole certificate chain when constructing a BinarySecurityToken used for direct reference in signature. The default is "true", meaning that only a single certificate is used.
setSecurementEncryptionCrypto
public void setSecurementEncryptionCrypto(org.apache.wss4j.common.crypto.Crypto securementEncryptionCrypto)
setSecurementEncryptionKeyIdentifier
Defines which key identifier type to use. The WS-Security specifications recommend using the identifier type IssuerSerial. For possible encryption key identifier types refer to org.apache.ws.security.handler.WSHandlerConstants#keyIdentifier. For encryption, only IssuerSerial, X509KeyIdentifier, DirectReference, Thumbprint, SKIKeyIdentifier, and EmbeddedKeyName are valid.
setSecurementEncryptionKeyTransportAlgorithm
public void setSecurementEncryptionKeyTransportAlgorithm(String securementEncryptionKeyTransportAlgorithm)
Defines which algorithm to use to encrypt the generated symmetric key. Currently WSS4J supports WSS4JConstants.KEYTRANSPORT_RSA15 and WSConstants#KEYTRANSPORT_RSAOEP.
setSecurementEncryptionParts
Property to define which parts of the request shall be encrypted. The value of this property is a list of semicolon-separated element names that identify the elements to encrypt. An encryption mode specifier and a namespace identification, each inside a pair of curly brackets, may precede each element name.
The encryption mode specifier is either {Content} or {Element}. Please refer to the W3C XML Encryption specification about the differences between Element and Content encryption. The encryption mode defaults to Content if it is omitted. Example of a list:
<property name="securementEncryptionParts" value="{Content}{http://example.org/paymentv2}CreditCard; {Element}{}UserName" />
The first entry of the list identifies the element CreditCard in the namespace http://example.org/paymentv2, and will encrypt its content. Be aware that the element name, the namespace identifier, and the encryption modifier are case sensitive.
The encryption modifier and the namespace identifier can be omitted. In this case the encryption mode defaults to Content and the namespace is set to the SOAP namespace. An empty encryption mode defaults to Content, and an empty namespace identifier defaults to the SOAP namespace. The second entry of the example defines Element as the encryption mode for a UserName element in the SOAP namespace.
To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string).
If no list is specified, the handler encrypts the SOAP Body in Content mode by default.
setSecurementEncryptionSymAlgorithm
Defines which symmetric encryption algorithm to use. WSS4J supports the following algorithms: WSS4JConstants.TRIPLE_DES, WSS4JConstants.AES_128, WSS4JConstants.AES_256, and WSS4JConstants.AES_192. Except for AES 192 all of these algorithms are required by the XML Encryption specification.
setSecurementEncryptionUser
The user's name for encryption. The encryption function uses the public key of this user's certificate to encrypt the generated symmetric key.
If this parameter is not set, then the encryption function falls back to the org.apache.ws.security.handler.WSHandlerConstants#USER parameter to get the certificate. If only encryption of the SOAP body data is requested, it is recommended to use this parameter to define the username. The application can then use the standard user and password functions (see the example at org.apache.ws.security.handler.WSHandlerConstants#USER) to enable HTTP authentication functions.
Encryption only does not authenticate a user / sender, therefore it does not need a password.
Placing the username of the encryption certificate in the configuration file is not a security risk, because only the public key of that certificate is used.
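As an added example (not part of this Javadoc or of Spring WS itself), here the parts string from the setSecurementEncryptionParts description is applied on the client together with the encryption user and algorithm settings explained above, and the receiving side is configured to decrypt. CryptoFactoryBean and KeyStoreCallbackHandler are Spring WS wss4j2 support classes; the keystore paths, passwords and the "paymentsvc" alias are assumptions.

```java
// Added example (not the Spring WS project's own code): client-side Encrypt securement for the
// two parts from the Javadoc example, and the matching decryption settings on the server.
// Assumed: the wss4j2 package of Spring WS, the keystore paths/passwords and the "paymentsvc" alias.
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

public class EncryptionPartsExample {

    // Builds a WSS4J Crypto from a JKS/PKCS12 file (path and password are caller-supplied assumptions).
    static Crypto loadCrypto(String path, String password) throws Exception {
        CryptoFactoryBean factory = new CryptoFactoryBean();
        factory.setKeyStoreLocation(new FileSystemResource(path));
        factory.setKeyStorePassword(password);
        factory.afterPropertiesSet();   // the factory bean creates the Crypto here
        return factory.getObject();
    }

    // Client: encrypt only the sensitive parts; the receiver's public key wraps a fresh AES-256 key.
    static Wss4jSecurityInterceptor clientEncryptor(Crypto truststore) {
        Wss4jSecurityInterceptor client = new Wss4jSecurityInterceptor();
        client.setSecurementActions("Encrypt");
        client.setSecurementEncryptionCrypto(truststore);
        client.setSecurementEncryptionUser("paymentsvc");   // alias of the receiver's certificate (assumed)
        // {Content} of CreditCard in its own namespace; the whole UserName {Element} in the SOAP namespace ({}).
        client.setSecurementEncryptionParts(
                "{Content}{http://example.org/paymentv2}CreditCard; {Element}{}UserName");
        client.setSecurementEncryptionSymAlgorithm(WSS4JConstants.AES_256);
        client.setSecurementEncryptionKeyTransportAlgorithm(WSS4JConstants.KEYTRANSPORT_RSAOEP);
        client.setSecurementEncryptionKeyIdentifier("IssuerSerial");   // the type the spec recommends
        // Encrypt alone does not authenticate the sender; add Signature when the peer must be identified.
        return client;
    }

    // Server: unwrap the symmetric key with the private key and refuse RSA 1.5 key transport.
    static Wss4jSecurityInterceptor serverDecryptor(Crypto keystore, String privateKeyPassword) {
        KeyStoreCallbackHandler keyCallback = new KeyStoreCallbackHandler();
        keyCallback.setPrivateKeyPassword(privateKeyPassword);   // assumed password

        Wss4jSecurityInterceptor server = new Wss4jSecurityInterceptor();
        server.setValidationActions("Encrypt");
        server.setValidationDecryptionCrypto(keystore);
        server.setValidationCallbackHandler(keyCallback);
        server.setAllowRSA15KeyTransportAlgorithm(false);
        return server;
    }
}
```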
setSecurementPassword
setSecurementPasswordType
Specific parameter for the UsernameToken action to define the encoding of the password. The parameter can be set to either WSS4JConstants.PW_DIGEST or WSS4JConstants.PW_TEXT. The default setting is PW_DIGEST.
setSecurementSignatureAlgorithm
Defines which signature algorithm to use.
- See Also:
- WSS4JConstants.RSA
- WSS4JConstants.DSA
setSecurementSignatureDigestAlgorithm
Defines which signature digest algorithm to use.
setSecurementSignatureCrypto
public void setSecurementSignatureCrypto(org.apache.wss4j.common.crypto.Crypto securementSignatureCrypto)
setSecurementSignatureKeyIdentifier
Defines which key identifier type to use. The WS-Security specifications recommend using the identifier type IssuerSerial. For possible signature key identifier types refer to org.apache.ws.security.handler.WSHandlerConstants#keyIdentifier. For signature, only IssuerSerial and DirectReference are valid.
setSecurementSignatureParts
Property to define which parts of the request shall be signed. Refer to setSecurementEncryptionParts(String) for a detailed description of the format of the value string. If this property is not specified the handler signs the SOAP Body by default.
The WS Security specifications define several formats to transfer the signature tokens (certificates) or references to these tokens. Thus, the plain element name Token signs the token and takes care of the different formats. To sign the SOAP body and the signature token the value of this parameter must contain:
<property name="securementSignatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body; Token" />
To specify an element without a namespace use the string Null as the namespace name (this is a case sensitive string). If there is no other element in the request with a local name of Body then the SOAP namespace identifier can be empty ({}).
setSecurementSignatureUser
The user's name for signature. This name is used as the alias name in the keystore to get the user's certificate and private key to perform signing. If this parameter is not set, then the signature function falls back to the alias specified by setSecurementUsername(String).
setSecurementUsername
Sets the username for the securement username token and/or the alias of the private key for securement signature.
setSecurementTimeToLive
public void setSecurementTimeToLive(int securementTimeToLive)
Sets the time to live on the outgoing message.
setSecurementUseDerivedKey
public void setSecurementUseDerivedKey(boolean securementUseDerivedKey)
Enables the derivation of keys as per the UsernameTokenProfile 1.1 spec. Default is true.
setSecurementSamlCallbackHandler
Sets the SAML Callback used for generating SAML tokens.
- Parameters:
samlCallback
setValidationTimeToLive
public void setValidationTimeToLive(int validationTimeToLive)
Sets the server-side time to live.
setValidationActions
Sets the validation actions to be executed by the interceptor.
setValidationActor
setValidationCallbackHandler
Sets the CallbackHandler to use when validating messages.
setValidationCallbackHandlers
Sets the CallbackHandlers to use when validating messages.
setValidationDecryptionCrypto
public void setValidationDecryptionCrypto(org.apache.wss4j.common.crypto.Crypto decryptionCrypto)
Sets the Crypto to use to decrypt incoming messages.
setValidationSignatureCrypto
public void setValidationSignatureCrypto(org.apache.wss4j.common.crypto.Crypto signatureCrypto)
Sets the Crypto to use to verify the signature of incoming messages.
setValidationSubjectDnConstraints
Certificate constraints which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate.
- Parameters:
patterns - A list of regex patterns which will be applied to the subject DN.
setEnableSignatureConfirmation
public void setEnableSignatureConfirmation(boolean enableSignatureConfirmation)
Whether to enable signatureConfirmation or not. By default signatureConfirmation is enabled.
setTimestampPrecisionInMilliseconds
public void setTimestampPrecisionInMilliseconds(boolean timestampPrecisionInMilliseconds)
Sets whether the generated timestamp header's precision is in milliseconds.
setTimestampStrict
public void setTimestampStrict(boolean timestampStrict)
Sets whether or not timestamp verification is done with the server-side time to live.
setSecurementMustUnderstand
public void setSecurementMustUnderstand(boolean securementMustUnderstand)
Enables the mustUnderstand attribute on WS-Security headers on outgoing messages. Default is true.
setSecurementUsernameTokenNonce
public void setSecurementUsernameTokenNonce(boolean securementUsernameTokenNonce)
Sets whether or not a Nonce element is added to the UsernameTokens. Default is false.
setSecurementUsernameTokenCreated
public void setSecurementUsernameTokenCreated(boolean securementUsernameTokenCreated)
Sets whether or not a Created element is added to the UsernameTokens. Default is false.
setWssConfig
public void setWssConfig(org.apache.wss4j.dom.engine.WSSConfig config)
Sets the web service specification settings. The default settings follow the latest OASIS specification, and changing anything might violate the OASIS specs.
- Parameters:
config - web service security configuration or null to use default settings
setEnableRevocation
public void setEnableRevocation(boolean enableRevocation)
Sets whether to enable CRL checking when verifying trust in a certificate.
setBspCompliant
public void setBspCompliant(boolean bspCompliant)
Sets the WS-I Basic Security Profile compliance mode. Default is true.
setAddInclusivePrefixes
public void setAddInclusivePrefixes(boolean addInclusivePrefixes)
Sets whether to add an InclusiveNamespaces PrefixList as a CanonicalizationMethod child when generating Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is true.
setAllowRSA15KeyTransportAlgorithm
public void setAllowRSA15KeyTransportAlgorithm(boolean allow)
Sets whether the RSA 1.5 key transport algorithm is allowed.
setFutureTimeToLive
public void setFutureTimeToLive(int futureTimeToLive)
Sets the time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default is 60 seconds.
getRemoveSecurityHeader
public boolean getRemoveSecurityHeader()
setRemoveSecurityHeader
public void setRemoveSecurityHeader(boolean removeSecurityHeader)
afterPropertiesSet
- Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- Throws:
Exception
secureMessage
protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException
Description copied from class: AbstractWsSecurityInterceptor
Abstract template method. Subclasses are required to secure the response contained in the given SoapMessage, and replace the original response with the secured version.
- Specified by:
secureMessage in class AbstractWsSecurityInterceptor
- Parameters:
soapMessage - the soap message to secure
- Throws:
WsSecuritySecurementException - in case of securement errors
initializeRequestData
protected org.apache.wss4j.dom.handler.RequestData initializeRequestData(MessageContext messageContext)
Creates and initializes request data for the given message context.
- Parameters:
messageContext - the message context
- Returns:
the request data
initializeValidationRequestData
protected org.apache.wss4j.dom.handler.RequestData initializeValidationRequestData(MessageContext messageContext)
Creates and initializes request data for the given message context.
- Parameters:
messageContext - the message context
- Returns:
the request data
validateMessage
protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecurityValidationException
Description copied from class: AbstractWsSecurityInterceptor
Abstract template method. Subclasses are required to validate the request contained in the given SoapMessage, and replace the original request with the validated version.
- Specified by:
validateMessage in class AbstractWsSecurityInterceptor
- Parameters:
soapMessage - the soap message to validate
- Throws:
WsSecurityValidationException - in case of validation errors
checkResults
protected void checkResults(List<org.apache.wss4j.dom.engine.WSSecurityEngineResult> results, List<Integer> validationActions) throws Wss4jSecurityValidationException
Checks whether the received headers match the configured validation actions. Subclasses could override this method for custom verification behavior.
- Parameters:
results - the results of the validation function
validationActions - the decoded validation actions
- Throws:
Wss4jSecurityValidationException - if the results are deemed invalid
verifyCertificateTrust
protected void verifyCertificateTrust(org.apache.wss4j.dom.handler.WSHandlerResult result) throws org.apache.wss4j.common.ext.WSSecurityException
Verifies the trust of a certificate.
- Parameters:
result
- Throws:
org.apache.wss4j.common.ext.WSSecurityException
verifyTimestamp
protected void verifyTimestamp(org.apache.wss4j.dom.handler.WSHandlerResult result) throws org.apache.wss4j.common.ext.WSSecurityException
Verifies the timestamp.
- Parameters:
result
- Throws:
org.apache.wss4j.common.ext.WSSecurityException
cleanUp
protected void cleanUp()
- Specified by:
cleanUp in class AbstractWsSecurityInterceptor