AcegiCertificateValidationCallbackHandler xref

View Javadoc

1   /*
2    * Copyright 2002-2009 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.ws.soap.security.xwss.callback.acegi;
18  
19  import java.io.IOException;
20  import java.security.cert.X509Certificate;
21  import javax.security.auth.callback.Callback;
22  import javax.security.auth.callback.UnsupportedCallbackException;
23  
24  import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
25  import org.acegisecurity.Authentication;
26  import org.acegisecurity.AuthenticationException;
27  import org.acegisecurity.AuthenticationManager;
28  import org.acegisecurity.context.SecurityContextHolder;
29  import org.acegisecurity.providers.x509.X509AuthenticationToken;
30  
31  import org.springframework.beans.factory.InitializingBean;
32  import org.springframework.util.Assert;
33  import org.springframework.ws.soap.security.callback.AbstractCallbackHandler;
34  import org.springframework.ws.soap.security.callback.CleanupCallback;
35  
36  /**
37   * Callback handler that validates a certificate using an Acegi <code>AuthenticationManager</code>. Logic based on
38   * Acegi's <code>X509ProcessingFilter</code>. <p/> An Acegi <code>X509AuthenticationToken</code> is created with the
39   * certificate as the credentials. <p/> The configured authentication manager is expected to supply a provider which can
40   * handle this token (usually an instance of <code>X509AuthenticationProvider</code>).</p>
41   * <p/>
42   * This class only handles <code>CertificateValidationCallback</code>s, and throws an
43   * <code>UnsupportedCallbackException</code> for others.
44   *
45   * @author Arjen Poutsma
46   * @see X509AuthenticationToken
47   * @see org.acegisecurity.providers.x509.X509AuthenticationProvider
48   * @see org.acegisecurity.ui.x509.X509ProcessingFilter
49   * @see CertificateValidationCallback
50   * @since 1.0.0
51   * @deprecated As of Spring-WS 1.5, in favor of Spring Security
52   */
53  public class AcegiCertificateValidationCallbackHandler extends AbstractCallbackHandler implements InitializingBean {
54  
55      private AuthenticationManager authenticationManager;
56  
57      private boolean ignoreFailure = false;
58  
59      /** Sets the Acegi authentication manager. Required. */
60      public void setAuthenticationManager(AuthenticationManager authenticationManager) {
61          this.authenticationManager = authenticationManager;
62      }
63  
64      public void setIgnoreFailure(boolean ignoreFailure) {
65          this.ignoreFailure = ignoreFailure;
66      }
67  
68      public void afterPropertiesSet() throws Exception {
69          Assert.notNull(authenticationManager, "authenticationManager is required");
70      }
71  
72      /**
73       * Handles  <code>CertificateValidationCallback</code>s, and throws an <code>UnsupportedCallbackException</code> for
74       * others
75       *
76       * @throws UnsupportedCallbackException when the callback is not supported
77       */
78      protected void handleInternal(Callback callback) throws IOException, UnsupportedCallbackException {
79          if (callback instanceof CertificateValidationCallback) {
80              ((CertificateValidationCallback) callback).setValidator(new AcegiCertificateValidator());
81          }
82          else if (callback instanceof CleanupCallback) {
83              SecurityContextHolder.clearContext();
84          }
85          else {
86              throw new UnsupportedCallbackException(callback);
87          }
88      }
89  
90      private class AcegiCertificateValidator implements CertificateValidationCallback.CertificateValidator {
91  
92          public boolean validate(X509Certificate certificate)
93                  throws CertificateValidationCallback.CertificateValidationException {
94              boolean result;
95              try {
96                  Authentication authResult =
97                          authenticationManager.authenticate(new X509AuthenticationToken(certificate));
98                  if (logger.isDebugEnabled()) {
99                      logger.debug("Authentication request for certificate with DN [" +
100                             certificate.getSubjectX500Principal().getName() + "] successful");
101                 }
102                 SecurityContextHolder.getContext().setAuthentication(authResult);
103                 return true;
104             }
105             catch (AuthenticationException failed) {
106                 if (logger.isDebugEnabled()) {
107                     logger.debug("Authentication request for certificate with DN [" +
108                             certificate.getSubjectX500Principal().getName() + "] failed: " + failed.toString());
109                 }
110                 SecurityContextHolder.clearContext();
111                 result = ignoreFailure;
112             }
113             return result;
114         }
115     }
116 }