View Javadoc
1   /*
2    * Copyright 2005-2010 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.ws.soap.security.xwss;
18  
19  import java.io.IOException;
20  import java.io.InputStream;
21  import java.util.Arrays;
22  import java.util.Hashtable;
23  import javax.security.auth.callback.Callback;
24  import javax.security.auth.callback.CallbackHandler;
25  import javax.security.auth.callback.UnsupportedCallbackException;
26  import javax.xml.soap.SOAPMessage;
27  
28  import com.sun.xml.wss.ProcessingContext;
29  import com.sun.xml.wss.XWSSProcessor;
30  import com.sun.xml.wss.XWSSProcessorFactory;
31  import com.sun.xml.wss.XWSSecurityException;
32  import com.sun.xml.wss.impl.WssSoapFaultException;
33  
34  import org.springframework.beans.factory.InitializingBean;
35  import org.springframework.core.io.Resource;
36  import org.springframework.util.Assert;
37  import org.springframework.ws.context.MessageContext;
38  import org.springframework.ws.soap.SoapMessage;
39  import org.springframework.ws.soap.saaj.SaajSoapMessage;
40  import org.springframework.ws.soap.security.AbstractWsSecurityInterceptor;
41  import org.springframework.ws.soap.security.WsSecurityValidationException;
42  import org.springframework.ws.soap.security.callback.CleanupCallback;
43  import org.springframework.ws.soap.security.xwss.callback.XwssCallbackHandlerChain;
44  
45  /**
46   * WS-Security endpoint interceptor  that is based on Sun's XML and Web Services Security package (XWSS). This
47   * WS-Security implementation is part of the Java Web Services Developer Pack (Java WSDP).
48   * <p/>
49   * This interceptor needs a <code>CallbackHandler</code> to operate. This handler is used to retrieve certificates,
50   * private keys, validate user credentials, etc. Refer to the XWSS Javadoc to learn more about the specific
51   * <code>Callback</code>s fired by XWSS. You can also set multiple handlers, each of which will be used in turn.
52   * <p/>
53   * Additionally, you must define a XWSS policy file by setting <code>policyConfiguration</code> property. The format of
54   * the policy file is documented in the <a href="http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro4.html#wp529900">Java
55   * Web Services Tutorial</a>.
56   * <p/>
57   * <b>Note</b> that this interceptor depends on SAAJ, and thus requires <code>SaajSoapMessage</code>s to operate. This
58   * means that you must use a <code>SaajSoapMessageFactory</code> to create the SOAP messages.
59   *
60   * @author Arjen Poutsma
61   * @see #setCallbackHandler(javax.security.auth.callback.CallbackHandler)
62   * @see #setPolicyConfiguration(org.springframework.core.io.Resource)
63   * @see com.sun.xml.wss.impl.callback.XWSSCallback
64   * @see org.springframework.ws.soap.saaj.SaajSoapMessageFactory
65   * @see <a href="https://xwss.dev.java.net/">XWSS</a>
66   * @since 1.0.0
67   */
68  public class XwsSecurityInterceptor extends AbstractWsSecurityInterceptor implements InitializingBean {
69  
70      private XWSSProcessor processor;
71  
72      private CallbackHandler callbackHandler;
73  
74      private Resource policyConfiguration;
75  
76      /**
77       * Sets the handler to resolve XWSS callbacks. Setting either this propery, or <code>callbackHandlers</code>, is
78       * required.
79       *
80       * @see com.sun.xml.wss.impl.callback.XWSSCallback
81       * @see #setCallbackHandlers(javax.security.auth.callback.CallbackHandler[])
82       */
83      public void setCallbackHandler(CallbackHandler callbackHandler) {
84          this.callbackHandler = callbackHandler;
85      }
86  
87      /**
88       * Sets the handlers to resolve XWSS callbacks. Setting either this propery, or <code>callbackHandlers</code>, is
89       * required.
90       *
91       * @see com.sun.xml.wss.impl.callback.XWSSCallback
92       * @see #setCallbackHandler(javax.security.auth.callback.CallbackHandler)
93       */
94      public void setCallbackHandlers(CallbackHandler[] callbackHandler) {
95          this.callbackHandler = new XwssCallbackHandlerChain(callbackHandler);
96      }
97  
98      /** Sets the policy configuration to use for XWSS. Required. */
99      public void setPolicyConfiguration(Resource policyConfiguration) {
100         this.policyConfiguration = policyConfiguration;
101     }
102 
103     public void afterPropertiesSet() throws Exception {
104         Assert.notNull(policyConfiguration, "policyConfiguration is required");
105         Assert.isTrue(policyConfiguration.exists(), "policyConfiguration [" + policyConfiguration + "] does not exist");
106         Assert.notNull(callbackHandler, "callbackHandler is required");
107         XWSSProcessorFactory processorFactory = XWSSProcessorFactory.newInstance();
108         InputStream is = null;
109         try {
110             if (logger.isInfoEnabled()) {
111                 logger.info("Loading policy configuration from from '" + policyConfiguration + "'");
112             }
113             is = policyConfiguration.getInputStream();
114             processor = processorFactory.createProcessorForSecurityConfiguration(is, callbackHandler);
115         }
116         finally {
117             if (is != null) {
118                 is.close();
119             }
120         }
121     }
122 
123     /**
124      * Secures the given SoapMessage message in accordance with the defined security policy.
125      *
126      * @param soapMessage the message to be secured
127      * @throws XwsSecuritySecurementException in case of errors
128      * @throws IllegalArgumentException       when soapMessage is not a <code>SaajSoapMessage</code>
129      */
130     @Override
131     protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext)
132             throws XwsSecuritySecurementException {
133         Assert.isTrue(soapMessage instanceof SaajSoapMessage, "XwsSecurityInterceptor requires a SaajSoapMessage. " +
134                 "Use a SaajSoapMessageFactory to create the SOAP messages.");
135         SaajSoapMessage saajSoapMessage = (SaajSoapMessage) soapMessage;
136         try {
137             ProcessingContext context = processor.createProcessingContext(saajSoapMessage.getSaajMessage());
138             SOAPMessage result = processor.secureOutboundMessage(context);
139             saajSoapMessage.setSaajMessage(result);
140         }
141         catch (XWSSecurityException ex) {
142             throw new XwsSecuritySecurementException(ex.getMessage(), ex);
143         }
144         catch (WssSoapFaultException ex) {
145             throw new XwsSecurityFaultException(ex.getFaultCode(), ex.getFaultString(), ex.getFaultActor());
146         }
147     }
148 
149     /**
150      * Validates the given SoapMessage message in accordance with the defined security policy.
151      *
152      * @param soapMessage the message to be validated
153      * @throws XwsSecurityValidationException in case of errors
154      * @throws IllegalArgumentException       when soapMessage is not a <code>SaajSoapMessage</code>
155      */
156     @Override
157     protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
158             throws WsSecurityValidationException {
159         Assert.isTrue(soapMessage instanceof SaajSoapMessage, "XwsSecurityInterceptor requires a SaajSoapMessage. " +
160                 "Use a SaajSoapMessageFactory to create the SOAP messages.");
161         SaajSoapMessage saajSoapMessage = (SaajSoapMessage) soapMessage;
162         try {
163             ProcessingContext context = processor.createProcessingContext(saajSoapMessage.getSaajMessage());
164             SOAPMessage result = processor.verifyInboundMessage(context);
165             saajSoapMessage.setSaajMessage(result);
166         }
167         catch (XWSSecurityException ex) {
168             throw new XwsSecurityValidationException(ex.getMessage(), ex);
169         }
170         catch (WssSoapFaultException ex) {
171             throw new XwsSecurityFaultException(ex.getFaultCode(), ex.getFaultString(), ex.getFaultActor());
172         }
173     }
174 
175 	private SOAPMessage verifyInboundMessage(ProcessingContext context)
176 			throws XWSSecurityException {
177 		try {
178 			return processor.verifyInboundMessage(context);
179 		}
180 		catch (XWSSecurityException ex) {
181 			Throwable cause = ex.getCause();
182 			if (cause instanceof NullPointerException) {
183 				StackTraceElement[] stackTrace = cause.getStackTrace();
184 				if (stackTrace.length >= 1 &&
185 						Hashtable.class.getName().equals(stackTrace[0].getClassName())) {
186 					return verifyInboundMessage(context);
187 				}
188 			}
189 			throw ex;
190 		}
191 	}
192 
193 	@Override
194     protected void cleanUp() {
195         if (callbackHandler != null) {
196             try {
197                 CleanupCallback cleanupCallback = new CleanupCallback();
198                 callbackHandler.handle(new Callback[]{cleanupCallback});
199             }
200             catch (IOException ex) {
201                 logger.warn("Cleanup callback resulted in IOException", ex);
202             }
203             catch (UnsupportedCallbackException ex) {
204                 // ignore
205             }
206         }
207     }
208 }