View Javadoc
1   /*
2    * Copyright 2005-2010 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.ws.soap.security.xwss.callback;
18  
19  import java.io.IOException;
20  import java.security.cert.X509Certificate;
21  import javax.security.auth.callback.Callback;
22  import javax.security.auth.callback.UnsupportedCallbackException;
23  
24  import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
25  
26  import org.springframework.beans.factory.InitializingBean;
27  import org.springframework.security.core.Authentication;
28  import org.springframework.security.core.AuthenticationException;
29  import org.springframework.security.authentication.AuthenticationManager;
30  import org.springframework.security.core.context.SecurityContextHolder;
31  import org.springframework.ws.soap.security.x509.X509AuthenticationToken;
32  import org.springframework.util.Assert;
33  import org.springframework.ws.soap.security.callback.AbstractCallbackHandler;
34  import org.springframework.ws.soap.security.callback.CleanupCallback;
35  
36  /**
37   * Callback handler that validates a certificate using an Spring Security <code>AuthenticationManager</code>. Logic
38   * based on Spring Security's <code>X509ProcessingFilter</code>. <p/> Spring Security
39   * <code>X509AuthenticationToken</code> is created with the certificate as the credentials. <p/> The configured
40   * authentication manager is expected to supply a provider which can handle this token (usually an instance of
41   * <code>X509AuthenticationProvider</code>).</p>
42   * <p/>
43   * This class only handles <code>CertificateValidationCallback</code>s, and throws an
44   * <code>UnsupportedCallbackException</code> for others.
45   *
46   * @author Arjen Poutsma
47   * @see org.springframework.ws.soap.security.x509.X509AuthenticationToken
48   * @see org.springframework.ws.soap.security.x509.X509AuthenticationProvider
49   * @see com.sun.xml.wss.impl.callback.CertificateValidationCallback
50   * @since 1.5.0
51   */
52  public class SpringCertificateValidationCallbackHandler extends AbstractCallbackHandler implements InitializingBean {
53  
54      private AuthenticationManager authenticationManager;
55  
56      private boolean ignoreFailure = false;
57  
58      /** Sets the Spring Security authentication manager. Required. */
59      public void setAuthenticationManager(AuthenticationManager authenticationManager) {
60          this.authenticationManager = authenticationManager;
61      }
62  
63      public void setIgnoreFailure(boolean ignoreFailure) {
64          this.ignoreFailure = ignoreFailure;
65      }
66  
67      public void afterPropertiesSet() throws Exception {
68          Assert.notNull(authenticationManager, "authenticationManager is required");
69      }
70  
71      /**
72       * Handles  <code>CertificateValidationCallback</code>s, and throws an <code>UnsupportedCallbackException</code> for
73       * others
74       *
75       * @throws javax.security.auth.callback.UnsupportedCallbackException
76       *          when the callback is not supported
77       */
78      @Override
79      protected void handleInternal(Callback callback) throws IOException, UnsupportedCallbackException {
80          if (callback instanceof CertificateValidationCallback) {
81              ((CertificateValidationCallback) callback).setValidator(new SpringSecurityCertificateValidator());
82          }
83          else if (callback instanceof CleanupCallback) {
84              SecurityContextHolder.clearContext();
85          }
86          else {
87              throw new UnsupportedCallbackException(callback);
88          }
89      }
90  
91      private class SpringSecurityCertificateValidator implements CertificateValidationCallback.CertificateValidator {
92  
93          public boolean validate(X509Certificate certificate)
94                  throws CertificateValidationCallback.CertificateValidationException {
95              boolean result;
96              try {
97                  Authentication authResult =
98                          authenticationManager.authenticate(new X509AuthenticationToken(certificate));
99                  if (logger.isDebugEnabled()) {
100                     logger.debug("Authentication request for certificate with DN [" +
101                             certificate.getSubjectX500Principal().getName() + "] successful");
102                 }
103                 SecurityContextHolder.getContext().setAuthentication(authResult);
104                 return true;
105             }
106             catch (AuthenticationException failed) {
107                 if (logger.isDebugEnabled()) {
108                     logger.debug("Authentication request for certificate with DN [" +
109                             certificate.getSubjectX500Principal().getName() + "] failed: " + failed.toString());
110                 }
111                 SecurityContextHolder.clearContext();
112                 result = ignoreFailure;
113             }
114             return result;
115         }
116     }
117 }