View Javadoc

1   /*
2    * Copyright 2005-2010 the original author or authors.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *      http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.springframework.ws.soap.security.xwss;
18  
19  import java.io.IOException;
20  import java.io.InputStream;
21  import javax.security.auth.callback.Callback;
22  import javax.security.auth.callback.CallbackHandler;
23  import javax.security.auth.callback.UnsupportedCallbackException;
24  import javax.xml.soap.SOAPMessage;
25  
26  import com.sun.xml.wss.ProcessingContext;
27  import com.sun.xml.wss.XWSSProcessor;
28  import com.sun.xml.wss.XWSSProcessorFactory;
29  import com.sun.xml.wss.XWSSecurityException;
30  import com.sun.xml.wss.impl.WssSoapFaultException;
31  
32  import org.springframework.beans.factory.InitializingBean;
33  import org.springframework.core.io.Resource;
34  import org.springframework.util.Assert;
35  import org.springframework.ws.context.MessageContext;
36  import org.springframework.ws.soap.SoapMessage;
37  import org.springframework.ws.soap.saaj.SaajSoapMessage;
38  import org.springframework.ws.soap.security.AbstractWsSecurityInterceptor;
39  import org.springframework.ws.soap.security.WsSecurityValidationException;
40  import org.springframework.ws.soap.security.callback.CleanupCallback;
41  import org.springframework.ws.soap.security.xwss.callback.XwssCallbackHandlerChain;
42  
43  /**
44   * WS-Security endpoint interceptor  that is based on Sun's XML and Web Services Security package (XWSS). This
45   * WS-Security implementation is part of the Java Web Services Developer Pack (Java WSDP).
46   * <p/>
47   * This interceptor needs a <code>CallbackHandler</code> to operate. This handler is used to retrieve certificates,
48   * private keys, validate user credentials, etc. Refer to the XWSS Javadoc to learn more about the specific
49   * <code>Callback</code>s fired by XWSS. You can also set multiple handlers, each of which will be used in turn.
50   * <p/>
51   * Additionally, you must define a XWSS policy file by setting <code>policyConfiguration</code> property. The format of
52   * the policy file is documented in the <a href="http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro4.html#wp529900">Java
53   * Web Services Tutorial</a>.
54   * <p/>
55   * <b>Note</b> that this interceptor depends on SAAJ, and thus requires <code>SaajSoapMessage</code>s to operate. This
56   * means that you must use a <code>SaajSoapMessageFactory</code> to create the SOAP messages.
57   *
58   * @author Arjen Poutsma
59   * @see #setCallbackHandler(javax.security.auth.callback.CallbackHandler)
60   * @see #setPolicyConfiguration(org.springframework.core.io.Resource)
61   * @see com.sun.xml.wss.impl.callback.XWSSCallback
62   * @see org.springframework.ws.soap.saaj.SaajSoapMessageFactory
63   * @see <a href="https://xwss.dev.java.net/">XWSS</a>
64   * @since 1.0.0
65   */
66  public class XwsSecurityInterceptor extends AbstractWsSecurityInterceptor implements InitializingBean {
67  
68      private XWSSProcessor processor;
69  
70      private CallbackHandler callbackHandler;
71  
72      private Resource policyConfiguration;
73  
74      /**
75       * Sets the handler to resolve XWSS callbacks. Setting either this propery, or <code>callbackHandlers</code>, is
76       * required.
77       *
78       * @see com.sun.xml.wss.impl.callback.XWSSCallback
79       * @see #setCallbackHandlers(javax.security.auth.callback.CallbackHandler[])
80       */
81      public void setCallbackHandler(CallbackHandler callbackHandler) {
82          this.callbackHandler = callbackHandler;
83      }
84  
85      /**
86       * Sets the handlers to resolve XWSS callbacks. Setting either this propery, or <code>callbackHandlers</code>, is
87       * required.
88       *
89       * @see com.sun.xml.wss.impl.callback.XWSSCallback
90       * @see #setCallbackHandler(javax.security.auth.callback.CallbackHandler)
91       */
92      public void setCallbackHandlers(CallbackHandler[] callbackHandler) {
93          this.callbackHandler = new XwssCallbackHandlerChain(callbackHandler);
94      }
95  
96      /** Sets the policy configuration to use for XWSS. Required. */
97      public void setPolicyConfiguration(Resource policyConfiguration) {
98          this.policyConfiguration = policyConfiguration;
99      }
100 
101     public void afterPropertiesSet() throws Exception {
102         Assert.notNull(policyConfiguration, "policyConfiguration is required");
103         Assert.isTrue(policyConfiguration.exists(), "policyConfiguration [" + policyConfiguration + "] does not exist");
104         Assert.notNull(callbackHandler, "callbackHandler is required");
105         XWSSProcessorFactory processorFactory = XWSSProcessorFactory.newInstance();
106         InputStream is = null;
107         try {
108             if (logger.isInfoEnabled()) {
109                 logger.info("Loading policy configuration from from '" + policyConfiguration + "'");
110             }
111             is = policyConfiguration.getInputStream();
112             processor = processorFactory.createProcessorForSecurityConfiguration(is, callbackHandler);
113         }
114         finally {
115             if (is != null) {
116                 is.close();
117             }
118         }
119     }
120 
121     /**
122      * Secures the given SoapMessage message in accordance with the defined security policy.
123      *
124      * @param soapMessage the message to be secured
125      * @throws XwsSecuritySecurementException in case of errors
126      * @throws IllegalArgumentException       when soapMessage is not a <code>SaajSoapMessage</code>
127      */
128     @Override
129     protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext)
130             throws XwsSecuritySecurementException {
131         Assert.isTrue(soapMessage instanceof SaajSoapMessage, "XwsSecurityInterceptor requires a SaajSoapMessage. " +
132                 "Use a SaajSoapMessageFactory to create the SOAP messages.");
133         SaajSoapMessage saajSoapMessage = (SaajSoapMessage) soapMessage;
134         try {
135             ProcessingContext context = processor.createProcessingContext(saajSoapMessage.getSaajMessage());
136             SOAPMessage result = processor.secureOutboundMessage(context);
137             saajSoapMessage.setSaajMessage(result);
138         }
139         catch (XWSSecurityException ex) {
140             throw new XwsSecuritySecurementException(ex.getMessage(), ex);
141         }
142         catch (WssSoapFaultException ex) {
143             throw new XwsSecurityFaultException(ex.getFaultCode(), ex.getFaultString(), ex.getFaultActor());
144         }
145     }
146 
147     /**
148      * Validates the given SoapMessage message in accordance with the defined security policy.
149      *
150      * @param soapMessage the message to be validated
151      * @throws XwsSecurityValidationException in case of errors
152      * @throws IllegalArgumentException       when soapMessage is not a <code>SaajSoapMessage</code>
153      */
154     @Override
155     protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
156             throws WsSecurityValidationException {
157         Assert.isTrue(soapMessage instanceof SaajSoapMessage, "XwsSecurityInterceptor requires a SaajSoapMessage. " +
158                 "Use a SaajSoapMessageFactory to create the SOAP messages.");
159         SaajSoapMessage saajSoapMessage = (SaajSoapMessage) soapMessage;
160         try {
161             ProcessingContext context = processor.createProcessingContext(saajSoapMessage.getSaajMessage());
162             SOAPMessage result = processor.verifyInboundMessage(context);
163             saajSoapMessage.setSaajMessage(result);
164         }
165         catch (XWSSecurityException ex) {
166             throw new XwsSecurityValidationException(ex.getMessage(), ex);
167         }
168         catch (WssSoapFaultException ex) {
169             throw new XwsSecurityFaultException(ex.getFaultCode(), ex.getFaultString(), ex.getFaultActor());
170         }
171     }
172 
173     @Override
174     protected void cleanUp() {
175         if (callbackHandler != null) {
176             try {
177                 CleanupCallback cleanupCallback = new CleanupCallback();
178                 callbackHandler.handle(new Callback[]{cleanupCallback});
179             }
180             catch (IOException ex) {
181                 logger.warn("Cleanup callback resulted in IOException", ex);
182             }
183             catch (UnsupportedCallbackException ex) {
184                 // ignore
185             }
186         }
187     }
188 }