Lastly the Policy Interceptor:

This is the class whose behaviour I understand the least.
The WSSecSmSessionToken, which extends WSSecBase, actually builds the BST
token, puts the Siteminder session token in it and then adds it to the
security header.

package com.hcsc.security.sts;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.XMLUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.transport.http.AbstractHTTPDestination;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.w3c.dom.Element;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


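/**
 * WS-SecurityPolicy token interceptor for a SiteMinder session carried as a
 * wsse:BinarySecurityToken (BST) whose ValueType is {@code Constants.VALUE_TYPE_SMSESSION}.
 *
 * <p>{@link #processToken(SoapMessage)} is the inbound side: it scans the security header
 * for such a BST, derives a principal from it and records the result where WSS4J/CXF
 * look for it. {@link #addToken(SoapMessage)} is the outbound side: it asserts the policy
 * and appends a BST built by {@link WSSecSmSessionToken} to the security header.
 *
 * <p>NOTE(review): two parts of this class are stubs and must not be deployed as they are:
 * {@link #getPrincipal} accepts every SM session BST as the fixed user "eaa0001" without
 * validating the session value, and {@link #addSmSessionToken} writes a hard-coded session
 * value instead of the one belonging to the message.
 */
public class SmSessionAssertionInterceptor extends AbstractTokenInterceptor
{
    // class level logger
    private static final Logger logger =
            LoggerFactory.getLogger(SmSessionAssertionInterceptor.class);

    // Session value placed into the outbound BST. This is a literal, not the value of the
    // SmSessionToken handed to addSmSessionToken(); see the class comment.
    private static final String HARDCODED_SM_SESSION =
            "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";

    // spring context; the constructor currently leaves it null (wiring is commented out)
    ClassPathXmlApplicationContext context;
    // configuration holder; currently never assigned
    Configuration config;

    public SmSessionAssertionInterceptor() {
        super();
        // Spring wiring was disabled by the original author and is kept for reference only.
        //context = new ClassPathXmlApplicationContext(new String[]{"classpath*:applicationContext.xml"});
        //config = (Configuration) context.getBean("configurationManager");
    }

    /**
     * Inbound: walks the children of the security header and, for every SM session BST
     * from which a principal can be derived, records a BST engine result, asserts the
     * token policy and installs a {@link SecurityContext} when none with a user principal
     * is present yet.
     *
     * @param soapMessage the inbound message; untouched when it carries no security header
     * @throws Fault when {@link #getPrincipal} throws a {@link WSSecurityException}
     */
    protected void processToken(SoapMessage soapMessage) {
        String methodName = "processToken()";
        logger.info("{}: entered.", methodName);

        Header securityHeader = findSecurityHeader(soapMessage, false);
        if (securityHeader == null) {
            return;
        }

        Element headerElement = (Element) securityHeader.getObject();
        for (Element child = DOMUtils.getFirstElement(headerElement);
             child != null;
             child = DOMUtils.getNextElement(child)) {
            if (!isSmSessionToken(child)) {
                continue;
            }
            try {
                SmSessionTokenPrincipal princ = getPrincipal(child, soapMessage);
                if (princ != null) {
                    recordPrincipal(soapMessage, princ);
                }
            }
            catch (WSSecurityException ex) {
                throw new Fault(ex);
            }
        }

        logger.info("{}: exiting...", methodName);
    }

    /**
     * Returns true when {@code el} is a wsse:BinarySecurityToken whose ValueType attribute
     * marks a SiteMinder session.
     */
    private static boolean isSmSessionToken(Element el) {
        return WSConstants.BINARY_TOKEN_LN.equals(el.getLocalName())
                && WSConstants.WSSE_NS.equals(el.getNamespaceURI())
                && Constants.VALUE_TYPE_SMSESSION.equals(
                        el.getAttribute(Constants.ATTR_NAME_VALUE_TYPE));
    }

    /**
     * Stores {@code princ} as a BST engine result at the head of the received handler
     * results, asserts the token policy, publishes the principal under
     * {@link WSS4JInInterceptor#PRINCIPAL_RESULT} and creates a security context when the
     * message has none with a user principal.
     */
    private void recordPrincipal(SoapMessage soapMessage, SmSessionTokenPrincipal princ) {
        List<WSSecurityEngineResult> engineResults = new ArrayList<WSSecurityEngineResult>();
        engineResults.add(0, new WSSecurityEngineResult(WSConstants.BST, princ, null, null, null));

        List<WSHandlerResult> handlerResults =
                CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            handlerResults = new ArrayList<WSHandlerResult>();
            soapMessage.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
        }
        // Prepended so this result is the first one later interceptors see.
        handlerResults.add(0, new WSHandlerResult(null, engineResults));

        assertTokens(soapMessage, princ, false);
        soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, princ);

        SecurityContext existing = soapMessage.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            Subject subject = createSubject(princ.getName());
            soapMessage.put(SecurityContext.class, createSecurityContext(princ, subject));
        }
    }

    /**
     * Outbound: asserts the SM session token policy, builds the BST and appends it to the
     * security header. If no builder is obtained, the SM session assertions are un-asserted
     * again so policy verification reports the missing token.
     *
     * @param soapMessage the outbound message
     */
    protected void addToken(SoapMessage soapMessage) {
        String methodName = "addToken()";
        logger.info("{}: entered.", methodName);

        SmSessionToken token = assertTokens(soapMessage);
        logger.debug("{}: token: [{}]", methodName, token);

        Header securityHeader = findSecurityHeader(soapMessage, true);
        logger.debug("{}: h: [{}]", methodName, securityHeader);

        WSSecSmSessionToken builder = addSmSessionToken(soapMessage, token);
        logger.debug("{}: builder: [{}]", methodName, builder);

        if (builder == null) {
            unassertSmSessionTokens(soapMessage);
            return;
        }

        Element headerElement = (Element) securityHeader.getObject();
        builder.prepare(headerElement.getOwnerDocument());
        headerElement.appendChild(builder.getSmSessionTokenElement());

        logger.info("{}: exiting...", methodName);
    }

    /**
     * Clears the asserted flag on every SM session token assertion of {@code soapMessage}.
     * A message without an {@link AssertionInfoMap} has nothing to un-assert.
     */
    private static void unassertSmSessionTokens(SoapMessage soapMessage) {
        AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class);
        logger.debug("addToken(): aim: [{}]", aim);
        if (aim == null) {
            return;
        }
        Collection<AssertionInfo> ais = aim.getAssertionInfo(Constants.QN_SMSESSION_TOKEN);
        logger.debug("addToken(): ais: [{}]", ais);
        for (AssertionInfo ai : ais) {
            if (ai.isAsserted()) {
                ai.setAsserted(false);
            }
        }
    }

    /**
     * Creates the BST builder for the outbound message.
     *
     * <p>NOTE(review): the builder is always loaded with {@link #HARDCODED_SM_SESSION};
     * the {@code token} parameter is not consulted.
     *
     * @param message the outbound message, used to look up a contextual {@link WSSConfig}
     * @param token   the asserted policy token (currently unused)
     * @return a builder carrying the session value; never null
     */
    protected WSSecSmSessionToken addSmSessionToken(SoapMessage message, SmSessionToken token) {
        String methodName = "addSmSessionToken()";
        logger.info("{}: entered.", methodName);

        WSSConfig wssConfig = (WSSConfig) message.getContextualProperty(WSSConfig.class.getName());
        if (wssConfig == null) {
            wssConfig = WSSConfig.getNewInstance();
        }

        WSSecSmSessionToken builder = new WSSecSmSessionToken(wssConfig);
        builder.setTokenValue(HARDCODED_SM_SESSION);

        logger.info("{}: exiting...", methodName);
        return builder;
    }

    /**
     * Asserts the SM session token policy and returns the matching assertion.
     *
     * <p>Failures are logged with their stack trace and turned into a {@code null} result
     * (best-effort, as in the original), so the outbound path degrades instead of faulting.
     *
     * @param soapMessage the outbound message
     * @return the asserted {@link SmSessionToken}, or null when asserting failed
     */
    protected SmSessionToken assertTokens(SoapMessage soapMessage) {
        String methodName = "assertTokens()";
        logger.info("{}: entered.", methodName);

        try {
            return (SmSessionToken) assertTokens(soapMessage, Constants.QN_SMSESSION_TOKEN, true);
        }
        catch (Exception e) {
            // Keep the cause: a message-only log loses the stack trace needed to diagnose this.
            logger.error(methodName + ": exception caught: " + e.getMessage(), e);
            return null;
        }
        finally {
            logger.debug("{}: exiting...", methodName);
        }
    }

    /**
     * Derives the principal for an SM session BST.
     *
     * <p>NOTE(review): validation is a stub. {@code isValidEcho} is hard-wired to
     * {@code true} and the principal is always the fixed user "eaa0001", so every BST with
     * the expected ValueType is accepted as that user; the session value read from the
     * element is never checked. Replace the stub with a real SiteMinder session validation
     * before relying on this interceptor. The session value is deliberately not logged.
     *
     * @param tokenElement the wsse:BinarySecurityToken element
     * @param message      the inbound message (unused by the stub)
     * @return the principal for the token
     * @throws WSSecurityException when validation fails or an unexpected error occurs
     */
    protected SmSessionTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message)
            throws WSSecurityException {
        String methodName = "getPrincipal()";
        logger.info("{}: entered.", methodName);

        String valueType = tokenElement.getAttribute(Constants.ATTR_NAME_VALUE_TYPE);
        // Only the classification is logged; the element text is the session credential.
        logger.debug("{}: valueType: [{}]", methodName, valueType);

        String smSession = null;
        if (valueType != null && valueType.equals(Constants.VALUE_TYPE_SMSESSION)) {
            smSession = tokenElement.getTextContent();
        }
        logger.debug("{}: smSession present: [{}]", methodName,
                smSession != null && smSession.length() > 0);

        try {
            // TODO(review): replace with an actual validation of smSession.
            boolean isValidEcho = true;
            if (!isValidEcho) {
                throw new WSSecurityException("SMSESSION validation failed...");
            }
            return new SmSessionTokenPrincipal("eaa0001");
        }
        catch (WSSecurityException e) {
            // Already the type callers expect; re-wrapping would hide its own error details.
            logger.error(methodName + ": exception caught: " + e.getMessage(), e);
            throw e;
        }
        catch (Exception e) {
            logger.error(methodName + ": exception caught: " + e.getMessage(), e);
            throw new WSSecurityException(e.getMessage(), e);
        }
        finally {
            logger.debug("{}: exiting...", methodName);
        }
    }

    /**
     * Marks the SM session token and SupportingTokens assertions of {@code message} as
     * asserted, plus the SignedSupportingTokens assertions when the token was signed or
     * the transport is TLS.
     *
     * @param message the inbound message
     * @param princ   the derived principal (not consulted here)
     * @param signed  whether the token was signed
     * @return the last SmSessionToken assertion seen, or null when there is none or the
     *         message carries no {@link AssertionInfoMap}
     */
    private SmSessionToken assertTokens(SoapMessage message, SmSessionTokenPrincipal princ, boolean signed) {
        String methodName = "assertTokens()";
        logger.info("{}: entered.", methodName);

        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim == null) {
            logger.debug("{}: no AssertionInfoMap on message", methodName);
            return null;
        }

        SmSessionToken token = null;
        for (AssertionInfo ai : aim.getAssertionInfo(Constants.QN_SMSESSION_TOKEN)) {
            token = (SmSessionToken) ai.getAssertion();
            ai.setAsserted(true);
        }

        for (AssertionInfo ai : aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS)) {
            ai.setAsserted(true); // this flag determines the assertion result
        }

        if (signed || isTLSInUse(message)) {
            for (AssertionInfo ai : aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS)) {
                ai.setAsserted(true);
            }
        }

        logger.info("{}: exiting...", methodName);
        return token;
    }

    /**
     * Hook for building a {@link Subject} for the authenticated user.
     *
     * <p>Currently returns {@code null}; the value is passed straight into
     * {@link #createSecurityContext} — confirm that the security context in use tolerates
     * a null subject, or override this method.
     */
    protected Subject createSubject(String name) throws SecurityException {
        return null;
    }

    /** Wraps the principal and subject in a {@link DefaultSecurityContext}. */
    protected SecurityContext createSecurityContext(final Principal p, Subject subject) {
        return new DefaultSecurityContext(p, subject);
    }
}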



