Ok, what you have done sounds about right. As the SiteMinder token thing is not standard, CXF will not parse that policy and hence policy validation fails.
Colm. On Wed, Apr 30, 2014 at 11:05 PM, jeffc <[email protected]> wrote: > Lastly the Policy Interceptor: > > It is this class I least understand all of what it is doing. > The WSSecSmSessionToken which extends WSSecBase actually build the BST > token and puts the Siteminder session token in it and then adds it to > security header. > > package com.hcsc.security.sts; > > import org.apache.cxf.binding.soap.SoapMessage; > import org.apache.cxf.headers.Header; > import org.apache.cxf.helpers.CastUtils; > import org.apache.cxf.helpers.DOMUtils; > import org.apache.cxf.helpers.XMLUtils; > import org.apache.cxf.interceptor.Fault; > import org.apache.cxf.interceptor.security.DefaultSecurityContext; > import org.apache.cxf.security.SecurityContext; > import org.apache.cxf.transport.http.AbstractHTTPDestination; > import org.apache.cxf.ws.policy.AssertionInfo; > import org.apache.cxf.ws.policy.AssertionInfoMap; > import org.apache.cxf.ws.security.policy.SP12Constants; > import org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor; > import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; > import org.apache.ws.security.WSConstants; > import org.apache.ws.security.WSSConfig; > import org.apache.ws.security.WSSecurityEngineResult; > import org.apache.ws.security.WSSecurityException; > import org.apache.ws.security.handler.WSHandlerConstants; > import org.apache.ws.security.handler.WSHandlerResult; > import org.springframework.context.support.ClassPathXmlApplicationContext; > import org.w3c.dom.Element; > import javax.security.auth.Subject; > import javax.servlet.http.Cookie; > import javax.servlet.http.HttpServletRequest; > import java.security.Principal; > import java.util.ArrayList; > import java.util.Collection; > import java.util.List; > import org.slf4j.Logger; > import org.slf4j.LoggerFactory; > > > public class SmSessionAssertionInterceptor extends AbstractTokenInterceptor > { > // class level logger > private static final Logger logger = > LoggerFactory.getLogger(SmSessionAssertionInterceptor.class); > // spring context > ClassPathXmlApplicationContext context; > // configuration holder > Configuration config; > > public SmSessionAssertionInterceptor() { > super(); > //context = new ClassPathXmlApplicationContext(new > String[]{"classpath*:applicationContext.xml"}); > > //config = (Configuration) context.getBean("configurationManager"); > } > > protected void processToken(SoapMessage soapMessage) { > // method's name > String methodName = "processToken()"; > > logger.info(methodName + ": entered."); > > Header h = findSecurityHeader(soapMessage, false); > if (h == null) > return; > > Element el = (Element) h.getObject(); > Element child = DOMUtils.getFirstElement(el); > while (child != null) { > if (WSConstants.BINARY_TOKEN_LN.equals(child.getLocalName()) > && WSConstants.WSSE_NS.equals(child.getNamespaceURI()) > && > > Constants.VALUE_TYPE_SMSESSION.equals(child.getAttribute(Constants.ATTR_NAME_VALUE_TYPE))) > { > try { > final SmSessionTokenPrincipal princ = > getPrincipal(child, soapMessage); > > if (princ != null) { > List<WSSecurityEngineResult> v = new > ArrayList<WSSecurityEngineResult>(); > > int action = WSConstants.BST; > > v.add(0, new WSSecurityEngineResult(action, princ, > null, null, null)); > List<WSHandlerResult> results = > CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS)); > > if (results == null) { > results = new ArrayList<WSHandlerResult>(); > > soapMessage.put(WSHandlerConstants.RECV_RESULTS, > results); > } > > WSHandlerResult rResult = new WSHandlerResult(null, > v); > results.add(0, rResult); > > assertTokens(soapMessage, princ, false); > > soapMessage.put(WSS4JInInterceptor.PRINCIPAL_RESULT, > princ); > > SecurityContext sc = > soapMessage.get(SecurityContext.class); > > if (sc == null || sc.getUserPrincipal() == null) { > Subject subject = > createSubject(princ.getName()); > soapMessage.put(SecurityContext.class, > createSecurityContext(princ, subject)); > } > } > } > catch (WSSecurityException ex) { > throw new Fault(ex); > } > } > child = DOMUtils.getNextElement(child); > } > > logger.info(methodName + ": exiting..."); > } > > protected void addToken(SoapMessage soapMessage) { > // method's name > String methodName = "addToken()"; > > logger.info(methodName + ": entered."); > > SmSessionToken token = assertTokens(soapMessage); > logger.debug(methodName + ": token: [" + token + "]"); > > Header h = findSecurityHeader(soapMessage, true); > logger.debug(methodName + ": h: [" + h + "]"); > > WSSecSmSessionToken builder = addSmSessionToken(soapMessage, > token); > logger.debug(methodName + ": builder: [" + builder + "]"); > > if (builder == null) { > AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class); > logger.debug(methodName + ": aim: [" + aim + "]"); > Collection<AssertionInfo> ais = > aim.getAssertionInfo(Constants.QN_SMSESSION_TOKEN); > logger.debug(methodName + ": ais: [" + ais + "]"); > > for (AssertionInfo ai : ais) > if (ai.isAsserted()) > ai.setAsserted(false); > > return; > } > > Element el = (Element) h.getObject(); > builder.prepare(el.getOwnerDocument()); > el.appendChild(builder.getSmSessionTokenElement()); > > logger.info(methodName + ": exiting..."); > } > > protected WSSecSmSessionToken addSmSessionToken(SoapMessage message, > SmSessionToken token) { > // method's name > String methodName = "addSmSessionToken()"; > > logger.info(methodName + ": entered."); > > String smSession = > > "qau2xn3J4MRjG4kKVokU7In/410XJu5hS8aGPihhsAfKCVzhi/NTmG8lKMsXLBSVEsoMRBLexwSWUjT/eEFXXuk5xFPEKDAFu/uwKfwo+Ila2CydzdCppYRLE8nYUKnw9rq0KiwPWohJBkUH0asMCBrRueICl5ue3VeZA/L9MAhtX6cNbH20aNtlmqIT8E5ERIp+GxKVi60Bx4jI5DS4/znLvGOC1MYJy8n9eeK4Ddlm2qFaUuyrHFL5fcFFm1x4o1hDP3OvoUQ8aeFnTJuyQ8w0RjTjlrWA3MdSPeBQmxh2pYC4CmmyW7DtmgyrNMbPNs2Pn+YHQ2qYXMyFdxGqIenmXepFkmyqTobJ451krYRVprbUdMOi9J1spPhzpo9iApY1zgPtVOMmjGzYZkv2Vyfuo016ACNkc+TrWiyoOCjljLjMpvDRrBGG3balG7xhWV0hfaBSmrMSzn/OfFn2NG+8sCGMvHqmpuPlzq5Y0AEM+z21r7hEDTqRl8GZS1ksLsrz1D3qAN5Bl4q1fd/lKNUr4KnwCtgVuOYfhnNA/NcjboLLOPzSUPqHgkdavILA2RtXkr/Uqc7L2FEe4zfaFQfcZKsE5jB8xN86gQ4g2DRsptFR7Xmqzyqmb9Cfebj8zPfEziMdU5q+5g1E9Lv7p+pQCoHHVY5Yulb9A0/T6oj65k4JvSXNz74BzIIjVXwGXLzbS5HuEalgJNkYnbm7RdIm6zLgafSXvjripuQ6fG4ED96nYuPirn8RqQyDohLECXvEnM8ODT8D3yc/emJedvlQ88kvxZ22uS9UbSKhNqueUYOr0tyHkx0uVoCb8YcgbQMXNhUBsLvPO8jLPN0wHgxh8lCljlAeyc1wrnvARcfCaZFtmIRCz28U89ndmEdhmcJTQy2GQvwFKOHWNDKteRdPp4xn9lc5"; > > WSSConfig wssConfig = (WSSConfig) > message.getContextualProperty(WSSConfig.class.getName()); > if (wssConfig == null) { > wssConfig = WSSConfig.getNewInstance(); > } > > WSSecSmSessionToken builder = new WSSecSmSessionToken(wssConfig); > > builder.setTokenValue(smSession); > > logger.info(methodName + ": exiting..."); > > return builder; > } > > > protected SmSessionToken assertTokens(SoapMessage soapMessage) { > // method's name > String methodName = "assertTokens()"; > // return object > SmSessionToken smSessionToken = null; > > logger.info(methodName + ": entered."); > > try { > smSessionToken = (SmSessionToken) assertTokens(soapMessage, > Constants.QN_SMSESSION_TOKEN, true); > } > catch (Exception e) { > logger.error(methodName + ": exception caught: " + > e.getMessage()); > } > finally { > logger.debug(methodName + ": exiting..."); > } > > return smSessionToken; > } > > protected SmSessionTokenPrincipal getPrincipal(Element tokenElement, > final SoapMessage message) throws WSSecurityException { > // method's name > String methodName = "getPrincipal()"; > // return object > SmSessionTokenPrincipal principal; > > logger.info(methodName + ": entered."); > > String smSession = null; > > logger.debug(methodName + ": tokenElement: [" + > XMLUtils.toString(tokenElement) + "]"); > > String valueType = > tokenElement.getAttribute(Constants.ATTR_NAME_VALUE_TYPE); > logger.debug(methodName + ": valueType: [" + valueType + "]"); > > if (valueType != null && > valueType.equals(Constants.VALUE_TYPE_SMSESSION)) > smSession = tokenElement.getTextContent(); > > logger.debug(methodName + ": smSession: [" + smSession + "]"); > > try { > boolean isValidEcho = true; > > if (!isValidEcho) > throw new WSSecurityException("SMSESSION validation > failed..."); > > principal = new SmSessionTokenPrincipal("eaa0001"); > } > catch (Exception e) { > logger.error(methodName + ": exception caught: " + > e.getMessage()); > throw new WSSecurityException(e.getMessage(), e); > } > finally { > logger.debug(methodName + ": exiting..."); > } > > return principal; > } > > private SmSessionToken assertTokens(SoapMessage message, > SmSessionTokenPrincipal princ, boolean signed) { > // method's name > String methodName = "assertTokens()"; > > logger.info(methodName + ": entered."); > > AssertionInfoMap aim = message.get(AssertionInfoMap.class); > Collection<AssertionInfo> ais = > aim.getAssertionInfo(Constants.QN_SMSESSION_TOKEN); > > SmSessionToken token = null; > for (AssertionInfo ai : ais) { > token = (SmSessionToken) ai.getAssertion(); > ai.setAsserted(true); > } > > ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS); > for (AssertionInfo ai : ais) { > ai.setAsserted(true); // this flag determines the assertion > result > } > > if (signed || isTLSInUse(message)) { > ais = > aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS); > for (AssertionInfo ai : ais) { > ai.setAsserted(true); > } > } > > logger.info(methodName + ": exiting..."); > > return token; > } > > protected Subject createSubject(String name) throws SecurityException { > return null; > } > > protected SecurityContext createSecurityContext(final Principal p, > Subject subject) { > return new DefaultSecurityContext(p, subject); > } > } > > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/PolicyException-when-using-BST-with-custom-ValueType-tp5743444p5743552.html > Sent from the cxf-user mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
