

WS-Security for SOAP

You can read more about CXF security configuration at Apache CXF Documentation > Index > WS-* Support > WS-Security
I implemented WS-security by extending WSS4JInInterceptor and injecting AuthenticationManager to it.

CompanyWSS4JInInterceptor

This is the first part.

package com.company.auth.service;

import java.util.Map;
import java.util.Vector;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.util.Assert;

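/**
 * CXF inbound interceptor that runs the standard WSS4J processing and then
 * authenticates every WS-Security UsernameToken it finds against a Spring Security
 * {@link AuthenticationProvider}, publishing the result in the
 * {@link SecurityContextHolder}.
 * <p>
 * Fails closed: a token the provider rejects, cannot handle (null result) or leaves
 * unauthenticated never reaches the security context; the context is cleared and a
 * SOAP {@link Fault} is raised instead. Whether a UsernameToken must be present at
 * all is decided by the WSS4J action configured in the interceptor properties, not
 * here (NOTE(review): confirm the configured action requires the token).
 * <p>
 * The provider is set once at configuration time; the interceptor is otherwise
 * stateless per message.
 */
public class CompanyWSS4JInInterceptor extends WSS4JInInterceptor implements InitializingBean
{
	AuthenticationProvider authenticationProvider;

	public CompanyWSS4JInInterceptor()
	{
		super();
	}

	public CompanyWSS4JInInterceptor(final Map<String, Object> properties)
	{
		super(properties);
	}

	/**
	 * Sets the provider that validates the credentials carried by the UsernameToken.
	 *
	 * @param authenticationProvider the provider consulted for every UsernameToken
	 */
	public void setAuthenticationProvider(final AuthenticationProvider authenticationProvider)
	{
		this.authenticationProvider = authenticationProvider;
	}

	/**
	 * Runs WSS4J on the message, then authenticates each UsernameToken it recorded.
	 *
	 * @param message the inbound SOAP message
	 * @throws Fault if WSS4J rejects the message, if a UsernameToken fails
	 *               authentication, or on any other runtime failure (the original
	 *               exception is kept as the cause)
	 */
	@Override
	public void handleMessage(final SoapMessage message) throws Fault
	{
		try
		{
			super.handleMessage(message);
			// WSS4J stores its results as a raw Vector on the message context.
			@SuppressWarnings("unchecked")
			final Vector<WSHandlerResult> handlerResults = (Vector<WSHandlerResult>) message
					.getContextualProperty(WSHandlerConstants.RECV_RESULTS);
			if (handlerResults == null)
			{
				return;
			}
			for (final WSHandlerResult handlerResult : handlerResults)
			{
				authenticateUsernameTokens(handlerResult);
			}
		}
		catch (final Fault fault)
		{
			// Already a SOAP fault (ours or WSS4J's): propagate unchanged, do not re-wrap.
			throw fault;
		}
		catch (final RuntimeException ex)
		{
			// Covers Spring's AuthenticationException and anything unexpected; wrap so
			// CXF reports a proper SOAP fault while the cause stays attached.
			throw new Fault(ex);
		}
	}

	/**
	 * Authenticates every UsernameToken contained in one WSS4J handler result and
	 * places the verified {@link Authentication} in the security context.
	 *
	 * @param handlerResult one entry of the WSS4J receive results
	 * @throws Fault if a UsernameToken has no principal or the provider does not
	 *               return an authenticated token for it
	 */
	@SuppressWarnings("unchecked") // WSHandlerResult.getResults() is a raw Vector in this WSS4J version
	private void authenticateUsernameTokens(final WSHandlerResult handlerResult)
	{
		for (final WSSecurityEngineResult engineResult : (Vector<WSSecurityEngineResult>) handlerResult
				.getResults())
		{
			final int action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
			if ((action & WSConstants.UT) == 0)
			{
				continue; // not a UsernameToken result (e.g. Timestamp, Signature)
			}
			final WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) engineResult
					.get(WSSecurityEngineResult.TAG_PRINCIPAL);
			if (principal == null)
			{
				throw authenticationFault("UsernameToken result carries no principal");
			}
			// A token without a password element yields null; pass "" so the
			// UsernamePasswordAuthenticationToken can be built and the provider decides.
			final String password = (principal.getPassword() == null) ? "" : principal.getPassword();
			final Authentication request = new UsernamePasswordAuthenticationToken(principal.getName(),
					password);
			final Authentication verified = authenticationProvider.authenticate(request);
			// The AuthenticationProvider contract allows null when the token type is not
			// supported; that and an unauthenticated result are both failures here.
			if ((verified == null) || !verified.isAuthenticated())
			{
				throw authenticationFault("Authentication failed");
			}
			SecurityContextHolder.getContext().setAuthentication(verified);
		}
	}

	/**
	 * Clears any partially established security context and builds the fault to throw.
	 * The message is deliberately generic so the client learns nothing about which
	 * part of the credentials was wrong.
	 *
	 * @param reason short description kept as the fault cause
	 * @return the fault for the caller to throw
	 */
	private static Fault authenticationFault(final String reason)
	{
		SecurityContextHolder.clearContext();
		return new Fault(new SecurityException(reason));
	}

	/**
	 * Verifies the bean is fully configured before it is used.
	 *
	 * @throws Exception if the provider or the WSS4J properties are missing
	 */
	@Override
	public void afterPropertiesSet() throws Exception
	{
		Assert.notNull(authenticationProvider, "Authentication provider must be set");
		Assert.notNull(getProperties(), "Interceptor properties must be set, even if empty");
	}

}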

ServerPasswordCallback

package com.company.auth.service;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

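/**
 * Password callback handler used by WSS4J for incoming UsernameTokens.
 * <p>
 * This handler performs no credential check of its own: for each
 * {@link WSPasswordCallback} it simply writes back whatever password the callback
 * already holds. Accepting or rejecting the user is therefore left entirely to the
 * {@code AuthenticationProvider} wired into {@code CompanyWSS4JInInterceptor}.
 * NOTE(review): confirm this is intended for every password type the endpoint
 * accepts — a digest-style token would need the real password looked up here,
 * which this handler never does.
 */
public class ServerPasswordCallback implements CallbackHandler
{

	/**
	 * Handles every callback WSS4J passes in.
	 *
	 * @param callbacks the callbacks to fill in; each must be a {@link WSPasswordCallback}
	 * @throws IOException never thrown by this implementation
	 * @throws UnsupportedCallbackException if a callback is not a {@link WSPasswordCallback}
	 */
	public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException
	{
		for (final Callback callback : callbacks)
		{
			if (!(callback instanceof WSPasswordCallback))
			{
				// Refuse rather than cast blindly or skip silently: an unexpected callback
				// type means this handler is wired where it was not designed to be.
				throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
			}
			final WSPasswordCallback pc = (WSPasswordCallback) callback;
			pc.setPassword(pc.getPassword());
		}
	}
}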
