Package org.apache.cxf.ws.security.wss4j

Class AbstractUsernameTokenAuthenticatingInterceptor

  • All Implemented Interfaces:
    SoapInterceptor, Interceptor<SoapMessage>, PhaseInterceptor<SoapMessage>
    public abstract class AbstractUsernameTokenAuthenticatingInterceptor
extends WSS4JInInterceptor
    Base class providing an extensibility point for populating javax.security.auth.Subject from a current UsernameToken. WSS4J requires a password for validating digests which may not be available when external security systems provide for the authentication. This class implements WSS4J Processor interface so that it can delegate a UsernameToken validation to an external system. In order to handle digests, this class currently creates a new WSS4J Security Engine for every request. If clear text passwords are expected then a supportDigestPasswords boolean property with a false value can be used to disable creating security engines. Note that if a UsernameToken containing a clear text password has been encrypted then an application is expected to provide a password callback handler for decrypting the token only.

    • Constructor Detail

      • AbstractUsernameTokenAuthenticatingInterceptor

        public AbstractUsernameTokenAuthenticatingInterceptor()

      • AbstractUsernameTokenAuthenticatingInterceptor

        public AbstractUsernameTokenAuthenticatingInterceptor​(Map<String,​Object> properties)

    • Method Detail

      • setSupportDigestPasswords

        public void setSupportDigestPasswords​(boolean support)

      • getSupportDigestPasswords

        public boolean getSupportDigestPasswords()

      • doCreateSecurityContext

        protected SecurityContext doCreateSecurityContext​(Principal p,
                                                  Subject subject)
        Creates default SecurityContext which implements isUserInRole using the following approach : skip the first Subject principal, and then check optional Groups the principal is a member of. Subclasses can override this method and implement a custom strategy instead
        Parameters:
        p - principal
        subject - subject
        Returns:
        security context

      • setSubject

        protected void setSubject​(String name,
                          String password,
                          boolean isDigest,
                          String nonce,
                          String created)
                   throws org.apache.wss4j.common.ext.WSSecurityException
        Throws:
        org.apache.wss4j.common.ext.WSSecurityException

      • createSubject

        protected abstract Subject createSubject​(String name,
                                         String password,
                                         boolean isDigest,
                                         String nonce,
                                         String created)
                                  throws SecurityException
        Create a Subject representing a current user and its roles. This Subject is expected to contain at least one Principal representing a user and optionally followed by one or more principal Groups this user is a member of. It will also be available in doCreateSecurityContext.
        Parameters:
        name - username
        password - password
        isDigest - true if a password digest is used
        nonce - optional nonce
        created - optional timestamp
        Returns:
        subject
        Throws:
        SecurityException

      • getSecurityEngine

        protected org.apache.wss4j.dom.engine.WSSecurityEngine getSecurityEngine​(boolean utNoCallbacks)
        Overrides:
        getSecurityEngine in class WSS4JInInterceptor
        Returns:
        the WSSecurityEngine in use by this interceptor.