Fixed SWS-285 in 1.0 branch

Author: poutsma

security/src/main/java/org/springframework/ws/soap/security/AbstractWsSecurityInterceptor.java

@@ -88,29 +88,35 @@ public final boolean handleRequest(MessageContext messageContext, Object endpoin
     }
 
     public final boolean handleResponse(MessageContext messageContext, Object endpoint) throws Exception {
-        if (secureResponse) {
-            Assert.isTrue(messageContext.getResponse() instanceof SoapMessage,
-                    "WsSecurityInterceptor requires a SoapMessage response");
-            try {
-                secureMessage((SoapMessage) messageContext.getResponse());
-                return true;
-            }
-            catch (WsSecuritySecurementException ex) {
-                return handleSecurementException(ex, messageContext);
+        try {
+            if (secureResponse) {
+                Assert.isTrue(messageContext.hasResponse(), "MessageContext contains no response");
+                Assert.isInstanceOf(SoapMessage.class, messageContext.getResponse());
+                try {
+                    secureMessage((SoapMessage) messageContext.getResponse());
+                    return true;
+                }
+                catch (WsSecuritySecurementException ex) {
+                    return handleSecurementException(ex, messageContext);
+                }
+                catch (WsSecurityFaultException ex) {
+                    return handleFaultException(ex, messageContext);
+                }
             }
-            catch (WsSecurityFaultException ex) {
-                return handleFaultException(ex, messageContext);
+            else {
+                return true;
             }
         }
-        else {
-            return true;
+        finally {
+            cleanUp();
         }
     }
 
     /**
      * Returns <code>true</code>, i.e. faults are not secured.
      */
     public boolean handleFault(MessageContext messageContext, Object endpoint) throws Exception {
+        cleanUp();
         return true;
     }
 
@@ -191,4 +197,6 @@ protected boolean handleFaultException(WsSecurityFaultException ex, MessageConte
      * @throws WsSecuritySecurementException in case of securement errors
      */
     protected abstract void secureMessage(SoapMessage soapMessage) throws WsSecuritySecurementException;
+
+    protected abstract void cleanUp();
 }

security/src/main/java/org/springframework/ws/soap/security/xwss/XwsSecurityInterceptor.java

@@ -16,8 +16,11 @@
 
 package org.springframework.ws.soap.security.xwss;
 
+import java.io.IOException;
 import java.io.InputStream;
+import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.xml.soap.SOAPMessage;
 
 import com.sun.xml.wss.ProcessingContext;
@@ -33,6 +36,7 @@
 import org.springframework.ws.soap.security.AbstractWsSecurityInterceptor;
 import org.springframework.ws.soap.security.WsSecurityValidationException;
 import org.springframework.ws.soap.security.xwss.callback.CallbackHandlerChain;
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
 
 /**
  * WS-Security endpoint interceptor  that is based on Sun's XML and Web Services Security package (XWSS). This
@@ -162,4 +166,18 @@ protected void validateMessage(SoapMessage soapMessage) throws WsSecurityValidat
         }
     }
 
+    protected void cleanUp() {
+        if (callbackHandler != null) {
+            try {
+                CleanupCallback cleanupCallback = new CleanupCallback();
+                callbackHandler.handle(new Callback[]{cleanupCallback});
+            }
+            catch (IOException ex) {
+                logger.warn("Cleanup callback resulted in IOException", ex);
+            }
+            catch (UnsupportedCallbackException ex) {
+                // ignore
+            }
+        }
+    }
 }

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/CleanupCallback.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2008 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ws.soap.security.xwss.callback;
+
+import java.io.Serializable;
+import javax.security.auth.callback.Callback;
+
+/**
+ * Underlying security services instantiate and pass a <code>CleanupCallback</code> to the <code>handle</code> method of
+ * a <code>CallbackHandler</code> to clean up security state.
+ *
+ * @author Arjen Poutsma
+ * @since 1.0.4
+ */
+public class CleanupCallback implements Callback, Serializable {
+
+    private static final long serialVersionUID = 4744181820980888237L;
+
+}

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiCertificateValidationCallbackHandler.java

@@ -29,6 +29,7 @@
 import org.acegisecurity.providers.x509.X509AuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.ws.soap.security.xwss.callback.AbstractCallbackHandler;
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
 
 /**
  * Callback handler that validates a certificate using an Acegi <code>AuthenticationManager</code>. Logic based on
@@ -78,6 +79,9 @@ protected void handleInternal(Callback callback) throws IOException, Unsupported
         if (callback instanceof CertificateValidationCallback) {
             ((CertificateValidationCallback) callback).setValidator(new AcegiCertificateValidator());
         }
+        else if (callback instanceof CleanupCallback) {
+            SecurityContextHolder.clearContext();
+        }
         else {
             throw new UnsupportedCallbackException(callback);
         }
@@ -103,7 +107,7 @@ public boolean validate(X509Certificate certificate)
                     logger.debug("Authentication request for certificate with DN [" +
                             certificate.getSubjectX500Principal().getName() + "] failed: " + failed.toString());
                 }
-                SecurityContextHolder.getContext().setAuthentication(null);
+                SecurityContextHolder.clearContext();
                 result = ignoreFailure;
             }
             return result;

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiDigestPasswordValidationCallbackHandler.java

@@ -32,6 +32,7 @@
 import org.springframework.dao.DataAccessException;
 import org.springframework.util.Assert;
 import org.springframework.ws.soap.security.xwss.callback.AbstractCallbackHandler;
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
 import org.springframework.ws.soap.security.xwss.callback.DefaultTimestampValidator;
 
 /**
@@ -98,6 +99,10 @@ else if (callback instanceof TimestampValidationCallback) {
             timestampCallback.setValidator(new DefaultTimestampValidator());
 
         }
+        else if (callback instanceof CleanupCallback) {
+            SecurityContextHolder.clearContext();
+            return;
+        }
         throw new UnsupportedCallbackException(callback);
     }
 

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiPlainTextPasswordValidationCallbackHandler.java

@@ -28,6 +28,7 @@
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.ws.soap.security.xwss.callback.AbstractCallbackHandler;
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
 
 /**
  * Callback handler that validates a certificate uses an Acegi <code>AuthenticationManager</code>. Logic based on
@@ -80,6 +81,10 @@ protected void handleInternal(Callback callback) throws IOException, Unsupported
                 return;
             }
         }
+        else if (callback instanceof CleanupCallback) {
+            SecurityContextHolder.clearContext();
+            return;
+        }
         throw new UnsupportedCallbackException(callback);
     }
 
@@ -103,7 +108,7 @@ public boolean validate(PasswordValidationCallback.Request request)
                     logger.debug("Authentication request for user '" + plainTextRequest.getUsername() + "' failed: " +
                             failed.toString());
                 }
-                SecurityContextHolder.getContext().setAuthentication(null);
+                SecurityContextHolder.clearContext();
                 return ignoreFailure;
             }
         }

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/jaas/JaasCertificateValidationCallbackHandler.java

@@ -58,9 +58,9 @@ private class JaasCertificateValidator implements CertificateValidationCallback.
 
         public boolean validate(X509Certificate certificate)
                 throws CertificateValidationCallback.CertificateValidationException {
-            LoginContext loginContext = null;
             Subject subject = new Subject();
             subject.getPrincipals().add(certificate.getSubjectX500Principal());
+            LoginContext loginContext;
             try {
                 loginContext = new LoginContext(getLoginContextName(), subject);
             }

security/src/test/java/org/springframework/ws/soap/security/xwss/XwsSecurityInterceptorTest.java

@@ -74,8 +74,9 @@ protected void validateMessage(SoapMessage soapMessage) throws WsSecurityValidat
         SOAPMessage request = messageFactory.createMessage();
         MessageContext context =
                 new DefaultMessageContext(new SaajSoapMessage(request), new SaajSoapMessageFactory(messageFactory));
+        context.getResponse();
         interceptor.handleResponse(context, null);
         assertEquals("Invalid response", securedResponse, ((SaajSoapMessage) context.getResponse()).getSaajMessage());
     }
 
-}
+}

security/src/test/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiCertificateValidationCallbackHandlerTest.java

@@ -25,11 +25,13 @@
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.context.SecurityContextHolder;
 import org.acegisecurity.providers.TestingAuthenticationToken;
 import org.acegisecurity.providers.x509.X509AuthenticationToken;
 import org.easymock.MockControl;
 
 import org.springframework.core.io.ClassPathResource;
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
 
 public class AcegiCertificateValidationCallbackHandlerTest extends TestCase {
 
@@ -63,6 +65,10 @@ protected void setUp() throws Exception {
         callback = new CertificateValidationCallback(certificate);
     }
 
+    protected void tearDown() throws Exception {
+        SecurityContextHolder.clearContext();
+    }
+
     public void testValidateCertificateValid() throws Exception {
         mock.authenticate(new X509AuthenticationToken(certificate));
         control.setMatcher(MockControl.ALWAYS_MATCHER);
@@ -71,6 +77,7 @@ public void testValidateCertificateValid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertTrue("Not authenticated", authenticated);
+        assertNotNull("No Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
@@ -82,7 +89,18 @@ public void testValidateCertificateInvalid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertFalse("Authenticated", authenticated);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
-}
+    public void testCleanUp() throws Exception {
+        TestingAuthenticationToken authentication =
+                new TestingAuthenticationToken(new Object(), new Object(), new GrantedAuthority[0]);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+
+        CleanupCallback cleanupCallback = new CleanupCallback();
+        callbackHandler.handleInternal(cleanupCallback);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
+    }
+
+}

security/src/test/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiDigestPasswordValidationCallbackHandlerTest.java

@@ -19,11 +19,15 @@
 import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
 import junit.framework.TestCase;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.providers.TestingAuthenticationToken;
 import org.acegisecurity.userdetails.User;
 import org.acegisecurity.userdetails.UserDetailsService;
 import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.easymock.MockControl;
 
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
+
 public class AcegiDigestPasswordValidationCallbackHandlerTest extends TestCase {
 
     private AcegiDigestPasswordValidationCallbackHandler callbackHandler;
@@ -53,12 +57,17 @@ protected void setUp() throws Exception {
         callback = new PasswordValidationCallback(request);
     }
 
+    protected void tearDown() throws Exception {
+        SecurityContextHolder.clearContext();
+    }
+
     public void testAuthenticateUserDigestUserNotFound() throws Exception {
         control.expectAndThrow(mock.loadUserByUsername(username), new UsernameNotFoundException(username));
         control.replay();
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertFalse("Authenticated", authenticated);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
@@ -69,6 +78,7 @@ public void testAuthenticateUserDigestValid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertTrue("Not authenticated", authenticated);
+        assertNotNull("No Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
@@ -79,6 +89,18 @@ public void testAuthenticateUserDigestValidInvalid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertFalse("Authenticated", authenticated);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
-}
+
+    public void testCleanUp() throws Exception {
+        TestingAuthenticationToken authentication =
+                new TestingAuthenticationToken(new Object(), new Object(), new GrantedAuthority[0]);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+
+        CleanupCallback cleanupCallback = new CleanupCallback();
+        callbackHandler.handleInternal(cleanupCallback);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
+    }
+
+}

security/src/test/java/org/springframework/ws/soap/security/xwss/callback/acegi/AcegiPlainTextPasswordValidationCallbackHandlerTest.java

@@ -22,10 +22,13 @@
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.context.SecurityContextHolder;
 import org.acegisecurity.providers.TestingAuthenticationToken;
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.easymock.MockControl;
 
+import org.springframework.ws.soap.security.xwss.callback.CleanupCallback;
+
 public class AcegiPlainTextPasswordValidationCallbackHandlerTest extends TestCase {
 
     private AcegiPlainTextPasswordValidationCallbackHandler callbackHandler;
@@ -52,6 +55,10 @@ protected void setUp() throws Exception {
         callback = new PasswordValidationCallback(request);
     }
 
+    protected void tearDown() throws Exception {
+        SecurityContextHolder.clearContext();
+    }
+
     public void testAuthenticateUserPlainTextValid() throws Exception {
         Authentication authResult = new TestingAuthenticationToken(username, password, new GrantedAuthority[0]);
         control.expectAndReturn(mock.authenticate(new UsernamePasswordAuthenticationToken(username, password)),
@@ -60,6 +67,7 @@ public void testAuthenticateUserPlainTextValid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertTrue("Not authenticated", authenticated);
+        assertNotNull("No Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
@@ -70,7 +78,18 @@ public void testAuthenticateUserPlainTextInvalid() throws Exception {
         callbackHandler.handleInternal(callback);
         boolean authenticated = callback.getResult();
         assertFalse("Authenticated", authenticated);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
         control.verify();
     }
 
-}
+    public void testCleanUp() throws Exception {
+        TestingAuthenticationToken authentication =
+                new TestingAuthenticationToken(new Object(), new Object(), new GrantedAuthority[0]);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+
+        CleanupCallback cleanupCallback = new CleanupCallback();
+        callbackHandler.handleInternal(cleanupCallback);
+        assertNull("Authentication created", SecurityContextHolder.getContext().getAuthentication());
+    }
+
+}