Working on SWS-207

Author: poutsma

parent/pom.xml

@@ -569,9 +569,9 @@
                 <version>1.3.0</version>
             </dependency>
             <dependency>
-                <groupId>wss4j</groupId>
+                <groupId>org.apache.ws.security</groupId>
                 <artifactId>wss4j</artifactId>
-                <version>1.5.1</version>
+                <version>1.5.4</version>
             </dependency>
             <dependency>
                 <groupId>org.acegisecurity</groupId>

pom.xml

@@ -15,7 +15,7 @@
     <url>http://static.springframework.org/spring-ws/site/index.html</url>
     <issueManagement>
         <system>JIRA</system>
-        <url>http://opensource2.atlassian.com/projects/spring/browse/SWS/</url>
+        <url>http://jira.springframework.org/browse/SWS</url>
     </issueManagement>
     <ciManagement>
         <system>bamboo</system>
@@ -49,6 +49,9 @@
         <contributor>
             <name>Rick Evans</name>
         </contributor>
+        <contributor>
+            <name>Tareq Abed Rabbo</name>
+        </contributor>
     </contributors>
     <organization>
         <name>The Spring Web Services Framework</name>

security/pom.xml

@@ -22,6 +22,11 @@
             <name>Spring External Dependencies Repository</name>
             <url>https://springframework.svn.sourceforge.net/svnroot/springframework/repos/repo-ext/</url>
         </repository>
+        <repository>
+            <id>wso2</id>
+            <name>WSO2 Repository</name>
+            <url>http://dist.wso2.org/maven2/</url>
+        </repository>
     </repositories>
     <profiles>
         <profile>
@@ -103,7 +108,17 @@
             <artifactId>saaj-impl</artifactId>
             <scope>provided</scope>
         </dependency>
-        <!-- WS-Security dependencies -->
+        <dependency>
+            <groupId>org.apache.ws.commons.axiom</groupId>
+            <artifactId>axiom-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ws.commons.axiom</groupId>
+            <artifactId>axiom-impl</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <!-- XWSS dependencies -->
         <dependency>
             <groupId>com.sun.xml.wss</groupId>
             <artifactId>xws-security</artifactId>
@@ -112,6 +127,12 @@
             <groupId>xml-security</groupId>
             <artifactId>xmlsec</artifactId>
         </dependency>
+        <!-- WSS4J dependencies -->
+        <dependency>
+            <groupId>org.apache.ws.security</groupId>
+            <artifactId>wss4j</artifactId>
+        </dependency>
+        <!-- Acegi depdencies -->
         <dependency>
             <groupId>org.acegisecurity</groupId>
             <artifactId>acegi-security</artifactId>

security/src/main/java/org/springframework/ws/soap/security/AbstractWsSecurityInterceptor.java

@@ -52,7 +52,7 @@ public abstract class AbstractWsSecurityInterceptor implements SoapEndpointInter
     /** Logger available to subclasses. */
     protected final Log logger = LogFactory.getLog(getClass());
 
-    private static final QName WS_SECURITY_NAME =
+    protected static final QName WS_SECURITY_NAME =
             new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security");
 
     private boolean secureResponse = true;
@@ -88,20 +88,20 @@ public void setValidateResponse(boolean validateResponse) {
      */
 
     /**
-     * Validates a server-side incoming request. Delegates to {@link #validateMessage(SoapMessage)} if the {@link
-     * #setValidateRequest(boolean) validateRequest} property is <code>true</code>.
+     * Validates a server-side incoming request. Delegates to {@link #validateMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)}
+     * if the {@link #setValidateRequest(boolean) validateRequest} property is <code>true</code>.
      *
      * @param messageContext the message context, containing the request to be validated
      * @param endpoint       chosen endpoint to invoke
      * @return <code>true</code> if the request was valid; <code>false</code> otherwise.
      * @throws Exception in case of errors
-     * @see #validateMessage(SoapMessage)
+     * @see #validateMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)
      */
     public final boolean handleRequest(MessageContext messageContext, Object endpoint) throws Exception {
         if (validateRequest) {
             Assert.isInstanceOf(SoapMessage.class, messageContext.getRequest());
             try {
-                validateMessage((SoapMessage) messageContext.getRequest());
+                validateMessage((SoapMessage) messageContext.getRequest(), messageContext);
                 return true;
             }
             catch (WsSecurityValidationException ex) {
@@ -117,21 +117,21 @@ public final boolean handleRequest(MessageContext messageContext, Object endpoin
     }
 
     /**
-     * Secures a server-side outgoing response. Delegates to {@link #secureMessage(SoapMessage)} if the {@link
-     * #setSecureResponse(boolean) secureResponse} property is <code>true</code>.
+     * Secures a server-side outgoing response. Delegates to {@link #secureMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)}
+     * if the {@link #setSecureResponse(boolean) secureResponse} property is <code>true</code>.
      *
      * @param messageContext the message context, containing the response to be secured
      * @param endpoint       chosen endpoint to invoke
      * @return <code>true</code> if the response was secured; <code>false</code> otherwise.
      * @throws Exception in case of errors
-     * @see #secureMessage(SoapMessage)
+     * @see #secureMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)
      */
     public final boolean handleResponse(MessageContext messageContext, Object endpoint) throws Exception {
         if (secureResponse) {
             Assert.isTrue(messageContext.hasResponse(), "MessageContext contains no response");
             Assert.isInstanceOf(SoapMessage.class, messageContext.getResponse());
             try {
-                secureMessage((SoapMessage) messageContext.getResponse());
+                secureMessage((SoapMessage) messageContext.getResponse(), messageContext);
                 return true;
             }
             catch (WsSecuritySecurementException ex) {
@@ -160,19 +160,19 @@ public boolean understands(SoapHeaderElement headerElement) {
      */
 
     /**
-     * Secures a client-side outgoing request. Delegates to {@link #secureMessage(SoapMessage)} if the {@link
-     * #setSecureRequest(boolean) secureRequest} property is <code>true</code>.
+     * Secures a client-side outgoing request. Delegates to {@link #secureMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)}
+     * if the {@link #setSecureRequest(boolean) secureRequest} property is <code>true</code>.
      *
      * @param messageContext the message context, containing the request to be secured
      * @return <code>true</code> if the response was secured; <code>false</code> otherwise.
      * @throws Exception in case of errors
-     * @see #secureMessage(SoapMessage)
+     * @see #secureMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)
      */
     public final boolean handleRequest(MessageContext messageContext) throws WebServiceClientException {
         if (secureRequest) {
             Assert.isInstanceOf(SoapMessage.class, messageContext.getRequest());
             try {
-                secureMessage((SoapMessage) messageContext.getRequest());
+                secureMessage((SoapMessage) messageContext.getRequest(), messageContext);
                 return true;
             }
             catch (WsSecuritySecurementException ex) {
@@ -188,20 +188,20 @@ public final boolean handleRequest(MessageContext messageContext) throws WebServ
     }
 
     /**
-     * Validates a client-side incoming response. Delegates to {@link #validateMessage(SoapMessage)} if the {@link
-     * #setValidateResponse(boolean) validateResponse} property is <code>true</code>.
+     * Validates a client-side incoming response. Delegates to {@link #validateMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)}
+     * if the {@link #setValidateResponse(boolean) validateResponse} property is <code>true</code>.
      *
      * @param messageContext the message context, containing the response to be validated
      * @return <code>true</code> if the request was valid; <code>false</code> otherwise.
      * @throws Exception in case of errors
-     * @see #validateMessage(SoapMessage)
+     * @see #validateMessage(org.springframework.ws.soap.SoapMessage,org.springframework.ws.context.MessageContext)
      */
     public final boolean handleResponse(MessageContext messageContext) throws WebServiceClientException {
         if (validateResponse) {
             Assert.isTrue(messageContext.hasResponse(), "MessageContext contains no response");
             Assert.isInstanceOf(SoapMessage.class, messageContext.getResponse());
             try {
-                validateMessage((SoapMessage) messageContext.getResponse());
+                validateMessage((SoapMessage) messageContext.getResponse(), messageContext);
                 return true;
             }
             catch (WsSecurityValidationException ex) {
@@ -284,7 +284,8 @@ protected boolean handleFaultException(WsSecurityFaultException ex, MessageConte
      * @param soapMessage the soap message to validate
      * @throws WsSecurityValidationException in case of validation errors
      */
-    protected abstract void validateMessage(SoapMessage soapMessage) throws WsSecurityValidationException;
+    protected abstract void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
+            throws WsSecurityValidationException;
 
     /**
      * Abstract template method. Subclasses are required to secure the response contained in the given {@link
@@ -293,5 +294,6 @@ protected boolean handleFaultException(WsSecurityFaultException ex, MessageConte
      * @param soapMessage the soap message to secure
      * @throws WsSecuritySecurementException in case of securement errors
      */
-    protected abstract void secureMessage(SoapMessage soapMessage) throws WsSecuritySecurementException;
+    protected abstract void secureMessage(SoapMessage soapMessage, MessageContext messageContext)
+            throws WsSecuritySecurementException;
 }

security/src/main/java/org/springframework/ws/soap/security/xwss/callback/AbstractCallbackHandler.java renamed to security/src/main/java/org/springframework/ws/soap/security/callback/AbstractCallbackHandler.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.ws.soap.security.xwss.callback;
+package org.springframework.ws.soap.security.callback;
 
 import java.io.IOException;
 import javax.security.auth.callback.Callback;

security/src/main/java/org/springframework/ws/soap/security/callback/CallbackHandlerChain.java

@@ -0,0 +1,175 @@
+/*
+ * Copyright 2006 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ws.soap.security.callback;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
+import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
+import com.sun.xml.wss.impl.callback.TimestampValidationCallback;
+
+/**
+ * Represents a chain of <code>CallbackHandler</code>s. For each callback, each of the handlers is called in term. If a
+ * handler throws a <code>UnsupportedCallbackException</code>, the next handler is tried.
+ *
+ * @author Arjen Poutsma
+ * @since 1.0.0
+ */
+public class CallbackHandlerChain extends AbstractCallbackHandler {
+
+    private CallbackHandler[] callbackHandlers;
+
+    public CallbackHandlerChain(CallbackHandler[] callbackHandlers) {
+        this.callbackHandlers = callbackHandlers;
+    }
+
+    public void setCallbackHandlers(CallbackHandler[] callbackHandlers) {
+        this.callbackHandlers = callbackHandlers;
+    }
+
+    protected void handleInternal(Callback callback) throws IOException, UnsupportedCallbackException {
+        if (callback instanceof CertificateValidationCallback) {
+            handleCertificateValidationCallback((CertificateValidationCallback) callback);
+        }
+        else if (callback instanceof PasswordValidationCallback) {
+            handlePasswordValidationCallback((PasswordValidationCallback) callback);
+        }
+        else if (callback instanceof TimestampValidationCallback) {
+            handleTimestampValidationCallback((TimestampValidationCallback) callback);
+        }
+        else {
+            boolean allUnsupported = true;
+            for (int i = 0; i < callbackHandlers.length; i++) {
+                CallbackHandler callbackHandler = callbackHandlers[i];
+                try {
+                    callbackHandler.handle(new Callback[]{callback});
+                    allUnsupported = false;
+                }
+                catch (UnsupportedCallbackException ex) {
+                    // if an UnsupportedCallbackException occurs, go to the next handler
+                }
+            }
+            if (allUnsupported) {
+                throw new UnsupportedCallbackException(callback);
+            }
+        }
+    }
+
+    private void handleCertificateValidationCallback(CertificateValidationCallback callback) {
+        callback.setValidator(new CertificateValidatorChain(callback));
+    }
+
+    private void handlePasswordValidationCallback(PasswordValidationCallback callback) {
+        callback.setValidator(new PasswordValidatorChain(callback));
+    }
+
+    private void handleTimestampValidationCallback(TimestampValidationCallback callback) {
+        callback.setValidator(new TimestampValidatorChain(callback));
+    }
+
+    private class TimestampValidatorChain implements TimestampValidationCallback.TimestampValidator {
+
+        private TimestampValidationCallback callback;
+
+        private TimestampValidatorChain(TimestampValidationCallback callback) {
+            this.callback = callback;
+        }
+
+        public void validate(TimestampValidationCallback.Request request)
+                throws TimestampValidationCallback.TimestampValidationException {
+            for (int i = 0; i < callbackHandlers.length; i++) {
+                CallbackHandler callbackHandler = callbackHandlers[i];
+                try {
+                    callbackHandler.handle(new Callback[]{callback});
+                    callback.getResult();
+                }
+                catch (IOException e) {
+                    throw new TimestampValidationCallback.TimestampValidationException(e);
+                }
+                catch (UnsupportedCallbackException e) {
+                    // ignore
+                }
+            }
+        }
+    }
+
+    private class PasswordValidatorChain implements PasswordValidationCallback.PasswordValidator {
+
+        private PasswordValidationCallback callback;
+
+        private PasswordValidatorChain(PasswordValidationCallback callback) {
+            this.callback = callback;
+        }
+
+        public boolean validate(PasswordValidationCallback.Request request)
+                throws PasswordValidationCallback.PasswordValidationException {
+            boolean allUnsupported = true;
+            for (int i = 0; i < callbackHandlers.length; i++) {
+                CallbackHandler callbackHandler = callbackHandlers[i];
+                try {
+                    callbackHandler.handle(new Callback[]{callback});
+                    allUnsupported = false;
+                    if (!callback.getResult()) {
+                        return false;
+                    }
+                }
+                catch (IOException e) {
+                    throw new PasswordValidationCallback.PasswordValidationException(e);
+                }
+                catch (UnsupportedCallbackException e) {
+                    // ignore
+                }
+            }
+            return !allUnsupported;
+        }
+    }
+
+    private class CertificateValidatorChain implements CertificateValidationCallback.CertificateValidator {
+
+        private CertificateValidationCallback callback;
+
+        private CertificateValidatorChain(CertificateValidationCallback callback) {
+            this.callback = callback;
+        }
+
+        public boolean validate(X509Certificate certificate)
+                throws CertificateValidationCallback.CertificateValidationException {
+            boolean allUnsupported = true;
+            for (int i = 0; i < callbackHandlers.length; i++) {
+                CallbackHandler callbackHandler = callbackHandlers[i];
+                try {
+                    callbackHandler.handle(new Callback[]{callback});
+                    allUnsupported = false;
+                    if (!callback.getResult()) {
+                        return false;
+                    }
+                }
+                catch (IOException e) {
+                    throw new CertificateValidationCallback.CertificateValidationException(e);
+                }
+                catch (UnsupportedCallbackException e) {
+                    // ignore
+                }
+            }
+            return !allUnsupported;
+        }
+    }
+}