11 package org.mule.extras.wssecurity.handlers;
12
13 import org.mule.umo.security.SecurityException;
14
15 import java.security.cert.X509Certificate;
16 import java.util.Properties;
17 import java.util.Vector;
18
19 import javax.security.auth.callback.CallbackHandler;
20
21 import org.apache.commons.logging.Log;
22 import org.apache.commons.logging.LogFactory;
23 import org.apache.ws.security.WSConstants;
24 import org.apache.ws.security.WSSecurityEngineResult;
25 import org.apache.ws.security.WSSecurityException;
26 import org.apache.ws.security.handler.RequestData;
27 import org.apache.ws.security.handler.WSHandlerConstants;
28 import org.apache.ws.security.handler.WSHandlerResult;
29 import org.apache.ws.security.util.WSSecurityUtil;
30 import org.codehaus.xfire.MessageContext;
31 import org.codehaus.xfire.XFireRuntimeException;
32 import org.codehaus.xfire.exchange.AbstractMessage;
33 import org.codehaus.xfire.fault.XFireFault;
34 import org.codehaus.xfire.handler.Handler;
35 import org.codehaus.xfire.handler.Phase;
36 import org.codehaus.xfire.security.wss4j.AbstractWSS4JHandler;
37 import org.codehaus.xfire.soap.handler.ReadHeadersHandler;
38 import org.codehaus.xfire.util.dom.DOMInHandler;
39 import org.w3c.dom.Document;
40
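/**
 * XFire inbound handler that runs WSS4J processing over the received SOAP
 * message for Mule's WS-Security extras.
 * <p>
 * The handler sits in the {@link Phase#PARSE} phase: it is ordered after
 * {@link DOMInHandler} (which stores the parsed message under
 * {@link DOMInHandler#DOM_MESSAGE}) and before {@link ReadHeadersHandler}.
 * The WS-Security {@code action} to enforce is taken from the handler options
 * ({@link WSHandlerConstants#ACTION}) or, failing that, from the message context.
 * <p>
 * Processing results are published under {@link WSHandlerConstants#RECV_RESULTS}
 * for downstream consumers.
 */
public class MuleWSSInHandler extends AbstractWSS4JHandler implements Handler
{

    protected static final Log log = LogFactory.getLog(MuleWSSInHandler.class);

    /**
     * Creates the handler and fixes its position in the inbound chain
     * (PARSE phase, after DOMInHandler, before ReadHeadersHandler).
     */
    public MuleWSSInHandler()
    {
        super();
        setPhase(Phase.PARSE);
        // Runs before ReadHeadersHandler ...
        getBefore().add(ReadHeadersHandler.class.getName());
        // ... and after DOMInHandler, whose DOM this handler needs.
        getAfter().add(DOMInHandler.class.getName());
    }

    /**
     * Creates the handler with WSS4J handler properties (action, actor,
     * crypto property files, callback classes, ...).
     *
     * @param properties WSS4J handler options, see {@link WSHandlerConstants}
     */
    public MuleWSSInHandler(Properties properties)
    {
        this();
        setProperties(properties);
    }

    /**
     * Validates the WS-Security header of the current inbound message.
     * <p>
     * In order: resolves and decodes the configured action; fetches the DOM
     * produced by {@link DOMInHandler} (faults are passed through untouched);
     * runs {@code secEngine.processSecurityHeader} with the password callback
     * and the signature / decryption crypto implied by the action; rejects the
     * message when a required Security header is absent, when signature
     * confirmation fails, when the signing certificate is not trusted, or when
     * the processed tokens do not match the configured actions; finally stores
     * the results under {@link WSHandlerConstants#RECV_RESULTS}.
     * <p>
     * A {@link WSSecurityException} raised by the surrounding WSS4J steps
     * (crypto loading, callback lookup, signature confirmation, trust check)
     * propagates unchanged, with its error code, message and cause intact.
     *
     * @param msgContext the XFire message context of the inbound message
     * @throws XFireFault with {@link XFireFault#SENDER} when the Security header
     *         is missing, fails processing, uses an untrusted signing
     *         certificate, or does not match the configured actions
     * @throws XFireRuntimeException when no action is configured or no DOM is
     *         available (DOMInHandler not enabled)
     * @throws WSSecurityException for WSS4J failures outside of header processing
     * @throws SecurityException declared for callers; nothing in this body raises it
     */
    public void invoke(MessageContext msgContext)
        throws SecurityException, XFireFault, WSSecurityException
    {
        final boolean doDebug = log.isDebugEnabled();
        if (doDebug)
        {
            log.debug("MuleWSSInSecurityHandler: enter invoke()");
        }

        RequestData reqData = new RequestData();
        try
        {
            reqData.setMsgContext(msgContext);

            // An explicit handler option wins over a value on the message context.
            String action = (String)getOption(WSHandlerConstants.ACTION);
            if (action == null)
            {
                action = getString(WSHandlerConstants.ACTION, msgContext);
            }
            if (action == null)
            {
                throw new XFireRuntimeException("MuleWSSInHandler: No action defined");
            }

            // 'actions' receives the individual action codes in configured order,
            // 'doAction' the same codes OR-ed into a bit mask.
            Vector actions = new Vector();
            int doAction = WSSecurityUtil.decodeAction(action, actions);

            String actor = (String)getOption(WSHandlerConstants.ACTOR);

            AbstractMessage sm = msgContext.getCurrentMessage();
            Document doc = (Document)sm.getProperty(DOMInHandler.DOM_MESSAGE);
            if (doc == null)
            {
                throw new XFireRuntimeException("DOMInHandler must be enabled for WS-Security!");
            }

            // Fault messages are not subjected to WS-Security processing.
            if (sm.getBody() instanceof XFireFault)
            {
                return;
            }

            // A password callback is only needed for decryption or UsernameToken checks.
            CallbackHandler cbHandler = null;
            if ((doAction & (WSConstants.ENCR | WSConstants.UT)) != 0)
            {
                cbHandler = getPasswordCB(reqData);
            }

            // Loads the crypto instances and WSS config required by the action mask.
            doReceiverAction(doAction, reqData);

            // The receiver action only loads signature crypto for a plain signature
            // action; a signed SAML token needs it too, so load it explicitly.
            if (action.equals(WSHandlerConstants.SAML_TOKEN_SIGNED))
            {
                reqData.setSigCrypto(loadSignatureCrypto(reqData));
            }

            Vector wsResult;
            try
            {
                wsResult = secEngine.processSecurityHeader(doc, actor, cbHandler,
                    reqData.getSigCrypto(), reqData.getDecCrypto());
            }
            catch (WSSecurityException ex)
            {
                // NOTE(review): ex.toString() is echoed to the sender in the fault
                // string. WSS4J error texts are generic, but confirm that nothing
                // deployment-specific (aliases, keystore paths) can surface here.
                throw new XFireFault("MuleWSSInHandler: security processing failed: " + ex.toString(), ex,
                    XFireFault.SENDER);
            }

            if (wsResult == null)
            {
                // No Security header at all: acceptable only when none is required.
                if (doAction == WSConstants.NO_SECURITY)
                {
                    return;
                }
                throw new XFireFault(
                    "MuleWSSInHandler: Request does not contain required Security header",
                    XFireFault.SENDER);
            }

            if (reqData.getWssConfig().isEnableSignatureConfirmation())
            {
                checkSignatureConfirmation(reqData, wsResult);
            }

            // Trust decision on the signing certificate. NOTE(review): a signature
            // result without a certificate (non-X.509 key) gets no trust check
            // here; the key was resolved by the engine alone - confirm acceptable.
            WSSecurityEngineResult signResult = WSSecurityUtil.fetchActionResult(wsResult,
                WSConstants.SIGN);
            if (signResult != null)
            {
                X509Certificate signingCert = signResult.getCertificate();
                if (signingCert != null && !verifyTrust(signingCert, reqData))
                {
                    throw new XFireFault(
                        "MuleWSSInHandler: The certificate used for the signature is not trusted",
                        XFireFault.SENDER);
                }
            }

            // A configured ST_SIGNED action is rewritten to the SIGN + ST_UNSIGNED
            // pair, presumably because that is how the engine reports a signed
            // SAML token - confirm against the WSS4J version in use. The emptiness
            // guard matters: "NoSecurity" decodes to no actions, and a Security
            // header that is present anyway must fail the action check below
            // rather than blow up with an ArrayIndexOutOfBoundsException.
            if (!actions.isEmpty()
                && actions.elementAt(0).equals(new Integer(WSConstants.ST_SIGNED)))
            {
                actions.clear();
                actions.add(new Integer(WSConstants.SIGN));
                actions.add(new Integer(WSConstants.ST_UNSIGNED));
            }

            // Processed tokens must match the configured actions exactly and in
            // order; a header with missing, extra or reordered tokens is rejected.
            if (!checkReceiverResults(wsResult, actions))
            {
                throw new XFireFault(
                    "MuleWSSInHandler: security processing failed (actions mismatch)",
                    XFireFault.SENDER);
            }

            // Publish the results; the newest result set is inserted at index 0.
            Vector results = (Vector)msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
            if (results == null)
            {
                results = new Vector();
                msgContext.setProperty(WSHandlerConstants.RECV_RESULTS, results);
            }
            results.add(0, new WSHandlerResult(actor, wsResult));

            if (doDebug)
            {
                log.debug("MuleWSSInHandler: exit invoke()");
            }
        }
        finally
        {
            reqData.clear();
        }
    }
}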