in rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java [222:388]
private void handleMessageInternal(SoapMessage msg) throws Fault {
boolean utWithCallbacks =
MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
translateProperties(msg);
RequestData reqData = new CXFRequestData();
WSSConfig config = (WSSConfig)msg.getContextualProperty(WSSConfig.class.getName());
WSSecurityEngine engine;
if (config != null) {
engine = new WSSecurityEngine();
engine.setWssConfig(config);
} else {
engine = getSecurityEngine(utWithCallbacks);
if (engine == null) {
engine = new WSSecurityEngine();
}
config = engine.getWssConfig();
}
reqData.setWssConfig(config);
// Add Audience Restrictions for SAML
reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true));
SOAPMessage doc = getSOAPMessage(msg);
boolean doDebug = LOG.isLoggable(Level.FINE);
SoapVersion version = msg.getVersion();
try {
reqData.setEncryptionSerializer(new StaxSerializer());
} catch (InvalidCanonicalizerException e) {
throw new SoapFault(new Message("SECURITY_FAILED", LOG), e, version.getReceiver());
}
if (doDebug) {
LOG.fine("WSS4JInInterceptor: enter handleMessage()");
}
/*
* The overall try, just to have a finally at the end to perform some
* housekeeping.
*/
try {
reqData.setMsgContext(msg);
reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
setAlgorithmSuites(msg, reqData);
reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks));
computeAction(msg, reqData);
String action = getAction(msg, version);
List<Integer> actions = WSSecurityUtil.decodeAction(action);
String actor = (String)getOption(ConfigurationConstants.ACTOR);
if (actor == null) {
actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR);
}
reqData.setActor(actor);
// Configure replay caching
configureReplayCaches(reqData, actions, msg);
TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
if (tlsInfo != null) {
Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
reqData.setTlsCerts(tlsCerts);
}
/*
* Get and check the Signature specific parameters first because
* they may be used for encryption too.
*/
doReceiverAction(actions, reqData);
// Only search for and expand (Signed) XOP Elements if MTOM is enabled (and not
// explicitly specified by the user)
if (getString(ConfigurationConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, msg) == null
&& getString(ConfigurationConstants.EXPAND_XOP_INCLUDE, msg) == null) {
reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg));
}
/*get chance to check msg context enableRevocation setting
*when use policy based ws-security where the WSHandler configuration
*isn't available
*/
boolean enableRevocation = reqData.isRevocationEnabled()
|| PropertyUtils.isTrue(SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION,
msg));
reqData.setEnableRevocation(enableRevocation);
Element soapBody = SAAJUtils.getBody(doc);
if (soapBody != null) {
engine.setCallbackLookup(new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody));
}
Element elem =
WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor, version.getVersion() != 1.1);
elem = (Element)DOMUtils.getDomElement(elem);
Node originalNode = null;
if (elem != null) {
originalNode = elem.cloneNode(true);
}
WSHandlerResult wsResult = engine.processSecurityHeader(elem, reqData);
importNewDomToSAAJ(doc, elem, originalNode, wsResult);
Element header = SAAJUtils.getHeader(doc);
Element body = SAAJUtils.getBody(doc);
header = (Element)DOMUtils.getDomElement(header);
body = (Element)DOMUtils.getDomElement(body);
if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) {
// security header found
if (reqData.isEnableSignatureConfirmation()) {
checkSignatureConfirmation(reqData, wsResult);
}
checkActions(msg, wsResult.getResults(), actions);
doResults(
msg, actor,
header,
body,
wsResult, utWithCallbacks
);
} else { // no security header found
if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
LOG.warning("The request is a SOAP Fault, but it is not secured");
// We allow lax action matching here for backwards compatibility
// with manually configured WSS4JInInterceptors that previously
// allowed faults to pass through even if their actions aren't
// a strict match against those configured. In the WS-SP case,
// we will want to still call doResults as it handles asserting
// certain assertions that do not require a WS-S header such as
// a sp:TransportBinding assertion. In the case of WS-SP,
// the unasserted assertions will provide confirmation that
// security was not sufficient.
// checkActions(msg, reqData, wsResult, actions);
doResults(msg, actor,
header,
body,
wsResult, utWithCallbacks);
} else {
checkActions(msg, wsResult.getResults(), actions);
doResults(msg, actor,
header,
body,
wsResult, utWithCallbacks);
}
}
if (SAAJUtils.getBody(doc) != null) {
advanceBody(msg, body);
}
SAAJInInterceptor.replaceHeaders(doc, msg);
if (doDebug) {
LOG.fine("WSS4JInInterceptor: exit handleMessage()");
}
msg.put(SECURITY_PROCESSED, Boolean.TRUE);
} catch (WSSecurityException e) {
throw WSS4JUtils.createSoapFault(msg, version, e);
} catch (XMLStreamException e) {
throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
} catch (SOAPException e) {
throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
}
}