  1. Spring Web Services
  2. SWS-884

Wss4jSecurityInterceptor, don't remove Security Header.

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.2.0.RELEASE
    • Fix Version/s: 2.2.1
    • Component/s: Security
    • Labels:
      None

      Description

      When Wss4jSecurityInterceptor.validateMessage successfully validates an incoming message, it automatically removes the Security element from the SOAP header.

      It would be nice to have an option to disable this functionality, so that the Security Element is left intact, so that the elements contained within (mainly X.509 certificates) can be accessed later on.

      There's one line of code to "change" - Wss4jSecurityInterceptor.java:634:
      soapMessage.getEnvelope().getHeader().removeHeaderElement(WS_SECURITY_NAME);

        Activity

        jinie Jimmy Selgen Nielsen created issue -
        jaminh jaminh added a comment -

        You should be able to access that from the MessageContext like so, messageContext.getProperty(WSHandlerConstants.RECV_RESULTS);

        That will return a List<WSHandlerResult>. Each WSHandlerResult contains a List<WSSecurityEngineResult>. You will need to go through each WSSecurityEngineResult and find one that contains a key of WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN. The value associated with that key should get you the X509 certificate you are looking for. It is kind of a convoluted way of getting it but that should work for you.
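
The lookup described in the comment above, as an added Java example that is not part of the original thread or of Spring-WS. It assumes the WSS4J 1.6 package names (`org.apache.ws.security`) and that a token result also carries the parsed certificate under `TAG_X509_CERTIFICATE`; the class name `ValidatedCertificates` is hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.ws.context.MessageContext;

/** Hypothetical helper; the name is illustrative, not a Spring-WS or WSS4J class. */
public final class ValidatedCertificates {

    private ValidatedCertificates() {
    }

    /**
     * Collects the certificates WSS4J recorded for BinarySecurityToken results.
     * Returns an empty list if the interceptor has not validated the message
     * yet or if the message carried no such token.
     */
    public static List<X509Certificate> fromBinarySecurityTokens(MessageContext messageContext) {
        List<X509Certificate> certificates = new ArrayList<>();
        Object property = messageContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (!(property instanceof List)) {
            return certificates; // property absent: nothing was validated
        }
        for (Object handlerResult : (List<?>) property) {
            if (!(handlerResult instanceof WSHandlerResult)) {
                continue;
            }
            for (WSSecurityEngineResult result : ((WSHandlerResult) handlerResult).getResults()) {
                // Only look at results produced for a BinarySecurityToken element.
                if (!result.containsKey(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN)) {
                    continue;
                }
                // Assumption: the parsed certificate sits beside the token in the same result.
                Object certificate = result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (certificate instanceof X509Certificate) {
                    certificates.add((X509Certificate) certificate);
                }
            }
        }
        return certificates;
    }
}
```

A BinarySecurityToken result by itself does not say that the token was used to sign the message; the result recorded for the signature holds the certificate the signature was verified with.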

        jinie Jimmy Selgen Nielsen added a comment -

        I guess my real problem is that when I try to fetch the WS-Security header, Apache Camel has taken over, and the messageContext is nowhere to be found. It has been replaced by an Exchange object, which is created from the messageContext.
        I guess I should raise the issue with Apache Camel instead.

        Thanks.

        gregturn Greg Turnquist made changes -
        Field Original Value New Value
        Assignee Greg Turnquist [ gregturn ]
        gregturn Greg Turnquist made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        gregturn Greg Turnquist added a comment -

        @Jimmy I can put in a flag that lets you disable this default behavior and leave the security header intact. Would that help, or is Apache Camel still an issue?

        jinie Jimmy Selgen Nielsen added a comment -

        @Greg I'm currently getting around this issue by using my own Wss4JSecurityInterceptor, where I've commented out that line. The only thing I need from the header is access to the embedded X.509v3 certificate, so that I can pass it along with the message, so yes, it would solve it for me, but I'm not in a position to say if it's the right way of doing it.

        Camel removes the WSHandlerResult list when it creates its CamelContext from the MessageContext, and I've raised an issue with Camel on this.

        gregturn Greg Turnquist added a comment -

        I've coded a patch to hold onto the security header, and asked Arjen to review my edits when possible.

        gregturn Greg Turnquist made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Fix Version/s 2.2.1 [ 14639 ]
        Resolution Complete [ 8 ]
        gregturn Greg Turnquist added a comment -

        Added option to configure Wss4jSecurityInterceptor to hold onto security headers.

        gregturn Greg Turnquist made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → In Progress | 32d 2h 16m | 1 | Greg Turnquist | 12/Jan/15 8:36 AM
        In Progress → Resolved | 37d 4h 52m | 1 | Greg Turnquist | 18/Feb/15 1:29 PM
        Resolved → Closed | 1m 28s | 1 | Greg Turnquist | 18/Feb/15 1:31 PM

          People

          • Assignee:
            gregturn Greg Turnquist
            Reporter:
            jinie Jimmy Selgen Nielsen
          • Votes:
            0
            Watchers:
            3
