Spring Web Services: SWS-890

Can the WSSecurityEngine used in Wss4jSecurityInterceptor be externalized to introduce custom behaviour?


    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 2.3.0
    • Component/s: None
    • Labels:


      Hello Guys,
      I'm currently investigating to use spring-ws along with spring-ws-security-2.13.RELEASE for my security use case.

      I'm using Wss4jSecurityInterceptor based approach.

      These are what I'm after:

      • I want to perform Encryption/Decryption using PKI for confidentiality.
      • I want to perform Signature verification.
      • I want to perform authentication using the UsernameToken scheme.

      These are the caveats:

      • My user store is LDAP (where the password is already hashed and stored). I don't have access to the "clear text" password on the server side to be passed in the callback (AbstractWsPasswordCallbackHandler).

      Here is one approach:

      • I would encrypt the UsernameToken (using the same PKI) and decrypt on the server side - This enables me to send the password as a "clear text" at the same time achieving message confidentiality.
      • However, this doesn't solve the problem of authenticating the user with LDAP because I don't have the "clear text" password on the server side.

      I was looking into Wss4jSecurityInterceptor.java and it appears that the securityEngine is defined as private final. I completely understand the reasons for it being this way, as clients shouldn't be able to alter the sensitive functionality and break the framework.

      However, in my case, if this securityEngine was externalizable (injectable), I can provide my implementation of the engine which can then suppress the UsernameToken (password validation).

      This then helps me get the username and password in my interceptor in the overridden checkResults method, which can be used for LDAP authentication. I will have full access to the username and password here.

      Here is my custom WSSecurityEngine:

          // Imports (WSS4J 1.6): java.util.List, org.apache.ws.security.{WSSConfig, WSSecurityEngine, WSSecurityEngineResult, WSSecurityException}, org.apache.ws.security.handler.RequestData, org.w3c.dom.Element
          public class CustomSecurityEngine extends WSSecurityEngine { // class name assumed
              public List<WSSecurityEngineResult> processSecurityHeader(Element arg0, RequestData arg1) throws WSSecurityException {
                  WSSConfig config = arg1.getWssConfig();
                  // Swap in a validator that does not verify the password; the check moves to the interceptor.
                  config.setValidator(WSSecurityEngine.USERNAME_TOKEN, SuppressedUsernameTokenValidator.class);
                  return super.processSecurityHeader(arg0, arg1);
              }
          }

      Back in my SecurityInterceptor (that extends Wss4jSecurityInterceptor):

          // Imports: java.util.List, org.apache.ws.security.WSSecurityEngineResult, org.apache.ws.security.message.token.UsernameToken, org.springframework.ws.soap.security.wss4j.{Wss4jSecurityInterceptor, Wss4jSecurityValidationException}
          public class LdapSecurityInterceptor extends Wss4jSecurityInterceptor { // class name assumed
              protected void checkResults(List<WSSecurityEngineResult> results, List<Integer> validationActions) throws Wss4jSecurityValidationException {
                  for (WSSecurityEngineResult res : results) {
                      if (res.get("username-token") != null) {
                          UsernameToken usernameToken = (UsernameToken) res.get("username-token");
                          String username = usernameToken.getName();
                          String password = usernameToken.getPassword();
                          // Perform LDAP Authentication using the username and password.
                      }
                  }
                  super.checkResults(results, validationActions); // keep the framework's check that all configured actions ran
              }
          }

      Can the WSSecurityEngine be made injectable in Wss4jSecurityInterceptor or is there any other standard way to implement what I'm after? Thanks for your time.
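The complete pattern the post sketches, as an added example rather than code from the issue or from Spring-WS/WSS4J: a no-op UsernameToken validator (the post names SuppressedUsernameTokenValidator but does not show it), an engine that installs it once, and an interceptor that performs the real check by binding to LDAP and fails closed when no usable token is present. It assumes WSS4J 1.6 (org.apache.ws.security.*), Spring LDAP's LdapTemplate, and that the interceptor can receive the engine through a constructor argument, which is exactly the injection point the issue requests; the class names and the LDAP search base are made up for the example.

```java
// Added example, not code from the issue or from Spring-WS/WSS4J. Assumes WSS4J 1.6,
// Spring LDAP's LdapTemplate, and an interceptor constructor that accepts the engine
// (the injection point the issue asks for). Class names and the search base are made up.
import java.util.List;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityValidationException;

/** Accepts the token structurally but deliberately skips WSS4J's password check. */
class SuppressedUsernameTokenValidator implements Validator {
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // A digested password cannot be used for an LDAP bind, so only PasswordText is
        // accepted here; confidentiality comes from the encrypted SOAP body, not the token.
        String type = credential.getUsernametoken().getPasswordType();
        if (WSConstants.PASSWORD_DIGEST.equals(type)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        return credential;
    }
}

/** Engine whose WSSConfig is set once at construction instead of on every request. */
class LdapAwareSecurityEngine extends WSSecurityEngine {
    LdapAwareSecurityEngine() {
        WSSConfig config = WSSConfig.getNewInstance();
        config.setValidator(WSSecurityEngine.USERNAME_TOKEN, SuppressedUsernameTokenValidator.class);
        setWssConfig(config);
    }
}

/** Interceptor that performs the real authentication by binding to LDAP. */
class LdapAuthenticatingInterceptor extends Wss4jSecurityInterceptor {
    private final LdapTemplate ldapTemplate;
    private final String userSearchBase; // e.g. "ou=people" (placeholder)

    LdapAuthenticatingInterceptor(LdapTemplate ldapTemplate, String userSearchBase) {
        super(new LdapAwareSecurityEngine()); // assumed injection point, see the lead-in
        this.ldapTemplate = ldapTemplate;
        this.userSearchBase = userSearchBase;
    }

    @Override
    protected void checkResults(List<WSSecurityEngineResult> results, List<Integer> validationActions)
            throws Wss4jSecurityValidationException {
        // Let the framework confirm first that every configured action
        // (Encrypt, Signature, UsernameToken) actually ran on this message.
        super.checkResults(results, validationActions);

        UsernameToken token = null;
        for (WSSecurityEngineResult res : results) {
            Object ut = res.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
            if (ut != null) {
                token = (UsernameToken) ut;
            }
        }
        // Fail closed: WSS4J's own password check was disabled above, so anything
        // not positively authenticated here must be rejected.
        if (token == null || token.getPassword() == null) {
            throw new Wss4jSecurityValidationException("UsernameToken with a password is required");
        }
        // Escape the user name before placing it in the search filter.
        String filter = "(uid=" + LdapEncoder.filterEncode(token.getName()) + ")";
        if (!ldapTemplate.authenticate(userSearchBase, filter, token.getPassword())) {
            throw new Wss4jSecurityValidationException("LDAP authentication failed for " + token.getName());
        }
    }
}
```

With the three actions from the post configured on the interceptor (validationActions "Encrypt Signature UsernameToken"), the decrypted token reaches checkResults with its clear-text password, and the LDAP bind is the only place that password is ever verified; the super.checkResults call and the null checks are what keep a message without a token from slipping through once WSS4J's validator has been made a no-op.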


            • Assignee:
              gregturn Greg Turnquist
              saikris saiprasad krishnamurthy