Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Note that touching request or response body can seriously hurt performance so it is highly discouraged to do so unless you have a very good reason for it.

Also beware of memory usage since buffering up the responses might have consequences for large responses so you should consider adding limits if you need to.

Below is an example plugin that can sign/encrypt requests and decrypt/validate responses:

Code Block
languagejava
package dk.itp.tunnel;

import java.io.IOException;
import java.util.Hashtable;portalprotect.wss.dispatcher;

import java.utilio.LinkedListByteArrayOutputStream;
import java.utilio.ListIOException;
import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import dkorg.itp.security.utils.UniqueId;slf4j.Logger;
import org.slf4j.LoggerFactory;

import dk.itp.statistics.Statisticsportalprotect.wss.agent.WSSAgent;
import dk.itp.tunnelsecurity.TunnelServletpassticket.NoServersAvailableExceptionPTException;
import dk.itp.tunnelsecurity.TunnelServletutils.ServerEntryHtmlEncoder;

/**
 * 
 * This interface must be implemented by tunnel/dispatcher plugins.<br>
 * A plugin can modify requests/responses before/after they are sent to the web server.<br><br>
 * 
 * Users of this interface should extend the AbstractTunnelPlugin class and extend the
 * required methods instead of implementing this interface directly. This will allow
 * for easier transitions to new versions
 *  
 * @author Kim Rasmussen
 * @version $Revision$
 *
 * <pre>
 * PortalProtect - Security infrastructure
 * Copyright(c) 2001, IT Practice A/S, All rights reserved.
 * 
 * This source code is confidential.
 * </pre>
 */
@SuppressWarnings({"rawtypes"})
public interface ITunnelPlugin {
	public static class ResponseHeaderInformation {
		public int statusCode;
		public String reasonText;
		public List<String> names = new LinkedList<String>();
		public List<String> values = new LinkedList<String>();
	}
	
	/**
	 * Request state information meant for sharing between plugins.
	 * Can be used by a plugin to abort any additonal calls to other plugins, or to share state between plugins for the specific request.<br>
	 * State can also be saved here between calls in the flow and re used by the same plugin when it is called later for the same request.
	 */
	public static class PluginRequestStateInformation {
		/** If set to true, PP will stop calling plugins, including the plugin which originally set this boolean, so use with care.
		 * Note that this flag is not respected by the tunnel when processing response content which will proceed as normal. */
		public boolean doNotCallOtherPlugins = false;
		/** If set, only the plugin of this class (the plugin should use getClass()) will be called. doNotCallOtherPlugins
		 * has priority, but if that is false and onlyCallThisPlugin is not-null, only this particular plugin will be
		 * called for the rest of the request. */ 
		public Class onlyCallThisPlugin = null;
		/** If set to true, it is a hint to other plugins that a plugin has deemed the request to be failed, so they should not .e.g. log users in */
		public boolean requestConsideredFailing = false;
		/** State for this particular request shared between plugins */
		public Properties state = new Properties();
	}
	
	/**
	 * Overrides the server selection, allows the plugin to change the server to something else.<br>
	 * To select the proper server, the plugin should call tunnel.selectBestServer() to let it choose which server to used, it will
	 * make sure to select a server that is up, and reuse the same server is there is already a selected one present. Note that it
	 * will return a cookie value which needs to be set on the response by the plugin if non-empty.
	 * 
	 * @param request Request as received from the servlet
	 * @param response Empty response
	 * @param content The content read in case of a POST request (else <code>null</code>)
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @param alternateServers Hashtable<String, TunnelServlet.AlternateServer> All configured alternate servers
	 * @param defaultServers Hashtable<String, ServerEntry> All configured default (non-alternate) servers
	 */
	public ServerEntry overrideServerSelection(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel, Hashtable alternateServers, Hashtable defaultServers) throws IOException, NoServersAvailableException;
	
	/**
	 * Allows the plugin to modify the request before it is sent to the web server
	 * 
	 * @param request Request as received from the servlet
	 * @param response Empty response
	 * @param content The content read in case of a POST request (else <code>null</code>)
	 * @param sessionId Session ID for this user
	 * @param requestToWebServer The request that this method can modify, it does not contain any request contents, but only the headers.
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @return true, if the request should not be passed on to the webserver, if the plugin has handled it. False if the request should be sent to the server.
	 */
	public boolean modifyRequest(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, StringBuffer requestToWebServer, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel) throws IOException;
	
	/**
	 * Allows the plugin to modify the POST data in the request before it is sent to the web server.
	 * This method is called before modifyRequest, and only if the request is a POST/PUT request that has any data.
	 * It is called before modifyRequest to make sure the correct content-length is available which needs to be calculated before calling modifyRequest.  
	 * 
	 * @param request Request as received from the servlet
	 * @param response Empty response
	 * @param content The content read in case of a POST request (else <code>null</code>)
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @return The new request (POST data) to send to the server.
	 */
	public byte[] modifyRequestContent(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel) throws IOException;
	
	/**
	 * Allows the plugin to modify the response headers - this method is called just after the initial headers are received, before they are parsed and before
	 * the response content is read.
	 * 
	 * @param request Request
	 * @param response Response to modify
	 * @param content The content read in case of a POST request (else <code>null</code>)
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param headerInfo List of non-yet-parsed response status code and HTTP headers - the plugin can choose to modify them.
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 */
	public void modifyResponseHeaders(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, ResponseHeaderInformation headerInfo, TunnelServlet tunnel) throws IOException;

	/**
	 * Allows the plugin to modify the response - this request is called after the initial headers are received, but before the actual response content
	 * is read from the webserver
	 * 
	 * @param request Request
	 * @param response Response to modify
	 * @param content The content read in case of a POST request (else <code>null</code>)
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @return true, if the response should be returned immediately, false if the response contents should be read from the webserver and sent back to the browser.
	 */
	public boolean modifyResponse(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel) throws IOException;

	/**
	 * Gives the plugin a chance to access the Dispatcher/Tunnel configuration. Called
	 * each time the configuration for the Dispatcher/Tunnel changes
	 * 
	 * @param props Configuration
	 */
	public void setConfiguration(Properties props);
	
	/**
	 * This method is called when the Dispatcher/Tunnel is reconfigured and possible
	 * changed the instance of the statistics object. This object can be used to meassure 
	 * statistics if needed
	 * 
	 * @param stats Statistics object for meassuring
	 */
	public void setStatistics( Statistics stats );
	
	/**
	 * This method can be used by the plugin to provide a status text that will be
	 * accessible along with the Dispatcher/Tunnel status through the PortalProtect
	 * administration.
     * 
     * Optionally, a plugin can implement <code>public String getStatusText(String action);</code> which allows it to
     * perform an action such as displaying specific status, clearing cache data, refreshing data or whatever else the
     * plugin may want to do. That method is not in the interface since it is not required.
	 *  
	 * @return Status text if any (or null)
	 */
	public String getStatusText();
	
	/**
	 * Asks the plugin if it is interested in the contents of the response.
	 * If so, the dispatcher will not stream the response data to the browser, but instead to the plugin, and it is then
	 * the plugin's own problem to stream the (modified) response back to the browser.
	 * <p>
	 * Note that when streaming is enabled, the dispatcher will no longer be able to compress the response, and it
	 * will remove any content length header otherwise put on the response by the application server.
	 * <p><b>
	 * Note that only a single plugin is able to modify the response contents at a time - the first plugin in the
	 * chain that returns true wins, and the rest of the plugins are not asked.</b>
	 * 
	 * @param request Request
	 * @param response Response
	 * @param content Content of the POST request, or null
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @return true if plugin wants the response contents
	 * @throws IOException
	 */
	public boolean isInterestedInResponseContents(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel) throws IOException;
	
	/**
	 * This tells the plugin that a block of bytes has been received. This method is called as long as there is data read from the response.<br>
	 * Note that if your plugin buffers data up, take care about setting max safety sizes or you risk multi-megabyte responses eating all the memory.
	 * 
	 * @param request Request
	 * @param response Response
	 * @param content Content of the POST request, or null
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @param responseBuffer Buffer containing contents of the response. Note that the byte array might not be filled - use the responseBufferSize.
	 * @param responseBufferSize Number of bytes in the buffer
	 * @throws IOException
	 */
	public void responseContentRead(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel, byte[] responseBuffer, int responseBufferSize) throws IOException;

	/**
	 * This tells the plugin that the reading of the response has finished, so this is its last chance to write anything else to the response.
	 * If the plugin has been collecting the response data up for processing, it can do it now, and write the finished result to the http servlet response.
	 * 
	 * @param request Request
	 * @param response Response
	 * @param content Content of the POST request, or null
	 * @param sessionId Session ID for this user
	 * @param serverEntry Entry of the server chosen for this request
	 * @param tunnel The tunnel servlet, can be used by plugins to call e.g. isFromSSLAccelerator()
	 * @throws IOException
	 */
	public void responseContentFinished(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, TunnelServlet.ServerEntry serverEntry, TunnelServlet tunnel) throws IOException;
	import dk.itp.security.utils.Listed;
import dk.itp.security.utils.StringMatcher;
import dk.itp.security.utils.UniqueId;
import dk.itp.statistics.Statistics;
import dk.itp.tunnel.AbstractTunnelPlugin;
import dk.itp.tunnel.TunnelServlet;
import dk.itp.tunnel.TunnelServlet.ServerEntry;

/**
 * Plugin to the dispatcher/tunnel which handes WS-Security, i.e. it modifies the request/response contents to add
 * or remove WS-Security encryption.
 */
public class WSSPlugin extends AbstractTunnelPlugin {
	private Logger cat = LoggerFactory.getLogger(getClass());
	protected String[] urlPatterns;
	protected String[] wsdlUrlPatterns;
	protected String signer;
	protected Statistics statistics;
	
	protected class RequestInfo {
		ByteArrayOutputStream bout = new ByteArrayOutputStream();
		PTException loginError;
	}
	private static ThreadLocal<RequestInfo> requestInfoTL = new ThreadLocal<RequestInfo>();
	
	private boolean isRequestForUs(HttpServletRequest request) {
		if (request.getHeader("SOAPAction") == null) {
			return false;
		}
			
		// Copy it so if setConfiguration is called we do not risk the array size being changed.
		String[] urlPatterns = this.urlPatterns;
		
		String uri = request.getRequestURI();
		for(int i = 0; i < urlPatterns.length; i++) {
			if (StringMatcher.match(urlPatterns[i], uri)) {
				return true;
			}
		}
		return false;
	}
	
	private boolean isWSDL(HttpServletRequest request) {
		// Copy it so if setConfiguration is called we do not risk the array size being changed.
		String[] urlPatterns = this.wsdlUrlPatterns;
		
		String uri = request.getRequestURI();
		String qstr = request.getQueryString();
		if (qstr != null && qstr.length() > 0)
			uri += "?"+qstr;
		
		for(int i = 0; i < urlPatterns.length; i++) {
			if (StringMatcher.match(urlPatterns[i], uri)) {
				return true;
			}
		}
		return false;		
	}
	
	public byte[] modifyRequestContent(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, ServerEntry serverEntry,
			TunnelServlet tunnel) throws IOException {
		requestInfoTL.set(null);
		
		if (!isRequestForUs(request))
			return content;
		
		// This request seems to be useful for us, so lets process it.
		String xml = new String(content, "UTF8");
		try {
			if (cat.isDebugEnabled()) {
				cat.debug("XML Input: " + xml);
			}
			xml = WSSAgent.logonWithSOAP(tunnel.getAgent(), sessionId.toString(), xml);
			if (xml != null) {
				if (cat.isDebugEnabled()) {
					cat.debug("XML input modified to: " + xml);
				}
				return xml.getBytes("UTF8");
			}
		} catch (PTException e) {
			cat.warn("Unable to login with SOAP request contents", e);
		}
		return content;		
	}

	public boolean modifyRequest(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, StringBuffer requestToWebServer,
			ServerEntry serverEntry, TunnelServlet tunnel) throws IOException {
		RequestInfo info = requestInfoTL.get();
		
		if (info != null && info.loginError != null) {
			String fault = generateSoapFault(info.loginError);
			response.getOutputStream().print(fault);
			return true;
		}
		return false;
	}
	
	public boolean isInterestedInResponseContents(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId,
			ServerEntry serverEntry, TunnelServlet tunnel) throws IOException {
		if (!isWSDL(request) && !isRequestForUs(request))
			return false;
		
		RequestInfo info = requestInfoTL.get();
		if (info == null)
			requestInfoTL.set(new RequestInfo());
		return true;
	}

	public void responseContentRead(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, ServerEntry serverEntry,
			TunnelServlet tunnel, byte[] responseBuffer, int responseBufferSize) throws IOException {
		
		RequestInfo info = requestInfoTL.get();
		info.bout.write(responseBuffer, 0, responseBufferSize);
	}

	public void responseContentFinished(HttpServletRequest request, HttpServletResponse response, byte[] content, UniqueId sessionId, ServerEntry serverEntry,
			TunnelServlet tunnel) throws IOException {
		RequestInfo info = requestInfoTL.get();
		
		String xml = new String(info.bout.toByteArray(), "UTF8");
		if (cat.isDebugEnabled()) {
			cat.debug("Response: " + xml);
		}
		
		String sessionID = sessionId.toString();
		
		if (isWSDL(request)) {
			// TODO: Cache the result for another time
			try {
				xml = WSSAgent.attachPoliciesToWSDL(tunnel.getAgent(), sessionID, xml, request.getRequestURL().toString());
				response.getOutputStream().write(xml.getBytes("UTF8"));
			} catch(PTException e) {
				cat.warn("Problem attaching policy to WSDL", e);
				
				// Write proper soapfault here
				@SuppressWarnings("unused")
				String fault = generateSoapFault(e);
				response.getOutputStream().print(fault);
			}
		} else {
			try {
				String encryptionKey = tunnel.getAgent().getStateVariable(sessionID, "encryptedWithKey");
				if (encryptionKey != null)
					xml = WSSAgent.signAndEncryptSOAP(tunnel.getAgent(), sessionId.toString(), xml, signer, encryptionKey);
				else
					xml = WSSAgent.signSOAP(tunnel.getAgent(), sessionID, xml, signer);
				if (cat.isDebugEnabled()) {
					cat.debug("XML Output modified to: " + xml);
				}
				response.getOutputStream().write(xml.getBytes("UTF8"));
			} catch(PTException e) {
				cat.warn("Problem signing response XML", e);
				
				// Write proper soapfault here
				String fault = generateSoapFault(e);
				response.getOutputStream().print(fault);
			}
		}
		requestInfoTL.set(null);
	}

	public void setStatistics(Statistics stats) {
		super.setStatistics(stats);
		
		this.statistics = stats;
	}

	public void setConfiguration(Properties props) {
		super.setConfiguration(props);
		
		urlPatterns = new Listed<String>(props.getProperty("wss.urls", "")).toArray();
		wsdlUrlPatterns = new Listed<String>(props.getProperty("wss.wsdlurls", "")).toArray();
		signer = props.getProperty("wss.signer", "unknown");
	}
	
	protected String generateSoapFault(PTException e) {
		String fault = "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\">\n"+
		"<env:Header/><env:Body>\n<env:Fault>\n<env:Code><env:Value>env:Sender</env:Value></env:Code>\n"+
		"<env:Reason><env:Text>\n"+
		e.toString()+
		"</env:Text></env:Reason>\n</env:Fault></env:Body></env:Envelope>";
		
		return fault;
	}
}