Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Ceptor PortalProtect has support for WS-Security meaning it can be used to sign/encrypt outgoing SOAP messages, and it can verify signatures / decrypt incoming SOAP messages.

...

Code Block
package dk.itp.portalprotect.wss;
import java.util.Hashtable;
import java.util.Properties;

import dk.itp.portalprotect.wss.WSSAuthPluginSupport.Result;
import dk.itp.security.authentication.x509.AbstractX509CertificatePlugin;
import dk.itp.security.passticket.AuthTypes;
import dk.itp.security.passticket.PTException;
import dk.itp.security.passticket.User;
import dk.itp.security.passticket.server.AuthErrorCodes;

/**
 * SSL Cert plugin, which adds support for WSS
 * 
 * @author Kim Rasmussen
 * @version $Revision: 1.1 $
 * 
 * <pre>
 * PortalProtect - Security infrastructure
 * Copyrightoccurred 2007, Asseco Denmark A/S, All rights reserved.
 * 
 * This source code is confidential.
 * </pre>
 */
public class WSSAuthenticationPlugin extends AbstractX509CertificatePlugin {
	WSSAuthPluginSupport wssauth;  
	public Object executeCommand(User user, String name, Object input)
			throws PTException {
		return wssauth.executeCommand(user, name, input);
	}
	public void setConfiguration(Properties props) {
		super.setConfiguration(props);
		
		wssauth = new WSSAuthPluginSupport(statistics, providers);
		wssauth.setConfiguration(props);
	}
	public String getStatusText(String action) {
		return super.getStatusText() + wssauth.getStatusText(this, action);
	}
	public String getName() {
		return "WebService Security";
	}
	public int getAuthenticationType() {
		return AuthTypes.AUTHTYPE_WSS;
	}
	public int getAuthenticationLevel() {
		return 3;
	}
	public void confirm(User user, String signtext, Object credentials) throws PTException {
		verifyCertificate(user, credentials.toString(), true, true, null, signtext);
	}
	public void login(User user, String userid, Object credentials) throws PTException {
		Result result = wssauth.logonValidateSignatureAndDecrypt(credentials.toString());
		try {
			if (user.stateVariables == null)
				user.stateVariables = new Hashtable();
			
			user.stateVariables.put("soap", result.xmlOutput);
			
			if (result.subject != null) {
				user.username = result.subject.getProperty("CN");
	
				// CPR might be in userid, but this plugin wants it in customerID
				user.customerID = user.userid;
				user.userid = result.subject.getSerialNumber();
				user.password = null;
				user.isLoggedOn = true;
				
				if (result.subject.getO() != null)
					user.stateVariables.put("subject_o", result.subject.getO());
				if (result.subject.getOu() != null)
					user.stateVariables.put("subject_ou", result.subject.getOu());
				user.stateVariables.put("subject_dn", result.subject.getOrderedSubjectDN());

				if (result.cvr != null)
					user.stateVariables.put("cvr", result.cvr);
				if (result.pid != null)
					user.stateVariables.put("pid", result.pid);
				if (result.rid != null)
					user.stateVariables.put("rid", result.rid);
				if (result.uid != null)
					user.stateVariables.put("uid", result.uid);
			} else {
				throw new PTException("No certificate or SOAP not signed", AuthErrorCodes.ERROR_USERNOTFOUND,
					"No certificate");				
			}
		} catch (Throwable t) {
			cat.warn("Problem authenticating", t);
			throw new PTException("unexpected error occurred while authenticating using X509 Certificate",
				(short) - 1, t.getMessage());
		}
	}
}

...

Decryption just requires the xml and the alias of a private key loaded by portalprotect server, and it can then decrypt the xml message.


Publicclass WSSAgent {

    

     /**

      *SignandEncryptaSOAPmessage

      *@paramsessionIDSessionIDofuserdoingthesigning

      *@paramxmlXMLSOAPrequestorresponsetosignandencrypt

      *@paramsignerIDofsignermustbealiasofkeyregisteredatPPserver

      *@paramreceipientIDofreceiver,eitheraliasofpublickey/certificate,oremailaddressorserialwhichcanbelookedupinTDC’sLDAPserver.

      *@returnSignedandencryptedSOAP.

      *@throwsPTException

      */

    publicstatic String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;

   

     /**

      *SignandEncryptaSOAPmessage

      *@paramsessionIDSessionIDofuserdoingthesigning

      *@paramxmlXMLSOAPrequestorresponsetosignandencrypt

      *@paramsignerIDofsignermustbealiasofkeyregisteredatPPserver

      *@paramreceipientIDofreceiver,eitheraliasofpublickey/certificate,oremailaddressorserialwhichcanbelookedupinTDC’sLDAPserver.

      *@parampartsDefinitionDefineswhichpartstosigne.g.“Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken”

      *@returnSignedandencryptedSOAP.

      *@throwsPTException

      */

    publicstatic String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;

 

     /**

      *SignaSOAPmessage

      *@paramsessionIDSessionIDofuserdoingthesigning

      *@paramxmlSOAPrequestorresponsetosignandencrypt

      *@paramsignerIDofsignermustbealiasofkeyregisteredatPPserver

      *@returnSignedSOAP.

      *@throwsPTException

      */

    publicstatic String signSOAP(String sessionID, String xml, String signer) throws PTException;

 

     /**

      *SignaSOAPmessage

      *@paramsessionIDSessionIDofuserdoingthesigning

      *@paramxmlSOAPrequestorresponsetosignandencrypt

      *@paramsignerIDofsignermustbealiasofkeyregisteredatPPserver

      *@parampartsDefinitionDefineswhichpartstosigne.g.“Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken”

      *@returnSignedSOAP.

      *@throwsPTException

      */

    publicstatic String signSOAP(String sessionID, String xml, String signer,String partsDefinition) throws PTException;

   

    /**

     *Validatesanddecryptsanlusteredsignedand/orencryptedSOAPmessage

     *@paramsessionIDSessionIDofuserdoingthevalidation

     *@paramxmlSOAPtodecrypt/checksignaturefor.

     *@returnDecryptedSOAPmessage

     *@throwsPTException

     */

    publicstatic String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;

   

    /**

     *LogonwithasignedXMLmessagethecertificatewhichsignedthemessagewillbeusedforloggingin.

     *@paramsessionIDSessiontologinto

     *@paramxmlSOAPtodecrypt/checksignaturefor.

     *@returnDecryptedSOAPmessage

     *@throwsPTException

     */

    publicstatic String logonWithSOAP(String sessionID, String xml) throws PTException;

 

    /**

     *SignsaparticularpieceofXML(notSOAP)usingXMLDSIG

     *@paramsessionIDSessionIDtouseforsigning

     *@paramxmlXMLtosign

     *@paramsignerIDofsignermustmatchaliasornameofcertificateconfiguredonPPserver

     *@paramreferenceIDsListofreferencestosign

     *@paramsignatureDestinationPlacetoputthesignatureintheXMLlistoftokenslusteredby/

     *@returnSignedXML

     *@throwsPTException

     */

     publicstatic String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;

   

     /**

      *ValidatesanXMLDSIGsigneddocument.

      *

      *@paramsessionIDSessionIDtouseforvalidating

      *@paramxmlSignedXML

      *@returnList of certificates which signed this XML

      *@throwsPTException

      */

     publicstatic X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;