Ceptor PortalProtect has support for WS-Security meaning it can be used to sign/encrypt outgoing SOAP messages, and it can verify signatures / decrypt incoming SOAP messages.
...
package dk.itp.portalprotect.wss;
import java.util.Hashtable;
import java.util.Properties;
import dk.itp.portalprotect.wss.WSSAuthPluginSupport.Result;
import dk.itp.security.authentication.x509.AbstractX509CertificatePlugin;
import dk.itp.security.passticket.AuthTypes;
import dk.itp.security.passticket.PTException;
import dk.itp.security.passticket.User;
import dk.itp.security.passticket.server.AuthErrorCodes;
/**
* SSL Cert plugin, which adds support for WSS
*
* @author Kim Rasmussen
* @version $Revision: 1.1 $
*
* <pre>
* PortalProtect - Security infrastructure
* Copyright © 2007, Asseco Denmark A/S, All rights reserved.
*
* This source code is confidential.
* </pre>
*/
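public class WSSAuthenticationPlugin extends AbstractX509CertificatePlugin {

    /** Delegate that performs the WS-Security work; created in setConfiguration(Properties). */
    WSSAuthPluginSupport wssauth;

    /**
     * Forwards a plugin command to the WS-Security delegate.
     *
     * @param user  user the command is executed for
     * @param name  command name
     * @param input command input
     * @return whatever the delegate returns for the command
     * @throws PTException if the delegate fails the command
     */
    public Object executeCommand(User user, String name, Object input) throws PTException {
        return wssauth.executeCommand(user, name, input);
    }

    /**
     * Configures the base X.509 plugin, then builds and configures the WS-Security delegate
     * from the same properties.
     *
     * @param props plugin configuration
     */
    public void setConfiguration(Properties props) {
        // The base class must be configured first: the delegate is built from the
        // inherited statistics and providers fields.
        super.setConfiguration(props);
        wssauth = new WSSAuthPluginSupport(statistics, providers);
        wssauth.setConfiguration(props);
    }

    /**
     * Returns the base plugin's status text followed by the delegate's status text.
     *
     * @param action status action handed on to the delegate
     * @return combined status text
     */
    public String getStatusText(String action) {
        return super.getStatusText() + wssauth.getStatusText(this, action);
    }

    /** @return the display name of this plugin */
    public String getName() {
        return "WebService Security";
    }

    /** @return {@code AuthTypes.AUTHTYPE_WSS} */
    public int getAuthenticationType() {
        return AuthTypes.AUTHTYPE_WSS;
    }

    /** @return the authentication level (3) reported for WS-Security logons */
    public int getAuthenticationLevel() {
        return 3;
    }

    /**
     * Confirms a signed text against the user's certificate.
     *
     * @param user        user to confirm for
     * @param signtext    text whose signature is verified
     * @param credentials credentials object; its string form is passed to verifyCertificate
     * @throws PTException if no credentials were supplied or verification fails
     */
    public void confirm(User user, String signtext, Object credentials) throws PTException {
        verifyCertificate(user, credentialsToString(credentials), true, true, null, signtext);
    }

    /**
     * Logs a user on with a signed (and possibly encrypted) SOAP message. The message is
     * validated and decrypted by the delegate; the identity is taken from the certificate
     * that signed it, and the decrypted SOAP is stored in the user's state variables under
     * the key "soap".
     *
     * @param user        user object that is populated on success
     * @param userid      not read by this plugin; the identity comes from the signing certificate
     * @param credentials the SOAP message, used via toString()
     * @throws PTException with ERROR_USERNOTFOUND if no credentials were supplied or the
     *                     message carries no certificate; with code -1 wrapping any other
     *                     failure while populating the user
     */
    public void login(User user, String userid, Object credentials) throws PTException {
        Result result = wssauth.logonValidateSignatureAndDecrypt(credentialsToString(credentials));
        try {
            if (user.stateVariables == null) {
                user.stateVariables = new Hashtable();
            }
            // Keep the validated/decrypted SOAP for later processing of the request.
            user.stateVariables.put("soap", result.xmlOutput);
            if (result.subject == null) {
                throw new PTException("No certificate or SOAP not signed", AuthErrorCodes.ERROR_USERNOTFOUND,
                        "No certificate");
            }
            applySubject(user, result);
        } catch (PTException e) {
            // A deliberate authentication failure keeps its own error code and message
            // rather than being rewritten to the generic -1 below.
            throw e;
        } catch (Exception e) {
            // Only Exceptions are wrapped; Errors (e.g. OutOfMemoryError) propagate unchanged.
            cat.warn("Problem authenticating", e);
            throw new PTException("unexpected error occurred while authenticating using X509 Certificate",
                    (short) -1, e.getMessage());
        }
    }

    /**
     * Returns the string form of the credentials, rejecting a missing credentials object
     * as an authentication failure instead of a NullPointerException.
     *
     * @param credentials credentials object, may be null
     * @return credentials.toString()
     * @throws PTException with ERROR_USERNOTFOUND if credentials is null
     */
    private static String credentialsToString(Object credentials) throws PTException {
        if (credentials == null) {
            throw new PTException("No certificate or SOAP not signed", AuthErrorCodes.ERROR_USERNOTFOUND,
                    "No credentials");
        }
        return credentials.toString();
    }

    /**
     * Copies identity data from the signing certificate's subject into the user and its
     * state variables. Optional subject attributes are stored only when present; the
     * ordered subject DN is stored unconditionally.
     *
     * @param user   user being logged on (stateVariables must be non-null)
     * @param result validation result with a non-null subject
     */
    private static void applySubject(User user, Result result) {
        user.username = result.subject.getProperty("CN");
        // CPR might be in userid, but this plugin wants it in customerID.
        // NOTE(review): this copies the field user.userid, not the login() parameter — confirm intended.
        user.customerID = user.userid;
        user.userid = result.subject.getSerialNumber();
        user.password = null;
        user.isLoggedOn = true;
        putIfPresent(user, "subject_o", result.subject.getO());
        putIfPresent(user, "subject_ou", result.subject.getOu());
        user.stateVariables.put("subject_dn", result.subject.getOrderedSubjectDN());
        putIfPresent(user, "cvr", result.cvr);
        putIfPresent(user, "pid", result.pid);
        putIfPresent(user, "rid", result.rid);
        putIfPresent(user, "uid", result.uid);
    }

    /**
     * Stores value under key in the user's state variables when value is not null.
     *
     * @param user  user whose stateVariables receive the entry
     * @param key   state variable name
     * @param value value to store, ignored when null
     */
    private static void putIfPresent(User user, String key, Object value) {
        if (value != null) {
            user.stateVariables.put(key, value);
        }
    }
}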
...
Decryption only requires the XML and the alias of a private key loaded by the PortalProtect server; with those it can decrypt the XML message.
Publicclass WSSAgent {
/**
 * Signs and encrypts a SOAP message.
 *
 * @param sessionID  session ID of the user doing the signing
 * @param xml        XML – SOAP request or response to sign and encrypt
 * @param signer     ID of the signer – must be the alias of a key registered at the PP server
 * @param receipient ID of the receiver: either the alias of a public key/certificate, or an
 *                   email address or serial number that can be looked up in TDC's LDAP server
 * @return signed and encrypted SOAP
 * @throws PTException if the operation fails
 */
publicstatic String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;
/**
 * Signs and encrypts a SOAP message, signing only the parts named in partsDefinition.
 *
 * @param sessionID       session ID of the user doing the signing
 * @param xml             XML – SOAP request or response to sign and encrypt
 * @param signer          ID of the signer – must be the alias of a key registered at the PP server
 * @param receipient      ID of the receiver: either the alias of a public key/certificate, or an
 *                        email address or serial number that can be looked up in TDC's LDAP server
 * @param partsDefinition defines which parts to sign – e.g.
 *                        "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return signed and encrypted SOAP
 * @throws PTException if the operation fails
 */
publicstatic String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;
/**
 * Signs a SOAP message.
 *
 * @param sessionID session ID of the user doing the signing
 * @param xml       SOAP request or response to sign
 * @param signer    ID of the signer – must be the alias of a key registered at the PP server
 * @return signed SOAP
 * @throws PTException if the operation fails
 */
publicstatic String signSOAP(String sessionID, String xml, String signer) throws PTException;
/**
 * Signs a SOAP message, signing only the parts named in partsDefinition.
 *
 * @param sessionID       session ID of the user doing the signing
 * @param xml             SOAP request or response to sign
 * @param signer          ID of the signer – must be the alias of a key registered at the PP server
 * @param partsDefinition defines which parts to sign – e.g.
 *                        "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return signed SOAP
 * @throws PTException if the operation fails
 */
publicstatic String signSOAP(String sessionID, String xml, String signer,String partsDefinition) throws PTException;
/**
 * Validates and decrypts a signed and/or encrypted SOAP message.
 *
 * @param sessionID session ID of the user doing the validation
 * @param xml       SOAP to decrypt / check the signature of
 * @return decrypted SOAP message
 * @throws PTException if the operation fails
 */
publicstatic String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;
/**
 * Logs on with a signed XML message – the certificate which signed the message is used
 * for logging in.
 *
 * @param sessionID session to log in to
 * @param xml       SOAP to decrypt / check the signature of
 * @return decrypted SOAP message
 * @throws PTException if the operation fails
 */
publicstatic String logonWithSOAP(String sessionID, String xml) throws PTException;
/**
 * Signs a particular piece of XML (not SOAP) using XMLDSIG.
 *
 * @param sessionID            session ID to use for signing
 * @param xml                  XML to sign
 * @param signer               ID of the signer – must match the alias or name of a certificate
 *                             configured on the PP server
 * @param referenceIDs         list of references to sign
 * @param signatureDestination place to put the signature in the XML – a list of tokens joined by /
 * @return signed XML
 * @throws PTException if the operation fails
 */
publicstatic String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;
/**
 * Validates an XMLDSIG-signed document.
 *
 * NOTE(review): whether the returned certificates are also checked against a trust
 * store / revocation status is not visible here — confirm before relying on them.
 *
 * @param sessionID session ID to use for validating
 * @param xml       signed XML
 * @return list of certificates which signed this XML
 * @throws PTException if the operation fails
 */
publicstatic X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;