spring-projects
diff --git a/‎security/pom.xml‎
Lines changed: 15 additions & 2 deletions b/‎security/pom.xml‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎security/src/main/java/org/springframework/ws/soap/security/wss4j/callback/springsecurity/SpringSecurityDigestPasswordValidationCallbackHandler.java‎
Lines changed: 110 additions & 0 deletions b/‎security/src/main/java/org/springframework/ws/soap/security/wss4j/callback/springsecurity/SpringSecurityDigestPasswordValidationCallbackHandler.java‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎security/src/main/java/org/springframework/ws/soap/security/wss4j/callback/springsecurity/SpringSecurityPlainTextPasswordValidationCallbackHandler.java‎
Lines changed: 91 additions & 0 deletions b/‎security/src/main/java/org/springframework/ws/soap/security/wss4j/callback/springsecurity/SpringSecurityPlainTextPasswordValidationCallbackHandler.java‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎security/src/main/java/org/springframework/ws/soap/security/xwss/callback/springsecurity/SpringSecurityCertificateValidationCallbackHandler.java‎
Lines changed: 116 additions & 0 deletions b/‎security/src/main/java/org/springframework/ws/soap/security/xwss/callback/springsecurity/SpringSecurityCertificateValidationCallbackHandler.java‎
Lines changed: 116 additions & 0 deletions
@@ -1,4 +1,5 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <parent>
         <artifactId>spring-ws-parent</artifactId>
         <groupId>org.springframework.ws</groupId>
@@ -21,6 +22,12 @@
             <name>Spring External Dependencies Repository</name>
             <url>https://springframework.svn.sourceforge.net/svnroot/springframework/repos/repo-ext/</url>
         </repository>
+        <!-- S3 repo required for Spring Security Milestones -->
+        <repository>
+            <id>spring-s3</id>
+            <name>Springframework Maven SNAPSHOT Repository</name>
+            <url>http://s3.amazonaws.com/maven.springframework.org/milestone</url>
+        </repository>
         <repository>
             <id>wso2</id>
             <name>WSO2 Repository</name>
@@ -136,6 +143,12 @@
             <groupId>org.acegisecurity</groupId>
             <artifactId>acegi-security</artifactId>
         </dependency>
+        <!-- Spring Security dependencies -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <optional>true</optional>
+        </dependency>
         <!-- JEE dependencies -->
         <dependency>
             <groupId>javax.mail</groupId>
@@ -149,4 +162,4 @@
             <scope>test</scope>
         </dependency>
     </dependencies>
-</project>
+</project>
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2008 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ws.soap.security.wss4j.callback.springsecurity;
+
+import java.io.IOException;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
+
+import org.springframework.dao.DataAccessException;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.dao.UserCache;
+import org.springframework.security.providers.dao.cache.NullUserCache;
+import org.springframework.security.userdetails.UserDetails;
+import org.springframework.security.userdetails.UserDetailsService;
+import org.springframework.security.userdetails.UsernameNotFoundException;
+import org.springframework.util.Assert;
+import org.springframework.ws.soap.security.callback.CleanupCallback;
+import org.springframework.ws.soap.security.wss4j.callback.AbstractWsPasswordCallbackHandler;
+import org.springframework.ws.soap.security.wss4j.callback.UsernameTokenPrincipalCallback;
+
+/**
+ * Callback handler that validates a password digest using an Spring Security <code>UserDetailsService</code>. Logic
+ * based on Spring Security's <code>DigestProcessingFilter</code>.
+ * <p/>
+ * An Spring Security <code>UserDetailService</code> is used to load <code>UserDetails</code> from. The digest of the
+ * password contained in this details object is then compared with the digest in the message.
+ *
+ * @author Arjen Poutsma
+ * @see org.springframework.security.userdetails.UserDetailsService
+ * @see org.springframework.security.ui.digestauth.DigestProcessingFilter
+ * @since 1.5.0
+ */
+public class SpringSecurityDigestPasswordValidationCallbackHandler extends AbstractWsPasswordCallbackHandler {
+
+    private UserCache userCache = new NullUserCache();
+
+    private UserDetailsService userDetailsService;
+
+    /** Sets the users cache. Not required, but can benefit performance. */
+    public void setUserCache(UserCache userCache) {
+        this.userCache = userCache;
+    }
+
+    /** Sets the Spring Security user details service. Required. */
+    public void setUserDetailsService(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(userDetailsService, "userDetailsService is required");
+    }
+
+    protected void handleUsernameToken(WSPasswordCallback callback) throws IOException, UnsupportedCallbackException {
+        String identifier = callback.getIdentifer();
+        UserDetails user = loadUserDetails(identifier);
+        if (user != null) {
+            callback.setPassword(user.getPassword());
+        }
+    }
+
+    protected void handleUsernameTokenPrincipal(UsernameTokenPrincipalCallback callback)
+            throws IOException, UnsupportedCallbackException {
+        WSUsernameTokenPrincipal principal = callback.getPrincipal();
+        UsernamePasswordAuthenticationToken authRequest =
+                new UsernamePasswordAuthenticationToken(principal, principal.getPassword());
+        if (logger.isDebugEnabled()) {
+            logger.debug("Authentication success: " + authRequest.toString());
+        }
+        SecurityContextHolder.getContext().setAuthentication(authRequest);
+    }
+
+    protected void handleCleanup(CleanupCallback callback) throws IOException, UnsupportedCallbackException {
+        SecurityContextHolder.clearContext();
+    }
+
+    private UserDetails loadUserDetails(String username) throws DataAccessException {
+        UserDetails user = userCache.getUserFromCache(username);
+
+        if (user == null) {
+            try {
+                user = userDetailsService.loadUserByUsername(username);
+            }
+            catch (UsernameNotFoundException notFound) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug("Username '" + username + "' not found");
+                }
+                return null;
+            }
+            userCache.putUserInCache(user);
+        }
+        return user;
+    }
+}
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2008 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ws.soap.security.wss4j.callback.springsecurity;
+
+import java.io.IOException;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityException;
+
+import org.springframework.security.Authentication;
+import org.springframework.security.AuthenticationException;
+import org.springframework.security.AuthenticationManager;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.util.Assert;
+import org.springframework.ws.soap.security.callback.CleanupCallback;
+import org.springframework.ws.soap.security.wss4j.callback.AbstractWsPasswordCallbackHandler;
+
+/**
+ * Callback handler that validates a certificate uses an Spring Security <code>AuthenticationManager</code>. Logic based
+ * on Spring Security's <code>BasicProcessingFilter</code>.
+ * <p/>
+ * This handler requires an Spring Security <code>AuthenticationManager</code> to operate. It can be set using the
+ * <code>authenticationManager</code> property. An Spring Security <code>UsernamePasswordAuthenticationToken</code> is
+ * created with the username as principal and password as credentials.
+ *
+ * @author Arjen Poutsma
+ * @see org.springframework.security.providers.UsernamePasswordAuthenticationToken
+ * @see org.springframework.security.ui.basicauth.BasicProcessingFilter
+ * @since 1.5.0
+ */
+public class SpringSecurityPlainTextPasswordValidationCallbackHandler extends AbstractWsPasswordCallbackHandler {
+
+    private AuthenticationManager authenticationManager;
+
+    private boolean ignoreFailure = false;
+
+    /** Sets the Spring Security authentication manager. Required. */
+    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    public void setIgnoreFailure(boolean ignoreFailure) {
+        this.ignoreFailure = ignoreFailure;
+    }
+
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(authenticationManager, "authenticationManager is required");
+    }
+
+    protected void handleCleanup(CleanupCallback callback) throws IOException, UnsupportedCallbackException {
+        SecurityContextHolder.clearContext();
+    }
+
+    protected void handleUsernameTokenUnknown(WSPasswordCallback callback)
+            throws IOException, UnsupportedCallbackException {
+        String identifier = callback.getIdentifer();
+        try {
+            Authentication authResult = authenticationManager
+                    .authenticate(new UsernamePasswordAuthenticationToken(identifier, callback.getPassword()));
+            if (logger.isDebugEnabled()) {
+                logger.debug("Authentication success: " + authResult.toString());
+            }
+            SecurityContextHolder.getContext().setAuthentication(authResult);
+        }
+        catch (AuthenticationException failed) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("Authentication request for user '" + identifier + "' failed: " + failed.toString());
+            }
+            SecurityContextHolder.clearContext();
+            if (!ignoreFailure) {
+                throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
+            }
+        }
+    }
+}
@@ -0,0 +1,116 @@
+/*
+ * Copyright 2008 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ws.soap.security.xwss.callback.springsecurity;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
+
+import org.springframework.security.Authentication;
+import org.springframework.security.AuthenticationException;
+import org.springframework.security.AuthenticationManager;
+import org.springframework.security.context.SecurityContextHolder;
+import org.springframework.security.providers.x509.X509AuthenticationToken;
+import org.springframework.util.Assert;
+import org.springframework.ws.soap.security.callback.AbstractCallbackHandler;
+import org.springframework.ws.soap.security.callback.CleanupCallback;
+
+/**
+ * Callback handler that validates a certificate using an Spring Security <code>AuthenticationManager</code>. Logic
+ * based on Spring Security's <code>X509ProcessingFilter</code>. <p/> Spring Security
+ * <code>X509AuthenticationToken</code> is created with the certificate as the credentials. <p/> The configured
+ * authentication manager is expected to supply a provider which can handle this token (usually an instance of
+ * <code>X509AuthenticationProvider</code>).</p>
+ * <p/>
+ * This class only handles <code>CertificateValidationCallback</code>s, and throws an
+ * <code>UnsupportedCallbackException</code> for others.
+ *
+ * @author Arjen Poutsma
+ * @see org.springframework.security.providers.x509.X509AuthenticationToken
+ * @see org.springframework.security.providers.x509.X509AuthenticationProvider
+ * @see org.springframework.security.ui.x509.X509ProcessingFilter
+ * @see com.sun.xml.wss.impl.callback.CertificateValidationCallback
+ * @since 1.5.0
+ */
+public class SpringSecurityCertificateValidationCallbackHandler extends AbstractCallbackHandler {
+
+    private AuthenticationManager authenticationManager;
+
+    private boolean ignoreFailure = false;
+
+    /** Sets the Spring Security authentication manager. Required. */
+    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    public void setIgnoreFailure(boolean ignoreFailure) {
+        this.ignoreFailure = ignoreFailure;
+    }
+
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(authenticationManager, "authenticationManager is required");
+    }
+
+    /**
+     * Handles  <code>CertificateValidationCallback</code>s, and throws an <code>UnsupportedCallbackException</code> for
+     * others
+     *
+     * @throws javax.security.auth.callback.UnsupportedCallbackException
+     *          when the callback is not supported
+     */
+    protected void handleInternal(Callback callback) throws IOException, UnsupportedCallbackException {
+        if (callback instanceof CertificateValidationCallback) {
+            ((CertificateValidationCallback) callback).setValidator(new SpringSecurityCertificateValidator());
+        }
+        else if (callback instanceof CleanupCallback) {
+            SecurityContextHolder.clearContext();
+        }
+        else {
+            throw new UnsupportedCallbackException(callback);
+        }
+    }
+
+    private class SpringSecurityCertificateValidator implements CertificateValidationCallback.CertificateValidator {
+
+        public boolean validate(X509Certificate certificate)
+                throws CertificateValidationCallback.CertificateValidationException {
+            boolean result;
+            try {
+                Authentication authResult =
+                        authenticationManager.authenticate(new X509AuthenticationToken(certificate));
+                if (logger.isDebugEnabled()) {
+                    logger.debug("Authentication request for certificate with DN [" +
+                            certificate.getSubjectX500Principal().getName() + "] successful");
+                }
+                SecurityContextHolder.getContext().setAuthentication(authResult);
+                return true;
+            }
+            catch (AuthenticationException failed) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug("Authentication request for certificate with DN [" +
+                            certificate.getSubjectX500Principal().getName() + "] failed: " + failed.toString());
+                }
+                SecurityContextHolder.clearContext();
+                result = ignoreFailure;
+            }
+            return result;
+        }
+    }
+}