This year started on a good note, another one of those “the deadline won’t change” / “skip all the red tape” / “Wild West” type of projects in which I got to figure out and implement some functionality using some relatively new libraries and tech for a change, well Spring 3 ain’t new but in the Java 5, weblogic 10(.01), Spring 2.5.6 slow corporate kind of world it is all relative.
Due to general time constraints I am not including too much “fluff” in this post, just the nitty gritty of creating and securing a Spring 3 , Spring WS 2 web service using multiple XSDs and LDAP security.
The Code:
The Service Endpoint: ExampleServiceEndpoint
This is the class that will be exposed as web service using the configuration later in the post.
package javaitzen.spring.ws;
import org.springframework.ws.server.endpoint.annotation.Endpoint;
import org.springframework.ws.server.endpoint.annotation.PayloadRoot;
import org.springframework.ws.server.endpoint.annotation.RequestPayload;
import org.springframework.ws.server.endpoint.annotation.ResponsePayload;
import javax.annotation.Resource;
@Endpoint
public class ExampleServiceEndpoint {
private static final String NAMESPACE_URI = "http://www.briandupreez.net";
/**
* Autowire a POJO to handle the business logic
@Resource(name = "businessComponent")
private ComponentInterface businessComponent;
*/
public ExampleServiceEndpoint() {
System.out.println(">> javaitzen.spring.ws.ExampleServiceEndpoint loaded.");
}
@PayloadRoot(localPart = "ProcessExample1Request", namespace = NAMESPACE_URI + "/example1")
@ResponsePayload
public Example1Response processExample1Request(@RequestPayload final Example1 request) {
System.out.println(">> process example request1 ran.");
return new Example1Response();
}
@PayloadRoot(localPart = "ProcessExample2Request", namespace = NAMESPACE_URI + "/example2")
@ResponsePayload
public Example2Response processExample2Request(@RequestPayload final Example2 request) {
System.out.println(">> process example request2 ran.");
return new Example2Response();
}
}
The Code: CustomValidationCallbackHandler
This was my bit of custom code I wrote to extend the AbstactCallbackHandler allowing us to use LDAP.
As per the comments in the CallbackHandler below, it’s probably a good idea to have a cache manager, something like Hazelcast or Ehcache to cache authenticated users, depending on security / performance considerations.
The Digest Validator below can just be used directly from the Sun library, I was just wanted to see how it worked.
package javaitzen.spring.ws;
import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.xml.wss.impl.callback.PasswordValidationCallback;
import com.sun.xml.wss.impl.misc.Base64;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.ws.soap.security.callback.AbstractCallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.util.Properties;
public class CustomValidationCallbackHandler extends AbstractCallbackHandler implements InitializingBean {
private Properties users = new Properties();
private AuthenticationManager ldapAuthenticationManager;
@Override
protected void handleInternal(final Callback callback) throws IOException, UnsupportedCallbackException {
if (callback instanceof PasswordValidationCallback) {
final PasswordValidationCallback passwordCallback = (PasswordValidationCallback) callback;
if (passwordCallback.getRequest() instanceof PasswordValidationCallback.DigestPasswordRequest) {
final PasswordValidationCallback.DigestPasswordRequest digestPasswordRequest =
(PasswordValidationCallback.DigestPasswordRequest) passwordCallback.getRequest();
final String password = users
.getProperty(digestPasswordRequest
.getUsername());
digestPasswordRequest.setPassword(password);
passwordCallback
.setValidator(new CustomDigestPasswordValidator());
}
if (passwordCallback.getRequest() instanceof PasswordValidationCallback.PlainTextPasswordRequest) {
passwordCallback
.setValidator(new LDAPPlainTextPasswordValidator());
}
} else {
throw new UnsupportedCallbackException(callback);
}
}
/**
* Digest Validator.
* This code is directly from the sun class, I was just curious how it worked.
*/
private class CustomDigestPasswordValidator implements PasswordValidationCallback.PasswordValidator {
public boolean validate(final PasswordValidationCallback.Request request) throws PasswordValidationCallback.PasswordValidationException {
final PasswordValidationCallback.DigestPasswordRequest req = (PasswordValidationCallback.DigestPasswordRequest) request;
final String passwd = req.getPassword();
final String nonce = req.getNonce();
final String created = req.getCreated();
final String passwordDigest = req.getDigest();
final String username = req.getUsername();
if (null == passwd)
return false;
byte[] decodedNonce = null;
if (null != nonce) {
try {
decodedNonce = Base64.decode(nonce);
} catch (final Base64DecodingException bde) {
throw new PasswordValidationCallback.PasswordValidationException(bde);
}
}
String utf8String = "";
if (created != null) {
utf8String += created;
}
utf8String += passwd;
final byte[] utf8Bytes;
try {
utf8Bytes = utf8String.getBytes("utf-8");
} catch (final UnsupportedEncodingException uee) {
throw new PasswordValidationCallback.PasswordValidationException(uee);
}
final byte[] bytesToHash;
if (decodedNonce != null) {
bytesToHash = new byte[utf8Bytes.length + decodedNonce.length];
for (int i = 0; i < decodedNonce.length; i++)
bytesToHash[i] = decodedNonce[i];
for (int i = decodedNonce.length;
i < utf8Bytes.length + decodedNonce.length;
i++)
bytesToHash[i] = utf8Bytes[i - decodedNonce.length];
} else {
bytesToHash = utf8Bytes;
}
final byte[] hash;
try {
final MessageDigest sha = MessageDigest.getInstance("SHA-1");
hash = sha.digest(bytesToHash);
} catch (final Exception e) {
throw new PasswordValidationCallback.PasswordValidationException(
"Password Digest could not be created" + e);
}
return (passwordDigest.equals(Base64.encode(hash)));
}
}
/**
* LDAP Plain Text validator.
*/
private class LDAPPlainTextPasswordValidator implements
PasswordValidationCallback.PasswordValidator {
/**
* Validate the callback against the injected LDAP server.
* Probably a good idea to have a cache manager - ehcache / hazelcast injected to cache authenticated users.
*
* @param request the callback request
* @return true if login successful
* @throws PasswordValidationCallback.PasswordValidationException
*
*/
public boolean validate(final PasswordValidationCallback.Request request) throws PasswordValidationCallback.PasswordValidationException {
final PasswordValidationCallback.PlainTextPasswordRequest plainTextPasswordRequest =
(PasswordValidationCallback.PlainTextPasswordRequest) request;
final String username = plainTextPasswordRequest.getUsername();
final Authentication authentication;
final Authentication userPassAuth = new UsernamePasswordAuthenticationToken(username, plainTextPasswordRequest.getPassword());
authentication = ldapAuthenticationManager.authenticate(userPassAuth);
return authentication.isAuthenticated();
}
}
/**
* Assert users.
*
* @throws Exception error
*/
public void afterPropertiesSet() throws Exception {
Assert.notNull(users, "Users is required.");
Assert.notNull(this.ldapAuthenticationManager, "A LDAP Authentication manager is required.");
}
/**
* Sets the users to validate against. Property names are usernames, property values are passwords.
*
* @param users the users
*/
public void setUsers(final Properties users) {
this.users = users;
}
/**
* The the authentication manager.
*
* @param ldapAuthenticationManager the provider
*/
public void setLdapAuthenticationManager(final AuthenticationManager ldapAuthenticationManager) {
this.ldapAuthenticationManager = ldapAuthenticationManager;
}
}
The service config:
The configuration for the Endpoint, CallbackHandler and the LDAP Authentication manager.
The Application Context – Server Side:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sws="http://www.springframework.org/schema/web-services"
xmlns:s="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/web-services
http://www.springframework.org/schema/web-services/web-services-2.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<sws:annotation-driven/>
<context:component-scan base-package="javaitzen.spring.ws"/>
<sws:dynamic-wsdl id="exampleService"
portTypeName="javaitzen.spring.ws.ExampleServiceEndpoint"
locationUri="/exampleService/"
targetNamespace="http://www.briandupreez.net/exampleService">
<sws:xsd location="classpath:/xsd/Example1Request.xsd"/>
<sws:xsd location="classpath:/xsd/Example1Response.xsd"/>
<sws:xsd location="classpath:/xsd/Example2Request.xsd"/>
<sws:xsd location="classpath:/xsd/Example2Response.xsd"/>
</sws:dynamic-wsdl>
<sws:interceptors>
<bean id="validatingInterceptor"
class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
<property name="schema" value="classpath:/xsd/Example1Request.xsd"/>
<property name="validateRequest" value="true"/>
<property name="validateResponse" value="true"/>
</bean>
<bean id="loggingInterceptor"
class="org.springframework.ws.server.endpoint.interceptor.PayloadLoggingInterceptor"/>
<bean class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
<property name="policyConfiguration" value="/WEB-INF/securityPolicy.xml"/>
<property name="callbackHandlers">
<list>
<ref bean="callbackHandler"/>
</list>
</property>
</bean>
</sws:interceptors>
<bean id="callbackHandler" class="javaitzen.spring.ws.CustomValidationCallbackHandler">
<property name="ldapAuthenticationManager" ref="authManager" />
</bean>
<s:authentication-manager alias="authManager">
<s:ldap-authentication-provider
user-search-filter="(uid={0})"
user-search-base="ou=users"
group-role-attribute="cn"
role-prefix="ROLE_">
</s:ldap-authentication-provider>
</s:authentication-manager>
<!-- Example... (inmemory apache ldap service) -->
<s:ldap-server id="contextSource" root="o=example" ldif="classpath:example.ldif"/>
<!--
If you want to connect to a real LDAP server it would look more like:
<s:ldap-server id="contextSource" url="ldap://localhost:7001/o=example" manager-dn="uid=admin,ou=system" manager-password="secret">
</s:ldap-server>-->
<bean id="marshallingPayloadMethodProcessor"
class="org.springframework.ws.server.endpoint.adapter.method.MarshallingPayloadMethodProcessor">
<constructor-arg ref="serviceMarshaller"/>
<constructor-arg ref="serviceMarshaller"/>
</bean>
<bean id="defaultMethodEndpointAdapter"
class="org.springframework.ws.server.endpoint.adapter.DefaultMethodEndpointAdapter">
<property name="methodArgumentResolvers">
<list>
<ref bean="marshallingPayloadMethodProcessor"/>
</list>
</property>
<property name="methodReturnValueHandlers">
<list>
<ref bean="marshallingPayloadMethodProcessor"/>
</list>
</property>
</bean>
<bean id="serviceMarshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller">
<property name="classesToBeBound">
<list>
<value>javaitzen.spring.ws.Example1</value>
<value>javaitzen.spring.ws.Example1Response</value>
<value>javaitzen.spring.ws.Example2</value>
<value>javaitzen.spring.ws.Example2Response</value>
</list>
</property>
<property name="marshallerProperties">
<map>
<entry key="jaxb.formatted.output">
<value type="java.lang.Boolean">true</value>
</entry>
</map>
</property>
</bean>
</beans>
The Security Context – Server Side:
xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:RequireTimestamp maxClockSkew="60" timestampFreshnessLimit="300"/>
<!-- Expect plain text tokens from the client -->
<xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
<xwss:Timestamp/>
<!-- server side reply token -->
<xwss:UsernameToken name="server" password="server1" digestPassword="false" useNonce="false"/>
</xwss:SecurityConfiguration>
The Web XML:
Nothing really special here, just the Spring WS MessageDispatcherServlet.
spring-ws org.springframework.ws.transport.http.MessageDispatcherServlet transformWsdlLocationstrue 1 spring-ws /*
The client config:
To test or use the service you’ll need the following:
The Application Context – Client Side Test:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>
<bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
<constructor-arg ref="messageFactory"/>
<property name="marshaller" ref="serviceMarshaller"/>
<property name="unmarshaller" ref="serviceMarshaller"/>
<property name="defaultUri" value="http://localhost:7001/example/spring-ws/exampleService"/>
<property name="interceptors">
<list>
<ref local="xwsSecurityInterceptor"/>
</list>
</property>
</bean>
<bean id="xwsSecurityInterceptor"
class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
<property name="policyConfiguration" value="testSecurityPolicy.xml"/>
<property name="callbackHandlers">
<list>
<ref bean="callbackHandler"/>
</list>
</property>
</bean>
<!-- As a client the username and password generated by the server must match with the client! -->
<!-- a simple callback handler to configure users and passwords with an in-memory Properties object. -->
<bean id="callbackHandler"
class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
<property name="users">
<props>
<prop key="server">server1</prop>
</props>
</property>
</bean>
<bean id="serviceMarshaller" class="org.springframework.oxm.jaxb.Jaxb2Marshaller">
<property name="classesToBeBound">
<list>
<value>javaitzen.spring.ws.Example1</value>
<value>javaitzen.spring.ws.Example1Response</value>
<value>javaitzen.spring.ws.Example2</value>
<value>javaitzen.spring.ws.Example2Response</value>
</list>
</property>
<property name="marshallerProperties">
<map>
<entry key="jaxb.formatted.output">
<value type="java.lang.Boolean">true</value>
</entry>
</map>
</property>
</bean>
The Security Context – Client Side:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:RequireTimestamp maxClockSkew="60" timestampFreshnessLimit="300"/>
<!-- Expect a plain text reply from the server -->
<xwss:RequireUsernameToken passwordDigestRequired="false" nonceRequired="false"/>
<xwss:Timestamp/>
<!-- Client sending to server -->
<xwss:UsernameToken name="example" password="pass" digestPassword="false" useNonce="false"/>
</xwss:SecurityConfiguration>
As usual with Java there can be a couple little nuances when it comes to jars and versions so below is part of the pom I used.
The Dependencies:
3.0.6.RELEASE
2.0.2.RELEASE
org.apache.directory.server
apacheds-all
1.5.5
jar
compile
org.springframework.ws
spring-ws-core
${spring-ws-version}
org.springframework
spring-webmvc
${spring-version}
org.springframework
spring-web
${spring-version}
org.springframework
spring-context
${spring-version}
org.springframework
spring-core
${spring-version}
org.springframework
spring-beans
${spring-version}
org.springframework
spring-oxm
${spring-version}
org.springframework.ws
spring-ws-security
${spring-ws-version}
org.springframework.security
spring-security-core
${spring-version}
org.springframework.security
spring-security-ldap
${spring-version}
org.springframework.ldap
spring-ldap-core
1.3.0.RELEASE
org.apache.ws.security
wss4j
1.5.12
com.sun.xml.wss
xws-security
3.0
org.apache.ws.commons.schema
XmlSchema
1.4.2
</project>
Reference: Spring 3, Spring Web Services 2 & LDAP Security. from our JCG partner Brian Du Preez at the Zen in the art of IT blog.