How can I obtain UsernameToken information at the service?

When Apache Rampart (the Axis2 module that provides WS-Security and WS-SecureConversation support)/WSS4J is used to secure Web services in Axis2/Axis1.x, we can extract the results of security processing at any stage of the execution flow.
Date: Tue, 13th Jun, 2006
Ruchith Fernando
Software Engineer
WSO2 Inc.
Apache Rampart/WSS4J stores the results of security processing in the message context under the key WSHandlerConstants.RECV_RESULTS. The value is a java.util.Vector of WSHandlerResult instances, each of which holds the security processing results of a "Security" header for a certain actor. If there is only one "Security" header, the Vector contains a single WSHandlerResult instance. A WSHandlerResult instance in turn contains another java.util.Vector, which holds WSSecurityEngineResult instances. These WSSecurityEngineResult instances carry the results of security processing of a particular "Security" header. The following code snippet shows how to extract the WSSecurityEngineResult instances from the message context. Note: msgCtx is the message context instance.
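
    import java.util.Vector;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    // RECV_RESULTS holds one WSHandlerResult per processed "Security" header
    Vector results = null;
    if ((results = (Vector) msgCtx
            .getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
        throw new RuntimeException("No security results!!");
    } else {
        for (int i = 0; i < results.size(); i++) {
            // Get hold of the WSHandlerResult instance
            WSHandlerResult rResult = (WSHandlerResult) results.get(i);
            Vector wsSecEngineResults = rResult.getResults();

            for (int j = 0; j < wsSecEngineResults.size(); j++) {
                // Get hold of the WSSecurityEngineResult instance
                WSSecurityEngineResult wser = (WSSecurityEngineResult)
                        wsSecEngineResults.get(j);
                // wser is available for inspection inside this loop
            }
        }
    }
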
When a Security header carries a single UsernameToken, there will be one WSSecurityEngineResult instance, and the UsernameToken information can be extracted from it as shown below:

    import org.apache.ws.security.WSUsernameTokenPrincipal;

    // Extract the principal
    WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal)
            wser.getPrincipal();

    // Get user/pass
    String user = principal.getName();
    String passwd = principal.getPassword();

This is very useful when Apache Rampart/WSS4J processes an incoming UsernameToken that bears a plain text password, since Apache Rampart/WSS4J does not authenticate the UsernameToken. One can therefore authenticate the user in a handler or in the service implementation (anywhere that has access to the message context of the message that carried the UsernameToken).
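
One way to perform that check from an Axis2 handler or service, as an added example (not code from the original article or from Rampart/WSS4J): it walks RECV_RESULTS, selects the UsernameToken result by its action, and rejects the message unless a credential check passes. UsernameTokenAuthenticator and CredentialStore are hypothetical names, and getAction()/WSConstants.UT are assumed to be available in the same WSS4J release that provides the getPrincipal() call used above.

```java
import java.util.Vector;
import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class UsernameTokenAuthenticator {

    /** Hypothetical credential check supplied by the application (not a Rampart/WSS4J type). */
    public interface CredentialStore {
        boolean verify(String user, String password);
    }

    private final CredentialStore store;
    public UsernameTokenAuthenticator(CredentialStore store) {
        this.store = store;
    }

    /** Returns the authenticated user name, or throws if the message cannot be authenticated. */
    public String authenticate(MessageContext msgCtx) {
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            throw new SecurityException("No security results in message context");
        }
        WSUsernameTokenPrincipal found = null;
        for (int i = 0; i < results.size(); i++) {
            Vector engineResults = ((WSHandlerResult) results.get(i)).getResults();
            for (int j = 0; j < engineResults.size(); j++) {
                WSSecurityEngineResult wser = (WSSecurityEngineResult) engineResults.get(j);
                // Skip results for other header elements (timestamps, signatures, ...).
                if (wser.getAction() != WSConstants.UT) {
                    continue;
                }
                // This example's policy: an ambiguous message is rejected outright.
                if (found != null) {
                    throw new SecurityException("More than one UsernameToken in message");
                }
                found = (WSUsernameTokenPrincipal) wser.getPrincipal();
            }
        }
        // Fail closed: a missing token or a bad password both reject the message.
        if (found == null || found.getPassword() == null
                || !store.verify(found.getName(), found.getPassword())) {
            throw new SecurityException("UsernameToken authentication failed");
        }
        return found.getName();
    }
}
```

Filtering on the action before casting avoids a ClassCastException when the same Security header also carries a timestamp or signature, and the password is handed only to the credential check, never logged.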

Applies To:

  • Apache WSS4J and Apache Rampart/Java
  • JDK - 1.4, 1.5