com.webmethods.caf.wsserver.auth

Class DefaultAuthInterceptor

java.lang.Object

com.webmethods.caf.wsserver.auth.DefaultAuthInterceptor

All Implemented Interfaces:

IWSServerAuthInterceptor, electric.soap.ISOAPInterceptor

public class DefaultAuthInterceptor
extends Object
implements IWSServerAuthInterceptor

Soap header request interceptor that extracts a SAML artifact from the SOAP headers, retrieves a SAML assertion and extracts the asserted user DN if SAML artifact is available.

If allowBasic is set to true, and a SAML artifact isn't available, then fall back to basic auth to the security provider

Constructor Summary

Constructors

Constructor and Description
DefaultAuthInterceptor(boolean allowBasic) Construct request interceptor and require than incoming SOAP messages must contain an artifact in the SOAP header.
DefaultAuthInterceptor(SAMLAssertionValidator samlValidator, electric.security.basic.BasicRealm basicRealmAuthenticator, String securityProviderEndpoint, boolean allowBasic) Construct request interceptor with the specified SAML security provider endpoint URL and specifying whether to enforce the SAML check
DefaultAuthInterceptor(String securityProviderURL) Construct request interceptor with the specified SAML security provider endpoint URL.
DefaultAuthInterceptor(String securityProviderURL, boolean allowBasic) Construct request interceptor with the specified SAML security provider endpoint URL and specifying whether to enforce the SAML check

Method Summary

Modifier and Type	Method and Description
protected boolean	doIntercept() Check if SOAP interception is required If Http session is already asserted, no interception is necessary.
boolean	getAllowAnonymous() Whether this interceptor will allow anonymous access
boolean	getAllowBasic()
String	getAuthenticatedUserDN() Get the user dn of the user associated with the HTTP session of the current thread.
electric.security.basic.BasicRealm	getBasicRealm() If IWSServerAuthInterceptor can be configured to allowBasic, then it must support instantiating one of these
protected HttpSession	getHttpSession()
protected SAMLAssertionValidator	getSamlValidator()
void	intercept(electric.soap.SOAPMessage message, electric.util.Context messageContext) Implementation of ISOAPInterceptor.
protected boolean	isAssertedSession() Does the session contain the flag that we already have an asserted user for this Session
protected void	performIntercept(Element textElement) Perform SOAP interception to verify the SAML assertion received in the SOAP header.
void	setAllowAnonymous(boolean allowAnonymous) Whether this interceptor will allow anonymous access
void	setAllowBasic(boolean allowBasic) Modify the enforce allowBasic to verify SAML artifact.
protected void	setAsserted(boolean asserted) Set a value into the current session to flag that we have an asserted user and don't require validation on subsequent requests
protected void	setSessionUser(String username) Store the name of the asserted user in the Session

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultAuthInterceptor

public DefaultAuthInterceptor(boolean allowBasic)

Construct request interceptor and require than incoming SOAP messages must contain an artifact in the SOAP header.

Parameters:

allowBasic - whether or not to allow fall back to basic auth

DefaultAuthInterceptor

public DefaultAuthInterceptor(String securityProviderURL)

Construct request interceptor with the specified SAML security provider endpoint URL. The presence of a SAML artifact in the SOAP header is not required.

Parameters:

securityProviderURL - - The URL of the SAML security provider web service as a String

DefaultAuthInterceptor

public DefaultAuthInterceptor(String securityProviderURL,
                              boolean allowBasic)

Construct request interceptor with the specified SAML security provider endpoint URL and specifying whether to enforce the SAML check

Parameters:

securityProviderURL - - The URL of the SAML security provider web service as a String

allowBasic - whether or not to allow fall back to basic auth

DefaultAuthInterceptor

public DefaultAuthInterceptor(SAMLAssertionValidator samlValidator,
                              electric.security.basic.BasicRealm basicRealmAuthenticator,
                              String securityProviderEndpoint,
                              boolean allowBasic)

Construct request interceptor with the specified SAML security provider endpoint URL and specifying whether to enforce the SAML check

Method Detail

intercept

public void intercept(electric.soap.SOAPMessage message,
                      electric.util.Context messageContext)

Implementation of ISOAPInterceptor. This method intercepts the inbound SOAP message to retrieve the SAML artifact header element.

Specified by:

intercept in interface electric.soap.ISOAPInterceptor

Parameters:

message - the SOAPMessage object.

messageContext - the context related to the SOAP message.

getBasicRealm

public electric.security.basic.BasicRealm getBasicRealm()

Description copied from interface: IWSServerAuthInterceptor

If IWSServerAuthInterceptor can be configured to allowBasic, then it must support instantiating one of these

Specified by:

getBasicRealm in interface IWSServerAuthInterceptor

setAllowBasic

public void setAllowBasic(boolean allowBasic)

Modify the enforce allowBasic to verify SAML artifact. A true value forces SAML artifact handling always. Otherwise the handling is done only if the artifact is present.

Specified by:

setAllowBasic in interface IWSServerAuthInterceptor

Parameters:

allowBasic - boolean set to true if SAML artifact verification is enforced, false otherwise.

getAllowBasic

public boolean getAllowBasic()

Specified by:

getAllowBasic in interface IWSServerAuthInterceptor

Returns:

whether this allows basic auth

getAllowAnonymous

public boolean getAllowAnonymous()

Whether this interceptor will allow anonymous access

Specified by:

getAllowAnonymous in interface IWSServerAuthInterceptor

setAllowAnonymous

public void setAllowAnonymous(boolean allowAnonymous)

Whether this interceptor will allow anonymous access

Specified by:

setAllowAnonymous in interface IWSServerAuthInterceptor

doIntercept

protected boolean doIntercept()

Check if SOAP interception is required If Http session is already asserted, no interception is necessary.

Returns:

true if this SOAP message requires intercept (the Session doesn't contain an asserted user)

performIntercept

protected void performIntercept(Element textElement)

Perform SOAP interception to verify the SAML assertion received in the SOAP header.

getSamlValidator

protected SAMLAssertionValidator getSamlValidator()

getAuthenticatedUserDN

public String getAuthenticatedUserDN()

Get the user dn of the user associated with the HTTP session of the current thread. However, if BasicAuth is used then you will only get a uid

Specified by:

getAuthenticatedUserDN in interface IWSServerAuthInterceptor

Returns:

String m_name of the user

setAsserted

protected void setAsserted(boolean asserted)

Set a value into the current session to flag that we have an asserted user and don't require validation on subsequent requests

setSessionUser

protected void setSessionUser(String username)

Store the name of the asserted user in the Session

isAssertedSession

protected boolean isAssertedSession()

Does the session contain the flag that we already have an asserted user for this Session

getHttpSession

protected HttpSession getHttpSession()

Returns:

the HTTP session associated with the current thread.