Validate security in an inbound SOAPMessage.
Calling code should create a com.sun.xml.wss.ProcessingContext object carrying the
runtime properties. Specifically, it should set the SecurityPolicy, the application
CallbackHandler or a SecurityEnvironment, and the static security policy context.
The SecurityPolicy instance can be of the following types:
- A concrete WSSPolicy
- A MessagePolicy
- A DynamicSecurityPolicy
A DynamicSecurityPolicy can in turn resolve to the following:
- A concrete WSSPolicy
- A MessagePolicy
For cases when policy resolution does not happen accurately because the
identification context was not available (for example, the operation name in
the message is encrypted), resolution can fall back to the enclosing
container configuration.
Policy resolution can happen as follows:
(a). The constructed StaticPolicyContext, the identifying context associated with
the configured security policies, is used to look up the configured
MessagePolicy/DynamicSecurityPolicy/WSSPolicy instances.
(b). NOTE: Relevant only when the SecurityPolicy is an ApplicationSecurityConfiguration, or the
root element of the security configuration file that was used to generate the SecurityPolicy is
<xwss:JAXRPCSecurity>.
In case an identifying context cannot be constructed because such
context has partly to be inferred from the message (for example, the operation
name contained as the element name of the SOAPBody), the resolved container
configuration is used as follows:
If C = {p1, p2, ..., pn}, where each pi belongs to the collection of MessagePolicies
held by the container, an inbound message is processed without application of a
policy, whence a policy representation of the metadata contained in the security
header is constructed as each header element is processed (iteration).
If P is the policy (MessagePolicy) that gets built upon each iteration, C
is reduced as follows:
redux(P, C, M)
where M is the SOAPMessage, and redux:
(1). eliminate all pi that are not loosely semantically equivalent to P, where
the equivalence is checked as follows:
(a). SignaturePolicy: equivalence of FeatureBinding and KeyBinding,
excepting target bindings contained in its FeatureBinding
(b). EncryptionPolicy: equivalence of FeatureBinding and KeyBinding,
excepting target bindings contained in its FeatureBinding
(c). AuthenticationTokenPolicy: equivalence of Feature and Key Bindings
(2). eliminate all pi whose target bindings, contained within the FeatureBindings,
are applicable to the message. Note that all required message parts should
be apparent post-processing; therefore, equivalence of target bindings
would be checked by comparing the Node sets of the SOAPMessage constructed
using the inferred target bindings with those contained in C.
After every such reduction, an attempt is made to resolve the policy identifier
(operation name) that can be used for policy resolution, which should be contained
in C and is used further for message processing.
Parameters:
context - an instance of com.sun.xml.wss.ProcessingContext
Throws:
com.sun.xml.wss.XWSSecurityException - if there was an unexpected error while verifying the message, or if the security in the incoming message violates the security policy that was applied to the message.
WssSoapFaultException - when security in the incoming message is in direct violation of the OASIS WSS specification. When a WssSoapFaultException is thrown, the getFaultCode() method on the WssSoapFaultException will return a QName that corresponds to the WSS-defined fault.
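The following is an added example, not part of the XWSS documentation or source, showing how calling code obtains a populated ProcessingContext and handles the two exception types described above. It uses the public XWSSProcessor API, which sets the SecurityPolicy and CallbackHandler on the ProcessingContext from a security configuration file; the configuration stream, the CallbackHandler implementation and the InboundVerifier class name are assumptions of this example.

```java
import java.io.InputStream;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;

import com.sun.xml.wss.ProcessingContext;
import com.sun.xml.wss.XWSSProcessor;
import com.sun.xml.wss.XWSSProcessorFactory;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.WssSoapFaultException;

// Example class (hypothetical name) wrapping inbound WS-Security verification.
public class InboundVerifier {

    private static final Logger LOG = Logger.getLogger(InboundVerifier.class.getName());

    private final XWSSProcessor processor;

    // securityConfig: stream of the xwss security configuration file whose policies
    // the inbound message must satisfy (assumed to be supplied by the caller).
    // handler: application CallbackHandler that supplies keys, certificates and
    // passwords to the processor (assumed application-provided class).
    public InboundVerifier(InputStream securityConfig, CallbackHandler handler)
            throws XWSSecurityException {
        XWSSProcessorFactory factory = XWSSProcessorFactory.newInstance();
        processor = factory.createProcessorForSecurityConfiguration(securityConfig, handler);
    }

    // Verifies the security header of an inbound message against the configured
    // policy and returns the processed message; any failure is propagated.
    public SOAPMessage verify(SOAPMessage inbound) throws XWSSecurityException {
        // The processor populates the ProcessingContext with the SecurityPolicy and
        // CallbackHandler derived from the configuration passed to the constructor.
        ProcessingContext ctx = processor.createProcessingContext(inbound);
        try {
            return processor.verifyInboundMessage(ctx);
        } catch (WssSoapFaultException e) {
            // Direct violation of the OASIS WSS specification: the fault code is the
            // WSS-defined QName (for example wsse:FailedCheck). Log it server-side and
            // let the transport layer turn it into a SOAP fault for the sender.
            QName faultCode = e.getFaultCode();
            LOG.warning("Inbound WS-Security fault: " + faultCode);
            throw e;
        }
        // XWSSecurityException (policy violation or unexpected error) propagates
        // to the caller, which should reject the message rather than process it.
    }
}
```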