Published on WSO2 Oxygen Tank (http://wso2.org)

How can I obtain UsernameToken information at the service?

By ruchith
Created 2006-06-13 03:00

When Apache Rampart/WSS4J is used to secure Web services in Axis2/Axis1.x (Rampart is the Axis2 module that provides WS-Security and WS-SecureConversation support), we can extract the results of security processing at any stage of the execution flow. Apache Rampart/WSS4J stores the results of security processing in the message context under the key WSHandlerConstants.RECV_RESULTS. This is a java.util.Vector of WSHandlerResult instances, each of which holds the security processing results of a "Security" header of a certain actor. If there is only one "Security" header, there will be only a single WSHandlerResult instance in the java.util.Vector instance. A WSHandlerResult instance contains another java.util.Vector instance, which contains WSSecurityEngineResult instances. These WSSecurityEngineResult instances carry the results of security processing of a particular "Security" header. The following code snippet shows how to extract WSSecurityEngineResult instances from the message context. Note: msgCtx is the message context instance.

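    // Imports required at the top of the file:
    import java.util.Vector;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    Vector results = null;
    if ((results = (Vector) msgCtx
            .getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
        // No security processing took place on this message
        throw new RuntimeException("No security results!!");
    } else {
        for (int i = 0; i < results.size(); i++) {
            // Get hold of the WSHandlerResult instance (one per "Security" header)
            WSHandlerResult rResult = (WSHandlerResult) results.get(i);
            Vector wsSecEngineResults = rResult.getResults();

            for (int j = 0; j < wsSecEngineResults.size(); j++) {
                // Get hold of the WSSecurityEngineResult instance
                WSSecurityEngineResult wser = (WSSecurityEngineResult)
                        wsSecEngineResults.get(j);

            }
        }
    }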

In the case where we have a single UsernameToken in a Security header there will be one WSSecurityEngineResult instance and one can extract UsernameToken information from it as shown below:

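    // Import required at the top of the file:
    import org.apache.ws.security.WSUsernameTokenPrincipal;

    // Extract the principal
    WSUsernameTokenPrincipal principal =
            (WSUsernameTokenPrincipal) wser.getPrincipal();

    // Get user/pass
    String user = principal.getName();
    String passwd = principal.getPassword();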

This is very useful when Apache Rampart/WSS4J processes an incoming UsernameToken that bears a plain text password, since Apache Rampart/WSS4J does not authenticate the UsernameToken. One can therefore authenticate the user in a handler or in the service implementation (anywhere that has access to the message context of the message that carried the UsernameToken).

Source URL:
http://wso2.org/library/169