How to access user credentials from EndPoint class

[kkelleher]

Hi,

How do you access the security token/ user principal from a Spring-WS endpoint?

I downloaded spring-ws-2.0.4.RELEASE and got the tutorial project ( in samples) working. Next I added security, via a custom validation handler, and that also works.

My soap request looks as follows

Code:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://education.gov.ie/ppod/schemas">
   <soapenv:Header>
       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
           <wsse:UsernameToken>
               <wsse:Username>Bert</wsse:Username> 
               <wsse:Password>Bert</wsse:Password> 
           </wsse:UsernameToken>
       </wsse:Security>
   </soapenv:Header> 
   <soapenv:Body>
      <sch:LookupSchoolRequest/>
   </soapenv:Body>
</soapenv:Envelope>

My endpoint looks as follows

Code:

@Endpoint
public class MyEndpoint {

    private static final String NAMESPACE_URI = "http://mycompany.com/hr/schemas";
    
    private MyService myService;
    
    @Autowired
    public MyEndpoint(MyService myService) {
        this.myService = myService;
    }
    
    
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "LookupSchoolRequest")
    public @ResponsePayload LookupSchoolResponse  handleLookupSchoolRequest(@RequestPayload LookupSchoolRequest lookupSchoolRequest  ) throws Exception {
    	//TODO : Pass on username to service
    	return  myService.getLookupSchoolResponse();
    	
    }
}

Now I want to pass the username into myService as it is used to determine what data is returned. So how do I do it?

Among things I tried

• I added a SoapHeader parameter to the handler method. It does not look possible to access the username token from SoapHeader. I streamed the soapHeader source into a String & saw nothing relating to the token.

Any help greatly appreciated, Thanks in advance.

Kevin

[kkelleher]

Hi,

Further testing today indicates to me that one cannot get access to the userNameToken using spring's SoapHeader.

Any ideas? I really could use some direction here. I'd hate to have to write bespoke security tags in the header to get around this. I'm sure I can't be the first to experience this problwm.

Thanks in advance,
Kevin

[kkelleher]

All,

I'm really blowing hard on this one.

A further update is that if I turn off my security interceptor, I can access the username is the SoapHeader.
As previously if I turn on my security interceptor, I can't access the username in the SoapHeader.

Does the interceptor strip out this info from the header?

Code:

    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "LookupSchoolRequest")
    public @ResponsePayload LookupSchoolResponse  handleLookupSchoolRequest(@RequestPayload LookupSchoolRequest lookupSchoolRequest, 
    		SoapHeader soapHeader  ) throws Exception {
    	
    	//String userName = getUserName( soapHeader);
    	//String userName = getAuthenticatedUserName();

    	return  ppodSynchService.getLookupSchoolResponse( schoolRollNo);
    	
    }
    
    
    
    
    //May not be needed at all if I sort out the security bit .... only work if security interceptor disabled.
    private String getUserName( SoapHeader soapHeader) throws Exception{
    	
    	 //TODO : KK : Trash code to get username from header. Do properly later if needed ....
    	
        final StringWriter requestXmlWriter = new StringWriter();
    	final Transformer trans = TransformerFactory.newInstance().newTransformer();
    	trans.transform(soapHeader.getSource(), new StreamResult(requestXmlWriter));
    	final String requestXml = requestXmlWriter.toString();
    	//System.out.println("KK : request XML" + requestXml);
    	int startIndex = requestXml.indexOf("<wsse:Username>");
    	int endIndex = requestXml.indexOf("</wsse:Username>");
    	//System.out.println("KK : request XML sub string - " + requestXml.substring(startIndex + "<wsse:Username>".length() , endIndex));

    	return requestXml.substring(startIndex + "<wsse:Username>".length() , endIndex);
    }

    //Doesn't work ..... null pointer exeception thrown on line that gets principal ...
    private String getAuthenticatedUserName(){
    	
    	String username;
    	Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

    	if (principal instanceof UserDetails) {
    	  username = ((UserDetails)principal).getUsername();
    	} else {
    	  username = principal.toString();
    	}
    	
    	return username;
    }

Regards,
Kevin

[ndewet]

Hi Kevin,

I experienced the same problem as you (the security credentials dissapearing and it being associated with XwsSecurityInterceptor).

Although suboptimal when it came to my needs, I ended up having XwsSecurityInterceptor as the final interceptor, just so I could get the username from the SOAP header.

My use case had to do with monitoring the hits / sec per username.

Cheers,
Nico

[kkelleher]

Cheers Nico,

I'm thinking this has to be a spring bug. What's your opinion?

Kevin

BTW, Thanks for the "heads up" re the interceptor chain. From what you say, it looks like the order in which the interceptors are executed is the order in which they appears in the config file.

[ndewet]

I'm thinking this has to be a spring bug. What's your opinion?

It could be by design, uncertain. The main developer or documentation or source will have to tell us.

BTW, Thanks for the "heads up" re the interceptor chain. From what you say, it looks like the order in which the interceptors are executed is the order in which they appears in the config file.

Yes that is what I experienced.