Wss4jSecurityInterceptor, don't remove Security Header. [SWS-884]

[gregturn]

Jimmy Selgen Nielsen opened SWS-884 and commented

When Wss4jSecurityInterceptor.validateMessage successfully validates an incoming message, it automatically removes the Security element from the SOAP header.

It would be nice to have an option to disable this functionality, so that the Security Element is left intact, so that the elements contained within (mainly X.509 certificates) can be accessed later on.

There's one line of code to "change" - Wss4jSecurityInterceptor.java:634:
soapMessage.getEnvelope().getHeader().removeHeaderElement(WS_SECURITY_NAME);

---

Affects: 2.2.0.RELEASE

Referenced from: commits 25408a7, 4ce9e67

[gregturn]

jaminh commented

You should be able to access that from the MessageContext like so, messageContext.getProperty(WSHandlerConstants.RECV_RESULTS);

That will return a List<WSHandlerResult>. Each WSHandlerResult contains a List<WSSecurityEngineResult>. You will need to go through each WSSecurityEngineResult and find one that contains a key of WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN. The value associated with that key should get you the X509 certificate you are looking for. It is kind of a convoluted way of getting it but that should work for you.

[gregturn]

Jimmy Selgen Nielsen commented

I guess my real problem is, that when I try to fetch the WS-Security header, Apache Camel has taken over, and the messageContext is nowhere to be found. It has been replaced by an Exchange object, which is created from the messageContext.
I guess I should raise the issue with Apache Camel instead.

Thanks.

[gregturn]

Greg Turnquist commented

@Jimmy I can put in a flag that lets you disable this default behavior and leave the security header intact. Would that help, or is Apache Camel still an issue?

[gregturn]

Jimmy Selgen Nielsen commented

@Greg I'm currently getting around this issue by using my own Wss4JSecurityInterceptor, where I've commented out that line, The only thing I need from the header is access to the embedded X.509v3 certificate, so that I can pass it along with the message, so yes, it would solve it for me, but I'm not in a position to say if its the right way of doing it.

Camel removes the WSHandlerResult list when it creates its CamelContext from the MassageContext, and ive raised an issue with Camel on this.

[gregturn]

Greg Turnquist commented

I've coded a patch to hold onto the security header, and asked Arjen to review my edits when possible.

[gregturn]

Greg Turnquist commented

Added option to configure Wss4jSecurityInterceptor to hold onto security headers.