  1. import org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor;
  2. import org.apache.cxf.configuration.security.AuthorizationPolicy;
  3. import org.apache.cxf.endpoint.Endpoint;
  4. import org.apache.cxf.interceptor.Fault;
  5. import org.apache.cxf.message.Exchange;
  6. import org.apache.cxf.message.Message;
  7. import org.apache.cxf.transport.Conduit;
  8. import org.apache.cxf.ws.addressing.EndpointReferenceType;
  9. import org.slf4j.Logger;
  10. import org.slf4j.LoggerFactory;
  11.  
  12. import java.io.IOException;
  13. import java.io.OutputStream;
  14. import java.net.HttpURLConnection;
  15. import java.util.Arrays;
  16. import java.util.Map;
  17.  
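  /**
   * CXF interceptor that checks the HTTP Basic credentials CXF placed on the inbound
   * message (as an {@link AuthorizationPolicy}) and aborts the interceptor chain with an
   * HTTP error response when they are missing or wrong.
   *
   * <p>On success the user name is stored via {@code SecurityContextHolder.setPrincipal}.
   * Basic authentication carries the password in a reversible encoding, so the endpoint
   * should only be exposed over TLS.
   */
  public class BasicAuthAuthorizationInterceptor extends SoapHeaderInterceptor {

      protected static final Logger log = LoggerFactory.getLogger(BasicAuthAuthorizationInterceptor.class);

      /**
       * Authenticates the caller of an inbound message.
       *
       * <p>Sends 401 when no credentials were supplied and 403 when they do not match.
       * In both cases the chain is aborted and no principal is set.
       *
       * @param message the inbound CXF message
       * @throws Fault declared by the interceptor contract; not thrown directly here
       */
      @Override
      public void handleMessage(Message message) throws Fault {
          // Start from a clean context so a principal set for an earlier message
          // cannot be mistaken for this caller (SecurityContextHolder is not shown here).
          SecurityContextHolder.clear();

          // This is set by CXF. If it is absent the client sent no credentials,
          // so ask for them with a 401.
          AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
          if (policy == null) {
              sendErrorResponse(message, HttpURLConnection.HTTP_UNAUTHORIZED);
              return;
          }

          String userName = policy.getUserName();
          String realPassword = getAcualPassword(userName);
          if (!passwordsMatch(realPassword, policy.getPassword())) {
              // Parameterized logging with CR/LF stripped: the user name is attacker-controlled
              // and must not be able to forge additional log lines.
              log.warn("Invalid username or password for user: {}", sanitizeForLog(userName));
              sendErrorResponse(message, HttpURLConnection.HTTP_FORBIDDEN);
              // Without this return the rejected user name would still be installed as
              // the principal below.
              return;
          }
          SecurityContextHolder.setPrincipal(userName);
      }

      /**
       * Returns the password expected for {@code userName}, or {@code null} if unknown.
       *
       * <p>NOTE(review): placeholder implementation. It ignores {@code userName} and returns
       * one hard-coded password, so every user name authenticates with the same secret.
       * Replace with a lookup against a credential store that keeps salted password hashes
       * (bcrypt/scrypt/argon2) before this interceptor guards anything real.
       */
      private String getAcualPassword(String userName) {
          return "password";
      }

      /**
       * Compares the expected and supplied passwords without short-circuiting on the first
       * differing character, to avoid leaking how much of a guess was correct through timing.
       *
       * @return {@code true} only when both values are non-null and equal
       */
      private static boolean passwordsMatch(String expected, String supplied) {
          if (expected == null || supplied == null) {
              return false;
          }
          return java.security.MessageDigest.isEqual(
                  expected.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                  supplied.getBytes(java.nio.charset.StandardCharsets.UTF_8));
      }

      /** Replaces line breaks in an untrusted value so it stays on one log line. */
      private static String sanitizeForLog(String value) {
          return String.valueOf(value).replaceAll("[\\r\\n]", "_");
      }

      /**
       * Aborts the interceptor chain and writes an empty response with the given status
       * code and a {@code WWW-Authenticate} challenge.
       *
       * @param message the inbound message being rejected
       * @param responseCode the HTTP status to return
       */
      @SuppressWarnings("unchecked") // PROTOCOL_HEADERS is stored untyped on the message
      private void sendErrorResponse(Message message, int responseCode) {
          Message outMessage = getOutMessage(message);
          outMessage.put(Message.RESPONSE_CODE, responseCode);

          // Set the response headers. getOutMessage() copied the inbound entries into
          // outMessage, so this is presumably the same map object the response carries.
          Map<String, java.util.List<String>> responseHeaders =
                  (Map<String, java.util.List<String>>) message.get(Message.PROTOCOL_HEADERS);
          if (responseHeaders != null) {
              responseHeaders.put("WWW-Authenticate", Arrays.asList("Basic realm=realm"));
              responseHeaders.put("Content-length", Arrays.asList("0"));
          }

          // Stop further interceptors (and the service itself) from running.
          message.getInterceptorChain().abort();
          try {
              getConduit(message).prepare(outMessage);
              close(outMessage);
          } catch (IOException e) {
              log.warn(e.getMessage(), e);
          }
      }

      /**
       * Returns the exchange's outbound message, creating and registering one from the
       * endpoint binding if none exists, and copies the inbound message's entries into it.
       */
      private Message getOutMessage(Message inMessage) {
          Exchange exchange = inMessage.getExchange();
          Message outMessage = exchange.getOutMessage();
          if (outMessage == null) {
              Endpoint endpoint = exchange.get(Endpoint.class);
              outMessage = endpoint.getBinding().createMessage();
              exchange.setOutMessage(outMessage);
          }
          outMessage.putAll(inMessage);
          return outMessage;
      }

      /**
       * Obtains the back-channel conduit for the inbound message and registers it on the
       * exchange.
       *
       * @throws IOException if the destination cannot provide a back channel
       */
      private Conduit getConduit(Message inMessage) throws IOException {
          Exchange exchange = inMessage.getExchange();
          EndpointReferenceType target = exchange.get(EndpointReferenceType.class);
          Conduit conduit = exchange.getDestination().getBackChannel(inMessage, null, target);
          exchange.setConduit(conduit);
          return conduit;
      }

      /**
       * Flushes and closes the outbound message's stream, if it has one.
       *
       * @throws IOException if flushing or closing fails
       */
      private void close(Message outMessage) throws IOException {
          // try-with-resources closes the stream even when flush() throws, and
          // tolerates a null resource.
          try (OutputStream os = outMessage.getContent(OutputStream.class)) {
              if (os != null) {
                  os.flush();
              }
          }
      }
  }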