.getSigCrypto(), reqData.getDecCrypto());
}
catch (WSSecurityException ex)
{
log.error(ex);
throw new XFireFault("WSS4JInHandler: security processing failed", ex,
XFireFault.SENDER);
}
if (tlog.isDebugEnabled())
{
t2 = System.currentTimeMillis();
}
if (wsResult == null)
{ // no security header found
if (doAction == WSConstants.NO_SECURITY)
{
return;
}
else
{
log.error("WSS4JInHandler: Request does not contain required Security header");
throw new XFireFault(
"WSS4JInHandler: Request does not contain required Security header",
XFireFault.SENDER);
}
}
if (reqData.getWssConfig().isEnableSignatureConfirmation())
{
checkSignatureConfirmation(reqData, wsResult);
}
/*
* Now we can check the certificate used to sign the message. In the
* following implementation the certificate is only trusted if
* either it itself or the certificate of the issuer is installed in
* the keystore.
*
* Note: the method verifyTrust(X509Certificate) allows custom
* implementations with other validation algorithms for subclasses.
*/
// Extract the signature action result from the action vector
WSSecurityEngineResult actionResult = WSSecurityUtil
.fetchActionResult(wsResult, WSConstants.SIGN);
if (actionResult != null)
{
X509Certificate returnCert = actionResult.getCertificate();
if (returnCert != null)
{
if (!verifyTrust(returnCert, reqData))
{
log.error("WSS4JInHandler: The certificate used for the signature is not trusted");
throw new XFireFault(
"WSS4JInHandler: The certificate used for the signature is not trusted",
XFireFault.SENDER);
}
}
}
/*
* Perform further checks on the timestamp that was transmitted in
* the header. In the following implementation the timestamp is
* valid if it was created after (now-ttl), where ttl is set on
* server side, not by the client.
*
* Note: the method verifyTimestamp(Timestamp) allows custom
* implementations with other validation algorithms for subclasses.
*/
// Extract the timestamp action result from the action vector
actionResult = WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
if (actionResult != null)
{
Timestamp timestamp = actionResult.getTimestamp();
if (timestamp != null)
{
if (!verifyTimestamp(timestamp, decodeTimeToLive(reqData)))
{
log.error("WSS4JInHandler: The timestamp could not be validated");
throw new XFireFault(
"WSS4JInHandler: The timestamp could not be validated",
XFireFault.SENDER);
}
}
}
/*
* now check the security actions: do they match, in right order?
*/
if (!checkReceiverResults(wsResult, actions))
{
log.error("WSS4JInHandler: security processing failed (actions mismatch)");
throw new XFireFault(
"WSS4JInHandler: security processing failed (actions mismatch)",
XFireFault.SENDER);
}
/*