/**
 * Enriches the given audit dataset with elements from the XUA token (the SAML2
 * assertion carried in the given CXF message).
 * <p>
 * The work itself is done by {@code xuaProcessor}; this method merely forwards
 * its arguments unchanged and performs no validation of the assertion on its own.
 *
 * @param message         source CXF message.
 * @param headerDirection direction of the header containing the SAML2 assertion.
 * @param auditDataset    target ATNA audit dataset.
 */
protected static void enrichAuditDatasetFromXuaToken(
        SoapMessage message,
        Header.Direction headerDirection,
        WsAuditDataset auditDataset) {
    // pure delegation -- keep the signature stable for subclasses calling it
    xuaProcessor.enrichAuditDatasetFromXuaToken(message, headerDirection, auditDataset);
}
/**
 * Creates an inbound request auditing interceptor.
 * <p>
 * The interceptor is registered in the {@link Phase#UNMARSHAL} phase and ordered
 * after the {@link DocLiteralInInterceptor}.
 *
 * @param auditStrategy              audit strategy passed to the superclass.
 * @param auditContext               audit context passed to the superclass.
 * @param wsTransactionConfiguration Web Service transaction configuration, kept
 *                                   for use in {@code process()}.
 */
public AuditInRequestInterceptor(
        AuditStrategy<T> auditStrategy,
        AuditContext auditContext,
        WsTransactionConfiguration<T> wsTransactionConfiguration) {
    super(Phase.UNMARSHAL, auditStrategy, auditContext);
    this.wsTransactionConfiguration = wsTransactionConfiguration;
    // must run after CXF has processed the document-literal input
    addAfter(DocLiteralInInterceptor.class.getName());
}
/**
 * Creates an outbound request auditing interceptor.
 * <p>
 * The interceptor is registered in the {@link Phase#PRE_PROTOCOL_ENDING} phase and
 * ordered after the {@link OutPayloadExtractorInterceptor}.
 *
 * @param auditStrategy              audit strategy passed to the superclass.
 * @param auditContext               audit context passed to the superclass.
 * @param correlator                 correlator used to store audit datasets of
 *                                   asynchronous invocations.
 * @param wsTransactionConfiguration Web Service transaction configuration.
 */
public AuditOutRequestInterceptor(
        AuditStrategy<T> auditStrategy,
        AuditContext auditContext,
        AsynchronyCorrelator<T> correlator,
        WsTransactionConfiguration<T> wsTransactionConfiguration) {
    super(Phase.PRE_PROTOCOL_ENDING, auditStrategy, auditContext);
    this.wsTransactionConfiguration = wsTransactionConfiguration;
    this.correlator = correlator;
    // the payload extractor must have run before this interceptor
    addAfter(OutPayloadExtractorInterceptor.class.getName());
}
/**
 * Fills the audit dataset of an inbound request: transport addresses, XUA token
 * elements, client certificate CN, optionally the request payload, and finally
 * the strategy-specific request data. HTTP GET requests are not audited.
 *
 * @param message inbound CXF message.
 */
@Override
protected void process(SoapMessage message) {
    if (isGET(message)) {
        // nothing to audit for GET requests
        return;
    }

    T auditDataset = getAuditDataset(message);
    extractAddressesFromServletRequest(message, auditDataset);
    enrichAuditDatasetFromXuaToken(message, Header.Direction.DIRECTION_IN, auditDataset);
    // TODO Also extract basic auth user?
    extractClientCertificateCommonName(message, auditDataset);

    if (wsTransactionConfiguration.isAuditRequestPayload()) {
        auditDataset.setRequestPayload(message.getContent(StringPayloadHolder.class));
    }

    AuditStrategy<T> strategy = getAuditStrategy();
    Object requestPojo = extractPojo(message);
    strategy.enrichAuditDatasetFromRequest(auditDataset, requestPojo, message);
}
/**
 * Fills the audit dataset of an outbound request: endpoint address, XUA token
 * elements, optionally the request payload, the strategy-specific request data,
 * and -- for asynchronous invocations -- stores the dataset in the correlator
 * under the WS-Addressing message ID. HTTP GET requests are not audited.
 *
 * @param message outbound CXF message.
 */
@Override
protected void process(SoapMessage message) {
    if (isGET(message)) {
        return;
    }

    T auditDataset = getAuditDataset(message);
    String endpointAddress = (String) message.get(Message.ENDPOINT_ADDRESS);
    auditDataset.setRemoteAddress(endpointAddress);
    auditDataset.setDestinationUserId(endpointAddress);
    enrichAuditDatasetFromXuaToken(message, Header.Direction.DIRECTION_OUT, auditDataset);

    Object request = extractPojo(message);

    // Get request payload, handle different variants thereby:
    // a) for HL7v3-based transactions, payload corresponds to the "main" message;
    // b) for ebXML-based transactions, rely on the {@link OutPayloadExtractorInterceptor}.
    if (wsTransactionConfiguration.isAuditRequestPayload()) {
        if (request instanceof String) {
            auditDataset.setRequestPayload((String) request);
        } else {
            auditDataset.setRequestPayload(message.getContent(StringPayloadHolder.class));
        }
    }

    getAuditStrategy().enrichAuditDatasetFromRequest(auditDataset, request, message);

    // when the invocation is asynchronous: store audit dataset into the correlator
    AddressingProperties props =
            (AddressingProperties) message.get(JAXWSAConstants.ADDRESSING_PROPERTIES_OUTBOUND);
    if (props != null && requiresCorrelation(message, props)) {
        correlator.storeAuditDataset(props.getMessageID().getValue(), auditDataset);
    }
}

/**
 * Decides whether the audit dataset of this request must be kept for correlation
 * with a later asynchronous response: either correlation is forced via the
 * {@link AsynchronyCorrelator#FORCE_CORRELATION} property, or the ReplyTo address
 * is not the WS-Addressing anonymous address.
 *
 * @param message outbound CXF message.
 * @param props   outbound WS-Addressing properties (non-null).
 * @return {@code true} when the dataset has to be stored in the correlator.
 */
private static boolean requiresCorrelation(SoapMessage message, AddressingProperties props) {
    boolean forced = Boolean.TRUE.equals(
            message.getContextualProperty(AsynchronyCorrelator.FORCE_CORRELATION));
    if (forced) {
        return true;
    }
    // NOTE(review): assumes ReplyTo and its address are always present on outbound
    // addressing properties -- confirm, otherwise this dereference may throw
    String replyTo = props.getReplyTo().getAddress().getValue();
    return !Names.WSA_ANONYMOUS_ADDRESS.equals(replyTo);
}
@Override protected void process(SoapMessage message) { if (isGET(message)) { return; Object response = extractPojo(message); AuditStrategy<T> auditStrategy = getAuditStrategy(); if (! auditStrategy.isAuditableResponse(response)) { return; auditDataset = getAuditDataset(message); extractUserIdFromWSAddressing( message, isClient(asyncReceiver, serverSide), serverSide, auditDataset); || (response == null)) auditDataset.setEventOutcomeIndicator(EventOutcomeIndicator.SeriousFailure); } else { auditStrategy.enrichAuditDatasetFromResponse(auditDataset, response, getAuditContext()); auditStrategy.doAudit(getAuditContext(), auditDataset);
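/**
 * Extracts service URI and client IP address from the servlet request, if present.
 * <p>
 * When the message carries no {@link AbstractHTTPDestination#HTTP_REQUEST} property
 * (presumably a non-servlet transport -- confirm), the dataset is left untouched
 * instead of failing with a {@code NullPointerException}.
 *
 * @param message      CXF message currently being processed.
 * @param auditDataset target audit dataset, updated in place.
 */
protected static void extractAddressesFromServletRequest(
        SoapMessage message,
        WsAuditDataset auditDataset) {
    HttpServletRequest request =
            (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
    if (request == null) {
        // no servlet request available -- nothing to extract
        return;
    }
    // Peer address of the connection; behind a reverse proxy this is the proxy's
    // address, not the original client's.
    auditDataset.setRemoteAddress(request.getRemoteAddr());
    // Server name as seen in the request (per the Servlet spec derived from the
    // Host header when present), not the bound socket address -- #238
    auditDataset.setLocalAddress(request.getServerName());
    // Full request URL as reconstructed by the container
    auditDataset.setDestinationUserId(request.getRequestURL().toString());
}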
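/**
 * Installs the server-side auditing interceptors, unless the user has switched
 * auditing off (i.e. {@code auditStrategy} is {@code null}).
 * <p>
 * When request payload auditing is enabled, an {@link InPayloadExtractorInterceptor}
 * for the SOAP body is installed first. The single {@link AuditResponseInterceptor}
 * instance is registered for both normal and fault output so that failures are
 * audited as well.
 *
 * @param svrFactory server factory bean to configure.
 */
@Override
protected void configureInterceptors(ServerFactoryBean svrFactory) {
    super.configureInterceptors(svrFactory);

    // install auditing-related interceptors if the user has not switched auditing off
    if (auditStrategy == null) {
        return;
    }

    if (wsTransactionConfiguration.isAuditRequestPayload()) {
        svrFactory.getInInterceptors().add(new InPayloadExtractorInterceptor(SOAP_BODY));
    }
    svrFactory.getInInterceptors().add(new AuditInRequestInterceptor<>(
            auditStrategy, auditContext, wsTransactionConfiguration));

    AuditResponseInterceptor<AuditDatasetType> auditInterceptor =
            new AuditResponseInterceptor<>(auditStrategy, auditContext, true, null, false);
    svrFactory.getOutInterceptors().add(auditInterceptor);
    svrFactory.getOutFaultInterceptors().add(auditInterceptor);
}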
/**
 * Installs the client-side auditing interceptors, unless the user has switched
 * auditing off (i.e. {@code auditStrategy} is {@code null}).
 * <p>
 * Payload interceptors are installed only when request payload auditing is enabled.
 * The single {@link AuditResponseInterceptor} instance is registered for both normal
 * and fault input so that failures are audited as well.
 *
 * @param client CXF client to configure.
 */
@Override
protected void configureInterceptors(Client client) {
    super.configureInterceptors(client);

    // install auditing-related interceptors if the user has not switched auditing off
    if (auditStrategy == null) {
        return;
    }

    if (wsTransactionConfiguration.isAuditRequestPayload()) {
        installPayloadInterceptors(client);
    }
    client.getOutInterceptors().add(new AuditOutRequestInterceptor<>(
            auditStrategy, auditContext, correlator, getWsTransactionConfiguration()));

    AuditResponseInterceptor<AuditDatasetType> auditInterceptor =
            new AuditResponseInterceptor<>(auditStrategy, auditContext, false, correlator, false);
    client.getInInterceptors().add(auditInterceptor);
    client.getInFaultInterceptors().add(auditInterceptor);
}
}
/**
 * Installs the auditing interceptors on the server factory, unless the user has
 * switched auditing off (i.e. {@code auditStrategy} is {@code null}).
 * <p>
 * When request payload auditing is enabled, an {@link InPayloadExtractorInterceptor}
 * for the SOAP body is installed first. The single {@link AuditResponseInterceptor}
 * instance is registered on both the normal and the fault input chain.
 *
 * @param svrFactory server factory bean to configure.
 */
@Override
protected void configureInterceptors(ServerFactoryBean svrFactory) {
    super.configureInterceptors(svrFactory);

    // install auditing-related interceptors if the user has not switched auditing off
    if (auditStrategy == null) {
        return;
    }

    if (wsTransactionConfiguration.isAuditRequestPayload()) {
        svrFactory.getInInterceptors().add(new InPayloadExtractorInterceptor(SOAP_BODY));
    }

    AuditResponseInterceptor<AuditDatasetType> auditInterceptor =
            new AuditResponseInterceptor<>(auditStrategy, auditContext, false, correlator, true);
    svrFactory.getInInterceptors().add(auditInterceptor);
    svrFactory.getInFaultInterceptors().add(auditInterceptor);
}
}
auditDataset.setSourceUserId(address.getValue()); if (auditDataset.getSourceUserId() == null) { LOG.info("Missing WS-Addressing headers"); auditDataset.setSourceUserId("unknown");
/**
 * Returns the audit dataset associated with the given message.
 * <p>
 * If the message (or its exchange) does not yet carry a dataset under
 * {@code DATASET_CONTEXT_KEY}, a new one is created via the {@link AuditStrategy}
 * and stored in the message's exchange so that later interceptors find it.
 *
 * @param message CXF message currently handled by this interceptor.
 * @return the audit dataset, or <code>null</code> when none existed and the
 *         strategy could not create one (a warning is logged in that case).
 */
protected T getAuditDataset(SoapMessage message) {
    T existing = InterceptorUtils.findContextualProperty(message, DATASET_CONTEXT_KEY);
    if (existing != null) {
        return existing;
    }

    T created = getAuditStrategy().createAuditDataset();
    if (created == null) {
        // callers dereference the result, hence the warning text
        LOG.warn("Cannot obtain audit dataset instance, NPE is pending");
        return null;
    }
    message.getExchange().put(DATASET_CONTEXT_KEY, created);
    return created;
}
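/**
 * Extracts the common name (CN) from the TLS client certificate, if the message
 * arrived over a TLS session in which the peer presented a certificate, and stores
 * it as the source user name of the audit dataset.
 * <p>
 * Only the first element of the peer certificate array is inspected. The CN is as
 * trustworthy as the TLS layer's chain validation; no validation is done here.
 * Any failure (unparsable DN, non-X.509 certificate, ...) is logged and otherwise
 * ignored, leaving the dataset untouched.
 *
 * @param message      CXF message currently being processed.
 * @param auditDataset target audit dataset, updated in place.
 */
protected static void extractClientCertificateCommonName(
        SoapMessage message,
        WsAuditDataset auditDataset) {
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    if (tlsInfo == null) {
        // not a TLS connection
        return;
    }
    Certificate[] certificates = tlsInfo.getPeerCertificates();
    if (certificates == null || certificates.length == 0) {
        // no client certificate presented
        return;
    }
    try {
        X509Certificate certificate = (X509Certificate) certificates[0];
        // getSubjectX500Principal().getName() yields an RFC 2253 string, which is the
        // format LdapName parses; getSubjectDN() is denigrated and its string format
        // is implementation-specific.
        String dn = certificate.getSubjectX500Principal().getName();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                auditDataset.setSourceUserName((String) rdn.getValue());
                break;
            }
        }
    } catch (Exception e) {
        // best effort: a missing or malformed CN must not break request processing
        LOG.info("Could not extract CN from client certificate", e);
    }
}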
/**
 * Configures the client: switches the service to {@link PlainXmlDataBinding} and,
 * unless the user has switched auditing off (i.e. {@code auditStrategy} is
 * {@code null}), registers a single {@link AuditResponseInterceptor} instance on
 * both the normal and the fault output chain.
 *
 * @param client CXF client to configure.
 */
@Override
protected void configureInterceptors(Client client) {
    super.configureInterceptors(client);
    client.getEndpoint().getService().setDataBinding(new PlainXmlDataBinding());

    if (auditStrategy == null) {
        return;
    }
    AuditResponseInterceptor<Hl7v3AuditDataset> auditInterceptor =
            new AuditResponseInterceptor<>(auditStrategy, auditContext, true, null, false);
    client.getOutInterceptors().add(auditInterceptor);
    client.getOutFaultInterceptors().add(auditInterceptor);
}
}