Posted to commits@cxf.apache.org by co...@apache.org on 2014/01/17 15:56:09 UTC
svn commit: r1559126 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/
systests/ws-sec...
Author: coheigea
Date: Fri Jan 17 14:56:09 2014
New Revision: 1559126
URL: http://svn.apache.org/r1559126
Log:
Allow returning Replay Attack messages
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Fri Jan 17 14:56:09 2014
@@ -801,11 +801,11 @@ public class WSS4JInInterceptor extends
private SoapFault
createSoapFault(SoapVersion version, WSSecurityException e) {
SoapFault fault;
- javax.xml.namespace.QName faultCode = e.getFaultCode();
- String errorMessage = WSS4JUtils.mapFaultCodeToMessage(faultCode);
+ String errorMessage = WSS4JUtils.getSafeExceptionMessage(e);
if (errorMessage == null) {
errorMessage = e.getMessage();
}
+ javax.xml.namespace.QName faultCode = e.getFaultCode();
if (version.getVersion() == 1.1 && faultCode != null) {
fault = new SoapFault(errorMessage, e, faultCode);
} else {
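Review bot: The `if (errorMessage == null) { errorMessage = e.getMessage(); }` fallback that now follows the `getSafeExceptionMessage(e)` call undoes the sanitisation for any WSSecurityException whose fault code is not in the mapped set (including a null fault code), because the raw exception text is then sent to the client in the SOAP fault. If the helper's stated goal is not to leak internal configuration, the fallback should be a fixed generic string rather than `e.getMessage()`, e.g. `errorMessage = "An error was discovered processing the <wsse:Security> header.";`, with the original exception still attached as the cause for server-side logging. createSoapFault's body continues past the end of this hunk, so I cannot see whether a later branch already handles this.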
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Fri Jan 17 14:56:09 2014
@@ -41,6 +41,7 @@ import org.apache.cxf.ws.security.tokens
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.cache.ReplayCacheFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
@@ -231,10 +232,18 @@ public final class WSS4JUtils {
}
/**
- * Map a standard FaultCode QName to a standard error String
+ * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
+ * internal configuration to an attacker.
*/
- public static String mapFaultCodeToMessage(QName faultCode) {
+ public static String getSafeExceptionMessage(WSSecurityException ex) {
+ // Allow a Replay Attack message to be returned, otherwise it could be confusing
+ // for clients who don't understand the default caching functionality of WSS4J/CXF
+ if (ex.getMessage() != null && ex.getMessage().contains("replay attack")) {
+ return ex.getMessage();
+ }
+
String errorMessage = null;
+ QName faultCode = ex.getFaultCode();
if (WSConstants.UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
errorMessage = UNSUPPORTED_TOKEN_ERR;
} else if (WSConstants.UNSUPPORTED_ALGORITHM.equals(faultCode)) {
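Review bot: The early return at the top of getSafeExceptionMessage echoes `ex.getMessage()` verbatim whenever it merely contains the substring "replay attack", which is at odds with the Javadoc's "so as not to leak internal configuration" and makes the sanitiser depend on free-form message text. If WSS4J ever appends the replayed nonce, timestamp or assertion ID (or a wrapped cause's message) to that text, it would be returned to the caller unfiltered; I cannot tell from this hunk whether any current message does so. Returning a fixed string keeps the client-friendly hint without the pass-through, e.g. `if (ex.getMessage() != null && ex.getMessage().contains("replay attack")) { return "A replay attack has been detected"; }`, ideally keyed off a dedicated error code if WSS4J exposes one rather than a substring match. The rest of the fault-code mapping continues outside this hunk.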
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java Fri Jan 17 14:56:09 2014
@@ -150,7 +150,7 @@ public class ActionTest extends Abstract
port.doubleIt(25);
fail("Failure expected on a replayed UsernameToken");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- String error = "An error was discovered processing the <wsse:Security> header.";
+ String error = "A replay attack has been detected";
assertTrue(ex.getMessage().contains(error));
}
@@ -212,7 +212,7 @@ public class ActionTest extends Abstract
port.doubleIt(25);
fail("Failure expected on a replayed Timestamp");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- String error = "An error was discovered processing the <wsse:Security> header.";
+ String error = "A replay attack has been detected";
assertTrue(ex.getMessage().contains(error));
}
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Fri Jan 17 14:56:09 2014
@@ -953,9 +953,8 @@ public class SamlTokenTest extends Abstr
saml2Port.doubleIt(25);
fail("Failure expected on a replayed SAML Assertion");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- String error = "An error was discovered processing the <wsse:Security> header.";
- assertTrue(ex.getMessage().contains(error)
- || ex.getMessage().contains("A replay attack has been detected"));
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
}
((java.io.Closeable)saml2Port).close();
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java Fri Jan 17 14:56:09 2014
@@ -369,7 +369,7 @@ public class UsernameTokenTest extends A
utPort.doubleIt(25);
fail("Failure expected on a replayed UsernameToken");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- String error = "An error was discovered processing the <wsse:Security> header.";
+ String error = "A replay attack has been detected";
String error2 = "The security token could not be authenticated or authorized";
assertTrue(ex.getMessage().contains(error) || ex.getMessage().contains(error2));
}
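Review bot: The updated assertion still accepts `error2` ("The security token could not be authenticated or authorized"), so this test passes even if the replay path never produces the new "A replay attack has been detected" message, which is the behaviour the commit claims to add. If the UsernameToken replay can legitimately surface as an authentication failure on some configurations, a one-line comment above `String error2` saying so would stop a future reader from "tightening" it incorrectly; otherwise the `|| ex.getMessage().contains(error2)` clause should be dropped as SamlTokenTest did. The enclosing test method starts before this hunk.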
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Fri Jan 17 14:56:09 2014
@@ -925,7 +925,7 @@ public class X509TokenTest extends Abstr
x509Port.doubleIt(25);
fail("Failure expected on a replayed Timestamp");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
- String error = "An error was discovered processing the <wsse:Security> header.";
+ String error = "A replay attack has been detected";
assertTrue(ex.getMessage().contains(error)
|| ex.getMessage().contains("The message has expired"));
}