Posted to commits@cxf.apache.org by co...@apache.org on 2014/01/17 16:26:47 UTC
svn commit: r1559148 - in /cxf/branches/2.6.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/
Author: coheigea
Date: Fri Jan 17 15:26:47 2014
New Revision: 1559148
URL: http://svn.apache.org/r1559148
Log:
Standardizing security error messages
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Modified:
cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1559148&r1=1559147&r2=1559148&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Fri Jan 17 15:26:47 2014
@@ -762,11 +762,15 @@ public class WSS4JInInterceptor extends
private SoapFault
createSoapFault(SoapVersion version, WSSecurityException e) {
SoapFault fault;
+ String errorMessage = WSS4JUtils.getSafeExceptionMessage(e);
+ if (errorMessage == null) {
+ errorMessage = e.getMessage();
+ }
javax.xml.namespace.QName faultCode = e.getFaultCode();
if (version.getVersion() == 1.1 && faultCode != null) {
- fault = new SoapFault(e.getMessage(), e, faultCode);
+ fault = new SoapFault(errorMessage, e, faultCode);
} else {
- fault = new SoapFault(e.getMessage(), e, version.getSender());
+ fault = new SoapFault(errorMessage, e, version.getSender());
if (version.getVersion() != 1.1 && faultCode != null) {
fault.setSubCode(faultCode);
}
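Review bot: The fallback `errorMessage = e.getMessage();` at the top of createSoapFault still sends the raw WSSecurityException text to the client whenever getSafeExceptionMessage() finds no mapping (an unmapped or null fault code), which is the same detail the rest of the commit works to keep off the wire. Using one fixed string in that branch, e.g. `errorMessage = WSS4JUtils.INVALID_SECURITY_ERR;`, and keeping the original message for server-side logging only, would make the client-visible text uniform for every fault code; if certain fault codes are meant to pass through verbatim, a comment naming them would help the next reader. createSoapFault continues past the end of this hunk.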
Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1559148&r1=1559147&r2=1559148&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java (original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Fri Jan 17 15:26:47 2014
@@ -18,11 +18,15 @@
*/
package org.apache.cxf.ws.security.wss4j;
+import javax.xml.namespace.QName;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.cache.ReplayCache;
/**
@@ -31,6 +35,22 @@ import org.apache.ws.security.cache.Repl
*/
public final class WSS4JUtils {
+ // FAULT error messages
+ public static final String UNSUPPORTED_TOKEN_ERR = "An unsupported token was provided";
+ public static final String UNSUPPORTED_ALGORITHM_ERR =
+ "An unsupported signature or encryption algorithm was used";
+ public static final String INVALID_SECURITY_ERR =
+ "An error was discovered processing the <wsse:Security> header.";
+ public static final String INVALID_SECURITY_TOKEN_ERR =
+ "An invalid security token was provided";
+ public static final String FAILED_AUTHENTICATION_ERR =
+ "The security token could not be authenticated or authorized";
+ public static final String FAILED_CHECK_ERR = "The signature or decryption was invalid";
+ public static final String SECURITY_TOKEN_UNAVAILABLE_ERR =
+ "Referenced security token could not be retrieved";
+ public static final String MESSAGE_EXPIRED_ERR = "The message has expired";
+
+
private WSS4JUtils() {
// complete
}
@@ -85,5 +105,37 @@ public final class WSS4JUtils {
return null;
}
-
+ /**
+ * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
+ * internal configuration to an attacker.
+ */
+ public static String getSafeExceptionMessage(WSSecurityException ex) {
+ // Allow a Replay Attack message to be returned, otherwise it could be confusing
+ // for clients who don't understand the default caching functionality of WSS4J/CXF
+ if (ex.getMessage() != null && ex.getMessage().contains("replay attack")) {
+ return ex.getMessage();
+ }
+
+ String errorMessage = null;
+ QName faultCode = ex.getFaultCode();
+ if (WSConstants.UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
+ errorMessage = UNSUPPORTED_TOKEN_ERR;
+ } else if (WSConstants.UNSUPPORTED_ALGORITHM.equals(faultCode)) {
+ errorMessage = UNSUPPORTED_ALGORITHM_ERR;
+ } else if (WSConstants.INVALID_SECURITY.equals(faultCode)) {
+ errorMessage = INVALID_SECURITY_ERR;
+ } else if (WSConstants.INVALID_SECURITY_TOKEN.equals(faultCode)) {
+ errorMessage = INVALID_SECURITY_TOKEN_ERR;
+ } else if (WSConstants.FAILED_AUTHENTICATION.equals(faultCode)) {
+ errorMessage = FAILED_AUTHENTICATION_ERR;
+ } else if (WSConstants.FAILED_CHECK.equals(faultCode)) {
+ errorMessage = FAILED_CHECK_ERR;
+ } else if (WSConstants.SECURITY_TOKEN_UNAVAILABLE.equals(faultCode)) {
+ errorMessage = SECURITY_TOKEN_UNAVAILABLE_ERR;
+ } else if (WSConstants.MESSAGE_EXPIRED.equals(faultCode)) {
+ errorMessage = MESSAGE_EXPIRED_ERR;
+ }
+ return errorMessage;
+
+ }
}
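Review bot: The early `return ex.getMessage();` for replay attacks hands the raw exception text back to the caller, and the `ex.getMessage().contains("replay attack")` test is a case-sensitive dependency on WSS4J's current wording, so the one message this method deliberately passes through is also the one it does not control. Returning a constant declared next to the other `_ERR` constants, such as `REPLAY_ATTACK_ERR`, would keep the client-visible text standardized while still telling clients why the message was rejected. The Javadoc should also state that `null` is returned for an unrecognised or absent fault code, since the caller in WSS4JInInterceptor branches on exactly that. The two blank `+` lines after MESSAGE_EXPIRED_ERR in the earlier hunk and the blank line before the closing brace here are checkstyle noise.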
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1559148&r1=1559147&r2=1559148&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Fri Jan 17 15:26:47 2014
@@ -609,7 +609,9 @@ public class SecurityPolicyTest extends
// Different errors using different JDKs...
assertTrue(errorMessage.contains("Certificate has been revoked")
|| errorMessage.contains("Certificate revocation")
- || errorMessage.contains("Error during certificate path validation"));
+ || errorMessage.contains("Error during certificate path validation")
+ || errorMessage.contains(
+ "The security token could not be authenticated or authorized"));
}
((java.io.Closeable)pt).close();
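Review bot: The new alternative `errorMessage.contains("The security token could not be authenticated or authorized")` repeats the text of `WSS4JUtils.FAILED_AUTHENTICATION_ERR` as a literal, so a later edit to the constant will silently break this assertion; referencing it instead, `|| errorMessage.contains(WSS4JUtils.FAILED_AUTHENTICATION_ERR)`, keeps the two in step (assuming the systest module already has rt/ws/security on its classpath, which this hunk does not show). Widening the assertion also means the test no longer distinguishes a revocation failure from any other authentication failure now that the client sees a generic message, which is worth a one-line comment above the assert. The enclosing test method starts before and ends after this hunk.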