Posted to users@cxf.apache.org by Andrei Shakirin <as...@talend.com> on 2014/02/04 09:50:16 UTC

RE: WSSecurityException turns into generic SOAPFaultException on client side

Hi,

Is the problem recognizing a security-relevant SOAP fault on the client side, correct?
If so, you can try to resolve this particular case using a custom interceptor.

Regards,
Andrei.

> -----Original Message-----
> From: Ted [mailto:r6squeegee@gmail.com]
> Sent: Freitag, 31. Januar 2014 19:07
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: Re: WSSecurityException turns into generic SOAPFaultException on
> client side
> 
> I wouldn't have thought the basic WSSecurityException would have been
> that sensitive but I haven't thought it through too much.
> 
> As an example if the username/password is wrong, I'd rather tell the user
> their user/password is wrong and or their session has timed out rather than
> telling the user "an error occurred on the server".
> 
> Also, conversely if any other type of exception occurs on the server (not
> sure what other off hand, just making this up) like a NullPointerException, it
> might mean there's just bad data on my server and there's no need to make
> the client re-login due to invalid user/password or timed out session etc...
> 
> 
> 
> On 1/31/14, Colm O hEigeartaigh <co...@apache.org> wrote:
> > There is no way of returning the actual underlying exception to the
> > client, as this could leak sensitive information to an attacker. Why
> > do you need to differentiate between different exception types on the
> client end?
> >
> > Colm.
> >
> >
> > On Thu, Jan 30, 2014 at 7:16 PM, Ted <r6...@gmail.com> wrote:
> >
> >> Hi I'm on cxf 2.7.4,
> >>
> >> On the server, in the
> >> UsernameTokenValidator.verifyPlaintextPassword(),
> >> if the user/password is invalid I'm throwing a
> >>    new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
> >>
> >> The problem is on the client side, all I'm getting is :
> >>    javax.xml.ws.soap.SOAPFaultException: The security token could not
> >> be authenticated or authorized
> >>    ...
> >>    Caused by: org.apache.cxf.binding.soap.SoapFault: The security token could
> >>    not be authenticated or authorized
> >>
> >> So I can see the logic is all working properly, however, on the
> >> client side, short of parsing some random text "could not be
> >> authenticated" and hoping it doesn't change, there's no way for me to
> >> determine that it was a failed authentication v.s. any other soap
> >> fault.
> >>
> >> i.e. on the client side I want to do (but can't do) "catch
> >> (WSSecurityException e)".
> >>
> >> Does anyone know if there's a configuration or something I can change
> >> so the exception makes it over to the client side so I can properly
> >> determine that it was actually security exception?
> >> --
> >> Ted.
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> 
> 
> --
> Ted.
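The reason string Ted sees on the client ("The security token could not be authenticated or authorized") is the fault string that WS-Security 1.0 defines for the wsse:FailedAuthentication fault code, and WSS4J's WSSecurityException carries that QName as its fault code. The client-side helper below, added here as an illustration and not code from the thread or from CXF, classifies a received SOAPFaultException by that wsse fault code (SOAP 1.1 faultcode, or SOAP 1.2 subcode) instead of matching the free text. It assumes the server's CXF/WSS4J stack copies WSSecurityException.getFaultCode() onto the outgoing fault; the thread does not confirm that for CXF 2.7.4, so check it on the wire first (a LoggingInInterceptor on the client shows the fault envelope). The class and method names are hypothetical. Note that this only exposes the spec-defined fault category, not the underlying server exception, so it stays within Colm's concern about leaking internals.

```java
import java.util.Iterator;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.soap.SOAPFaultException;

/**
 * Client-side classification of WS-Security faults by fault code rather than by reason text.
 * Hypothetical helper for this thread; not part of Apache CXF or WSS4J.
 */
public final class WsSecurityFaults {

    /** WS-Security 1.0 secext namespace; the spec's fault codes (FailedAuthentication, ...) live here. */
    public static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Coarse client-side outcome; the caller decides whether to re-prompt for credentials. */
    public enum Kind {
        FAILED_AUTHENTICATION,   // wsse:FailedAuthentication: bad user/password or unusable token
        FAILED_CHECK,            // wsse:FailedCheck: signature or decryption failed
        MESSAGE_EXPIRED,         // wsse:MessageExpired: Timestamp outside the accepted window
        INVALID_SECURITY_TOKEN,  // wsse:InvalidSecurityToken
        OTHER_WSSE,              // any other code in the wsse namespace
        NOT_WSSE                 // not a WS-Security fault at all (e.g. an application fault)
    }

    private WsSecurityFaults() {
    }

    /**
     * Returns the wsse fault code carried by the fault, or null if there is none.
     * SOAP 1.1 carries it as the faultcode; SOAP 1.2 carries it as a Subcode under env:Sender
     * (assumption: that is how the server populated the fault; verify with a logged envelope).
     */
    public static QName wsseCode(SOAPFault fault) {
        if (fault == null) {
            return null;
        }
        QName code = fault.getFaultCodeAsQName();
        if (code != null && WSSE_NS.equals(code.getNamespaceURI())) {
            return code;
        }
        try {
            Iterator<?> subcodes = fault.getFaultSubcodes();
            while (subcodes.hasNext()) {
                QName sub = (QName) subcodes.next();
                if (WSSE_NS.equals(sub.getNamespaceURI())) {
                    return sub;
                }
            }
        } catch (UnsupportedOperationException e) {
            // SAAJ throws this for SOAP 1.1 faults, which have no subcodes; nothing more to check.
        }
        return null;
    }

    /** Maps a received SOAPFaultException to a Kind without looking at the reason string. */
    public static Kind classify(SOAPFaultException e) {
        QName code = wsseCode(e.getFault());
        if (code == null) {
            return Kind.NOT_WSSE;
        }
        String local = code.getLocalPart();
        if ("FailedAuthentication".equals(local)) {
            return Kind.FAILED_AUTHENTICATION;
        } else if ("FailedCheck".equals(local)) {
            return Kind.FAILED_CHECK;
        } else if ("MessageExpired".equals(local)) {
            return Kind.MESSAGE_EXPIRED;
        } else if ("InvalidSecurityToken".equals(local)) {
            return Kind.INVALID_SECURITY_TOKEN;
        }
        return Kind.OTHER_WSSE;
    }

    /**
     * Usage sketch around a JAX-WS port call. 'port' and 'callService' are placeholders for the
     * generated proxy and its operation; 'request' is whatever that operation takes.
     */
    public static <T> T invokeOrRelogin(java.util.concurrent.Callable<T> callService) throws Exception {
        try {
            return callService.call();
        } catch (SOAPFaultException e) {
            switch (classify(e)) {
                case FAILED_AUTHENTICATION:
                case MESSAGE_EXPIRED:
                    // Credentials rejected or timestamp stale: tell the user, obtain fresh credentials.
                    throw new SecurityException("Re-login required: " + classify(e), e);
                default:
                    // Not an authentication problem; do not force a re-login for a server-side error.
                    throw e;
            }
        }
    }
}
```

If the logged fault shows only a generic soap:Client / env:Sender code with no wsse code or subcode, this approach will classify everything as NOT_WSSE, and a custom fault interceptor on the server (Andrei's suggestion) is the place to add the WS-Security code before the fault is written.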