Posted to wss4j-dev@ws.apache.org by "Aleksander Adamowski (JIRA)" <ji...@apache.org> on 2009/05/27 17:44:45 UTC

[jira] Created: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

More detailed exception thrown from CryptoBase.getPrivateKey()
--------------------------------------------------------------

                 Key: WSS-195
                 URL: https://issues.apache.org/jira/browse/WSS-195
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 1.5.8
            Reporter: Aleksander Adamowski
            Assignee: Ruchith Udayanga Fernando


Having a problem with getting a key from one of the keystores used by a web service client, I've patched and built my own version of WSS4J that adds keystore-identifying information to the exception thrown from CryptoBase.getPrivateKey() instead of only the looked-up alias.

This way, I was able to identify the particular keystore the application was looking for the key in.

I'm attaching my patch.

Note that similar improvements should probably be made to other methods in CryptoBase.
The exceptions currently thrown by CryptoBase only specify the alias which was looked up in a keystore. They may not be sufficient in a complex setup with multiple keystores because they give no hint whatsoever about what kind of keystore, with what contents, the search was performed in.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


[jira] Updated: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aleksander Adamowski updated WSS-195:
-------------------------------------

    Attachment: wss4j-CryptoBase_better_exception.patch

The patch to add more details to the Exception thrown from org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(String, String).



[jira] Assigned: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned WSS-195:
---------------------------------------

    Assignee: Colm O hEigeartaigh  (was: Ruchith Udayanga Fernando)



[jira] Resolved: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-195.
-------------------------------------

    Resolution: Fixed



[jira] Closed: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-195.
-----------------------------------




[jira] Commented: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713945#action_12713945 ] 

Colm O hEigeartaigh commented on WSS-195:
-----------------------------------------


Hi Aleksander,

Thanks for your patch. IMO adding such information to an exception is a security hole, as you're potentially leaking sensitive information about the keystore contents. How about we just log the information and throw the original generic exception message?

Colm.



[jira] Updated: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-195:
------------------------------------

    Priority: Minor  (was: Major)



[jira] Updated: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-195:
------------------------------------

    Affects Version/s:     (was: 1.5.8)
                       1.5.7
        Fix Version/s: 1.6
                       1.5.8



[jira] Commented: (WSS-195) More detailed exception thrown from CryptoBase.getPrivateKey()

Posted by "Aleksander Adamowski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713953#action_12713953 ] 

Aleksander Adamowski commented on WSS-195:
------------------------------------------

Sounds reasonable.

IMHO, the whole idea that server's exceptions or their fragments are sent back to the client in a SOAP fault message is a security hole, but it's really hard to filter them all out depending on what layer they originate from on the server.

For example, in Spring-WS I'm using:

  <bean id="exceptionResolver" class="pl.firstdata.keygun.server.webservice.logging.LoggingSoapFaultMappingExceptionResolver">
    <property name="defaultFault" value="SERVER,Error processing request. Contact the service administrator and report the exact date and time of failure." />
  </bean>

This substitutes a generic error message when the application logic layer throws an exception. However, WSS4J-originated exceptions are still sent out in their full glory. I don't know how to filter these.

So it's a good idea to send the details to the logger only.
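
The approach agreed in this thread (send the keystore details to the logger, keep the thrown message generic), shown beside the leaky variant as an added example that is not part of the original thread or of WSS4J's code. The class `KeyLookupDemo`, its method names, the exception text, the reference id and the in-memory keystore are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper for illustration; not WSS4J's CryptoBase.
public class KeyLookupDemo {
    private static final Logger LOG = Logger.getLogger(KeyLookupDemo.class.getName());

    // Keystore-identifying details an operator needs when several keystores are in play.
    static String describe(KeyStore ks) throws GeneralSecurityException {
        return "type=" + ks.getType() + ", provider=" + ks.getProvider().getName()
                + ", size=" + ks.size() + ", aliases=" + Collections.list(ks.aliases());
    }

    // Leaky: the details ride in the exception message and can end up in a SOAP fault.
    static PrivateKey getPrivateKeyLeaky(KeyStore ks, String alias, char[] pw)
            throws GeneralSecurityException {
        Key key = ks.getKey(alias, pw);
        if (key instanceof PrivateKey) { return (PrivateKey) key; }
        throw new GeneralSecurityException(
                "Cannot find key for alias: [" + alias + "] in keystore " + describe(ks));
    }

    // Hardened: details go to the server log only; the exception names just the alias
    // plus a reference id (an addition of this example) to correlate with the log entry.
    static PrivateKey getPrivateKeyLogged(KeyStore ks, String alias, char[] pw)
            throws GeneralSecurityException {
        Key key = ks.getKey(alias, pw);
        if (key instanceof PrivateKey) { return (PrivateKey) key; }
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "[{0}] no private key for alias [{1}] in keystore: {2}",
                new Object[] {ref, alias, describe(ks)});
        throw new GeneralSecurityException(
                "Cannot find key for alias: [" + alias + "] (ref " + ref + ")");
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory keystore with one entry so the alias list is not empty.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        char[] pw = "changeit".toCharArray();
        ks.setKeyEntry("payments-signing", new SecretKeySpec(new byte[16], "AES"), pw, null);
        for (boolean leaky : new boolean[] {true, false}) {
            try {
                Key k = leaky ? getPrivateKeyLeaky(ks, "client-key", pw)
                              : getPrivateKeyLogged(ks, "client-key", pw);
            } catch (GeneralSecurityException e) {
                System.out.println((leaky ? "leaky:  " : "logged: ") + e.getMessage());
            }
        }
    }
}
```

The first printed message exposes the keystore type, provider and alias list to whoever receives the fault; the second carries only the alias and a reference id, while the same details appear in the server log under that id.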
