Posted to users@cxf.apache.org by Oliver Wulff <ow...@wowit.ch> on 2022/01/03 15:24:33 UTC
AbstractAuthorizingInInterceptor doesn't return standard WS-Security SOAP fault
Hi all
I do some basic authorization checks within my JAX-WS implementation code and was wondering how to return a standard SOAP fault according to the WS-Security spec here:
Web Services Security: SOAP Message Security Version 1.1.1 (oasis-open.org)<http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html#_Toc307407975>
If there is an authorization error, I should return the fault code wsse:FailedAuthentication.
I followed the same approach as within the AbstractAuthorizingInInterceptor which simply throws an AccessDeniedException:
cxf/AbstractAuthorizingInInterceptor.java at master · apache/cxf · GitHub<https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java>
which results in the following soap fault which looks like any other default soap fault:
<soap:Body>
<soap:Fault>
<soap:Code>
<soap:Value>soap:Receiver</soap:Value>
</soap:Code>
<soap:Reason>
<soap:Text xml:lang="en">Unauthorized</soap:Text>
</soap:Reason>
</soap:Fault>
</soap:Body>
I’ve found the QName definition in WSSecurityException but I can’t easily throw a WSSecurityException because it’s not a RuntimeException.
So, the only approach which worked is this:
throw new SoapFault("Unauthorized", new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "FailedAuthentication"));
Then I get this soap fault back:
<soap:Body>
<soap:Fault>
<soap:Code>
<soap:Value>soap:Receiver</soap:Value>
<soap:Subcode>
<soap:Value xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedAuthentication</soap:Value>
</soap:Subcode>
</soap:Code>
<soap:Reason>
<soap:Text xml:lang="en">Unauthorized</soap:Text>
</soap:Reason>
</soap:Fault>
</soap:Body>
Is there a reason why an AccessDeniedException doesn’t return a standard WS-Security SOAP Fault?
Thanks for your feedback.
Cheers
Oli
Re: AbstractAuthorizingInInterceptor doesn't return standard WS-Security SOAP fault
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Oli,
I guess it's because
https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
is in CXF core, and so isn't tied to the SOAP stack. Could we make it
configurable to translate the AccessDeniedException into a WS-Security
SOAP fault?
Colm.
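As an added example of the translation Colm suggests (this is not code from the thread or from CXF itself): an out-fault interceptor that replaces the generic Fault CXF builds from an AccessDeniedException with a SoapFault carrying the wsse:FailedAuthentication code from the original post. The class name and the use of Phase.SETUP are my assumptions, and it is assumed to be registered on a SOAP endpoint's out-fault chain, for example via endpoint.getOutFaultInterceptors().add(...).

```java
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Out-fault interceptor (hypothetical class, not part of CXF) that turns the
 * Fault raised from an AccessDeniedException into a WS-Security SOAP fault.
 */
public class WsSecurityFaultMapper extends AbstractPhaseInterceptor<SoapMessage> {

    // wsse namespace as it appears in the fault shown in the original post.
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final QName FAILED_AUTHENTICATION =
        new QName(WSSE_NS, "FailedAuthentication", "wsse");

    public WsSecurityFaultMapper() {
        // SETUP is the first out phase, so the replacement is in place before
        // the SOAP fault-out interceptors serialise the fault body (assumption).
        super(Phase.SETUP);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        Exception ex = message.getContent(Exception.class);
        if (ex == null || !causedByAccessDenied(ex)) {
            return; // not an authorization failure: leave the fault untouched
        }
        // Fixed, non-descriptive reason text: the fault tells the caller that
        // authorization failed without revealing which role or check it was.
        SoapFault wsseFault = new SoapFault("Unauthorized", FAILED_AUTHENTICATION);
        message.setContent(Exception.class, wsseFault);
    }

    /** Walks the cause chain (CXF wraps the application exception in a Fault). */
    private static boolean causedByAccessDenied(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof AccessDeniedException) {
                return true;
            }
            if (cur.getCause() == cur) {
                break;
            }
        }
        return false;
    }
}
```

With SOAP 1.2 the result is the Receiver code plus the wsse:FailedAuthentication Subcode shown earlier in the thread; with SOAP 1.1 the QName becomes the faultcode itself.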