You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by Oliver Wulff <ow...@wowit.ch> on 2022/01/03 15:24:33 UTC

AbstractAuthorizingInInterceptor doesn't return standard WS-Security SOAP fault

Hi all

I do some basic authorization checks within my JAX-WS implementation code and was wondering how to return a standard SOAP fault according to the WS-Security spec here:
Web Services Security: SOAP Message Security Version 1.1.1 (oasis-open.org)<http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html#_Toc307407975>

If there is an authorization error, I should return the fault code wsse:FailedAuthentication.

I followed the same approach as within the AbstractAuthorizingInInterceptor which simply throws an AccessDeniedException:
cxf/AbstractAuthorizingInInterceptor.java at master · apache/cxf · GitHub<https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java>

which results in the following soap fault which looks like any other default soap fault:

   <soap:Body>
      <soap:Fault>
         <soap:Code>
            <soap:Value>soap:Receiver</soap:Value>
         </soap:Code>
         <soap:Reason>
            <soap:Text xml:lang="en">Unauthorized</soap:Text>
         </soap:Reason>
      </soap:Fault>
   </soap:Body>


I’ve found the QName definition in WSSecurityException but I can’t easily throw a WSSecurityException because it’s not a RuntimeException.

So, the only approach which worked is this:
        throw new SoapFault("Unauthorized", new QName(http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, "FailedAuthentication"));

Then I get this soap fault back:

   <soap:Body>
      <soap:Fault>
         <soap:Code>
            <soap:Value>soap:Receiver</soap:Value>
            <soap:Subcode>
               <soap:Value xmlns:ns1=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd>ns1:FailedAuthentication</soap:Value>
            </soap:Subcode>
         </soap:Code>
         <soap:Reason>
            <soap:Text xml:lang="en">Unauthorized</soap:Text>
         </soap:Reason>
      </soap:Fault>
   </soap:Body>

Is there a reason why an AccessDeniedException doesn’t return a standard WS-Security SOAP Fault?

Thanks for your feedback.

Cheers
Oli


Gesendet von Mail<https://go.microsoft.com/fwlink/?LinkId=550986> für Windows

Re: AbstractAuthorizingInInterceptor doesn't return standard WS-Security SOAP fault

Posted by Colm O hEigeartaigh <co...@apache.org>.

Hi Oli,

I guess it's because
https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
is in CXF core, and so isn't tied to the SOAP stack. Could we make it
configurable to translate the AccessDeniedException into a WS-Security
SOAP fault?

Colm.

On Mon, Jan 3, 2022 at 3:24 PM Oliver Wulff <ow...@wowit.ch> wrote:
>
> Hi all
>
> I do some basic authorization checks within my JAX-WS implementation code and was wondering how to return a standard SOAP fault according to the WS-Security spec here:
> Web Services Security: SOAP Message Security Version 1.1.1 (oasis-open.org)<http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html#_Toc307407975>
>
> If there is an authorization error, I should return the fault code wsse:FailedAuthentication.
>
> I followed the same approach as within the AbstractAuthorizingInInterceptor which simply throws an AccessDeniedException:
> cxf/AbstractAuthorizingInInterceptor.java at master · apache/cxf · GitHub<https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java>
>
> which results in the following soap fault which looks like any other default soap fault:
>
>    <soap:Body>
>       <soap:Fault>
>          <soap:Code>
>             <soap:Value>soap:Receiver</soap:Value>
>          </soap:Code>
>          <soap:Reason>
>             <soap:Text xml:lang="en">Unauthorized</soap:Text>
>          </soap:Reason>
>       </soap:Fault>
>    </soap:Body>
>
>
> I’ve found the QName definition in WSSecurityException but I can’t easily throw a WSSecurityException because it’s not a RuntimeException.
>
> So, the only approach which worked is this:
>         throw new SoapFault("Unauthorized", new QName(http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd, "FailedAuthentication"));
>
> Then I get this soap fault back:
>
>    <soap:Body>
>       <soap:Fault>
>          <soap:Code>
>             <soap:Value>soap:Receiver</soap:Value>
>             <soap:Subcode>
>                <soap:Value xmlns:ns1=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd>ns1:FailedAuthentication</soap:Value>
>             </soap:Subcode>
>          </soap:Code>
>          <soap:Reason>
>             <soap:Text xml:lang="en">Unauthorized</soap:Text>
>          </soap:Reason>
>       </soap:Fault>
>    </soap:Body>
>
> Is there a reason why an AccessDeniedException doesn’t return a standard WS-Security SOAP Fault?
>
> Thanks for your feedback.
>
> Cheers
> Oli
>
>
> Gesendet von Mail<https://go.microsoft.com/fwlink/?LinkId=550986> für Windows
>