Re: [Dev] [IDENTITY-3355] Better if only warning is shown for signature verification failures

Fri, 28 Jul 2017 01:02:09 -0700 

Hi Sugirjan,

+1 for the warning message without printing the exception trace. We
can add exception
trace as a debug log.

Thanks
Isura.

On Thu, Jul 20, 2017 at 6:47 PM, Sugirjan Ragunaathan <[email protected]>
wrote:

> Hi,
>
> I'm working on the WSO2 public JIRA issue $subject [1].
>
> In the Source code [2], when the SAML2 signature is validated and if
> validation exception is catched, then the exception is logged as well as
> debug message.
>
> } catch (ValidationException e) {
>     if (log.isDebugEnabled()) {
>         log.debug("SAML Signature validation failed from domain : " + 
> domainName, e);
>     }
> }
>
>
> In the Source code [3],  if validation exception is catched, then the
> exception is logged as a warning message not as a debug message.
>
> } catch (IdentitySAML2SSOException e) {
>     log.warn("Signature validation failed for the SAML Message : Failed to 
> construct the X509CredentialImpl for the alias " +
>             alias, e);
>     return false;
> }
>
> What is the best implementation way for handling this exception?
>
> [1]Better if only warning is shown for signature verification failures
> (not the whole exception) <https://wso2.org/jira/browse/IDENTITY-3355>
>
> [2]https://github.com/wso2-extensions/identity-carbon-
> auth-saml2/blob/v5.2.3/components/org.wso2.carbon.
> identity.authenticator.saml2.sso/src/main/java/org/wso2/
> carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L509
>
> [3]https://github.com/wso2-extensions/identity-inbound-
> auth-saml/blob/v5.3.0/components/org.wso2.carbon.
> identity.sso.saml/src/main/java/org/wso2/carbon/identity/
> sso/saml/util/SAMLSSOUtil.java#L882
>
> Thanks.
>
> Regards,
> *R. Sugirjan*
> Software Engineering - Intern | WSO2
>
> Email:  [email protected]
> Mobile: +94768489892 <+94%2076%20848%209892>
> <http://wso2.com/signature>
>



-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: [email protected]
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Reply via email to