Re: [Dev] [IDENTITY-3355] Better if only warning is shown for signature verification failures

Rushmin Fernando Fri, 28 Jul 2017 01:11:30 -0700

+1 for using warning message without the stack trace. But we have to add as
much as context info to the log so that the life will be easier when coming
to support front.


On Fri, Jul 28, 2017 at 1:30 PM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Sugirjan,
>
> +1 for the warning message without printing the exception trace. We can
> add exception trace as a debug log.
>
> Thanks
> Isura.
>
> On Thu, Jul 20, 2017 at 6:47 PM, Sugirjan Ragunaathan <sugir...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I'm working on the WSO2 public JIRA issue $subject [1].
>>
>> In the Source code [2], when the SAML2 signature is validated and if
>> validation exception is catched, then the exception is logged as well as
>> debug message.
>>
>> } catch (ValidationException e) {
>>     if (log.isDebugEnabled()) {
>>         log.debug("SAML Signature validation failed from domain : " + 
>> domainName, e);
>>     }
>> }
>>
>>
>> In the Source code [3],  if validation exception is catched, then the
>> exception is logged as a warning message not as a debug message.
>>
>> } catch (IdentitySAML2SSOException e) {
>>     log.warn("Signature validation failed for the SAML Message : Failed to 
>> construct the X509CredentialImpl for the alias " +
>>             alias, e);
>>     return false;
>> }
>>
>> What is the best implementation way for handling this exception?
>>
>> [1]Better if only warning is shown for signature verification failures
>> (not the whole exception) <https://wso2.org/jira/browse/IDENTITY-3355>
>>
>> [2]https://github.com/wso2-extensions/identity-carbon-auth-
>> saml2/blob/v5.2.3/components/org.wso2.carbon.identity.
>> authenticator.saml2.sso/src/main/java/org/wso2/carbon/
>> identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L509
>>
>> [3]https://github.com/wso2-extensions/identity-inbound-auth-
>> saml/blob/v5.3.0/components/org.wso2.carbon.identity.sso.
>> saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/
>> SAMLSSOUtil.java#L882
>>
>> Thanks.
>>
>> Regards,
>> *R. Sugirjan*
>> Software Engineering - Intern | WSO2
>>
>> Email:  sugir...@wso2.com
>> Mobile: +94768489892 <+94%2076%20848%209892>
>> <http://wso2.com/signature>
>>
>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810 <+94%2077%20225%204810>
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

mobile : +94775615183

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] [IDENTITY-3355] Better if only warning is shown for signature verification failures

Reply via email to