[ https://issues.apache.org/jira/browse/CXF-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved CXF-3693. -------------------------------------- Resolution: Fixed > SecurityTokenServiceProvider does not handle exceptions properly > ---------------------------------------------------------------- > > Key: CXF-3693 > URL: https://issues.apache.org/jira/browse/CXF-3693 > Project: CXF > Issue Type: Bug > Affects Versions: 2.4.1 > Reporter: Colm O hEigeartaigh > Assignee: Colm O hEigeartaigh > Fix For: 2.4.2, 2.5 > > > The SecurityTokenServiceProvider shipped from CXF 2.4 onwards does not handle > exceptions properly. There are three issues: > 1) For an exception thrown in an STS implementation, the provider returns a > reflection error message as the error String. This is because there is no > specific check for an InvocationTargetException. > 2) The exception stacktrace is returned as a Detail, which might reveal > internal information to an attacker > 3) There is no way to send back the WS-Trust standard error code/Strings. > Points 1 and 2 are easily fixed. Point 3 will be fixed by extending the > STSException so that a FaultCode (QName) can be set. If it is set on the > exception, the standard code/String will be returned, otherwise the error > message of the exception will be returned. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira