On Mar 30, 2013, at 7:48 AM, Andrei Shakirin <[email protected]> wrote:
> Hi Ychawla,
>
> Would you like to create patch regarding detailed logging and response
> yourself?

Actually, I did make some minor changes to this for 2.7.4 (voting now).

It's not really much of a security issue as this is on the OUT interceptor chain. Thus, one of two things will happen:

1) Client side - exception propagated up to the caller. This is likely what we want no matter what the scenario.

2) Server side - if the SAAJ model cannot be written to the stream, likely nothing can and there isn't a way to get a fault back to the client anyway. Thus, the exception would get logged in the log and that's it.

In a Camel route, the exception #1 may be propagated back to the client via an exception or something, but that will be a Camel issue. Any of the variety of exceptions that could occur on the client side would need to be filtered in that case anyway.

Dan

>
> Cheers,
> Andrei.
>
>> -----Original Message-----
>> From: Andrei Shakirin [mailto:[email protected]]
>> Sent: Thursday, 28 March 2013 10:49
>> To: [email protected]
>> Cc: [email protected]
>> Subject: RE: Problem writing SAAJ model to stream
>>
>> Hi,
>>
>> It can be potentially a security issue, when client receives detailed error
>> message about service truststore.
>> From my perspective it makes sense to LOG detailed message locally.
>> We can also make remote response more descriptive, but not expose much
>> sensitive details for the client.
>>
>> Regards,
>> Andrei.
>>
>>> -----Original Message-----
>>> From: ychawla [mailto:[email protected]]
>>> Sent: Wednesday, 27 March 2013 17:07
>>> To: [email protected]
>>> Subject: Problem writing SAAJ model to stream
>>>
>>> Hello All,
>>> I was getting the error: "Problem writing SAAJ model to stream". This
>>> error isn't very descriptive and I had to dig a little to find the root
>>> cause.
>>>
>>> There was a similar issue here for Connection Refused:
>>>
>>> https://issues.apache.org/jira/browse/CXF-3872
>>>
>>> To find the root cause of my error, I downloaded the CXF source and
>>> then added some debug statements to the SAAJOutInterceptor:
>>>
>>> try {
>>>     if (writer != null) {
>>>         StaxUtils.copy(new W3CDOMStreamReader(soapMessage.getSOAPPart()), writer);
>>>         writer.flush();
>>>         message.setContent(XMLStreamWriter.class, writer);
>>>     }
>>> } catch (XMLStreamException e) {
>>>     if (e.getCause() instanceof ConnectException) {
>>>         throw new SoapFault(e.getCause().getMessage(), e,
>>>                             message.getVersion().getSender());
>>>     } else {
>>>         * e.printStackTrace();
>>>         System.out.println(e.getCause().getClass()); *
>>>         throw new SoapFault(new Message("SOAPEXCEPTION", BUNDLE), e,
>>>                             message.getVersion().getSender());
>>>     }
>>>
>>> I realize that printing the stack trace is not the most graceful way
>>> to get at the error which in my case happened to be a truststore/SSL
>>> issue. Is there a way to provide a better error message than "Problem
>>> writing SAAJ model to stream"? Maybe it is sufficient to just use
>>> e.getCause().getMessage() in all cases?
>>>
>>> Thanks,
>>> Yogesh
>>>
>>>
>>>
>>> --
>>> View this message in context: http://cxf.547215.n5.nabble.com/Problem-writing-SAAJ-model-to-stream-tp5725406.html
>>> Sent from the cxf-user mailing list archive at Nabble.com.

--
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
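
The approach suggested in the thread (log the detailed cause locally, send the remote side a more descriptive but non-sensitive message) can be sketched in plain JDK Java. This is an added example, not code from CXF or from any participant in the thread; the class `FaultDetailDemo`, its methods and the sample exception text are hypothetical.

```java
import java.net.ConnectException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.xml.stream.XMLStreamException;

// Added illustration; class and method names are hypothetical, not CXF API.
public class FaultDetailDemo {
    private static final Logger LOG = Logger.getLogger(FaultDetailDemo.class.getName());

    // Map the cause chain to a coarse category that carries no local detail.
    // The depth limit guards against a cyclic cause chain.
    static String classify(Throwable t) {
        int depth = 0;
        for (Throwable c = t; c != null && depth < 20; c = c.getCause(), depth++) {
            if (c instanceof ConnectException) {
                return "could not connect to the remote endpoint";
            }
            if (c instanceof SSLException) {
                return "TLS negotiation with the remote endpoint failed";
            }
        }
        return "I/O failure";
    }

    // Log the full exception (message, causes, stack trace) locally only;
    // the returned text holds just the category and a reference id that
    // lets an operator find the matching log entry.
    static String remoteMessage(Throwable t) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Problem writing SAAJ model to stream, ref=" + ref, t);
        return "Problem writing SAAJ model to stream: " + classify(t) + " (ref " + ref + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: a trust failure wrapped the way a stream writer would report it.
        Throwable e = new XMLStreamException(new SSLHandshakeException(
                "PKIX path building failed (constructed; truststore /opt/app/conf/trust.jks)"));
        System.out.println(remoteMessage(e));
    }
}
```

The truststore path in the constructed exception appears in the local log entry but not in the string returned for the remote side, which is the separation the thread argues for.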
