I wouldn't have thought the basic WSSecurityException would have been
that sensitive but I haven't thought it through too much.

As an example, if the username/password is wrong, I'd rather tell the
user their user/password is wrong and/or their session has timed out
rather than telling the user "an error occurred on the server".

Also, conversely, if any other type of exception occurs on the server
(not sure what other off hand, just making this up) like a
NullPointerException, it might mean there's just bad data on my server
and there's no need to make the client re-login due to invalid
user/password or timed out session etc...



On 1/31/14, Colm O hEigeartaigh <[email protected]> wrote:
> There is no way of returning the actual underlying exception to the client,
> as this could leak sensitive information to an attacker. Why do you need to
> differentiate between different exception types on the client end?
>
> Colm.
>
>
> On Thu, Jan 30, 2014 at 7:16 PM, Ted <[email protected]> wrote:
>
>> Hi I'm on cxf 2.7.4,
>>
>> On the server, in the UsernameTokenValidator.verifyPlaintextPassword(),
>> if the user/password is invalid I'm throwing a
>>    new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
>>
>> The problem is on the client side, all I'm getting is :
>>    javax.xml.ws.soap.SOAPFaultException: The security token could not
>> be authenticated or authorized
>>    ...
>>    Caused by: org.apache.cxf.binding.soap.SoapFault: The security token
>> could
>>    not be authenticated or authorized
>>
>> So I can see the logic is all working properly, however, on the client
>> side,
>> short of parsing some random text "could not be authenticated" and
>> hoping it doesn't change, there's no way for me to determine that it
>> was a failed authentication v.s. any other soap fault.
>>
>> i.e. on the client side I want to do (but can't do) "catch
>> (WSSecurityException e)".
>>
>> Does anyone know if there's a configuration or something I can change
>> so the exception makes it over to the client side so I can properly
>> determine that it was actually security exception?
>> --
>> Ted.
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


-- 
Ted.
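Added example (not code from the thread, CXF or WSS4J): the client does not need the server-side WSSecurityException, nor does it need to parse "could not be authenticated", because the fault already carries a machine-readable code. WS-Security 1.0/1.1 define a fixed set of fault codes in the wsse namespace (wsse:FailedAuthentication, wsse:InvalidSecurityToken, ...), WSSecurityException.FAILED_AUTHENTICATION maps to wsse:FailedAuthentication, and CXF's WSS4JInInterceptor puts that QName on the outgoing fault: as the fault code for SOAP 1.1 and as a subcode under env:Sender for SOAP 1.2. The reason text is only the spec's human-readable companion to that code. The class name, the Outcome enum and the two locally constructed faults in main() are assumptions made for the example; the "Fault occurred while processing." text is what a default CXF server returns for an unexpected exception, with the exception details hidden. Verify against your own CXF version by dumping one real fault before relying on the mapping.

```java
import java.util.Iterator;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.soap.SOAPFaultException;

/**
 * Client-side classification of a SOAP fault by its fault code instead of
 * its reason text. Example code, not part of CXF or WSS4J.
 */
public class WsSecurityFaultClassifier {

    /** Namespace of the standard WS-Security 1.0 wsse: fault codes. */
    public static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** The code WSS4J emits for WSSecurityException.FAILED_AUTHENTICATION. */
    public static final QName FAILED_AUTHENTICATION =
        new QName(WSSE_NS, "FailedAuthentication", "wsse");

    /** Coarse outcome the client can act on (enum name is an assumption). */
    public enum Outcome {
        /** wsse:FailedAuthentication: bad credentials or expired session, re-login. */
        FAILED_AUTHENTICATION,
        /** Some other wsse: fault (malformed header, unsupported token, ...). */
        OTHER_SECURITY_FAULT,
        /** Anything else, e.g. a generic Server fault from an unexpected exception. */
        OTHER_FAULT
    }

    public static Outcome classify(SOAPFaultException e) {
        SOAPFault fault = e.getFault();
        if (fault == null) {
            return Outcome.OTHER_FAULT;
        }
        QName code = wsseCode(fault);
        if (code == null) {
            return Outcome.OTHER_FAULT;
        }
        // QName.equals ignores the prefix, so wsse:/ns1: spellings both match.
        return FAILED_AUTHENTICATION.equals(code)
            ? Outcome.FAILED_AUTHENTICATION
            : Outcome.OTHER_SECURITY_FAULT;
    }

    /** Returns the wsse: fault code carried by the fault, or null if there is none. */
    private static QName wsseCode(SOAPFault fault) {
        QName code = fault.getFaultCodeAsQName();
        if (code != null && WSSE_NS.equals(code.getNamespaceURI())) {
            return code;              // SOAP 1.1: the fault code itself is wsse:...
        }
        try {
            // SOAP 1.2: the code is env:Sender and the wsse: code is a subcode.
            Iterator<QName> subcodes = fault.getFaultSubcodes();
            while (subcodes.hasNext()) {
                QName sub = subcodes.next();
                if (WSSE_NS.equals(sub.getNamespaceURI())) {
                    return sub;
                }
            }
        } catch (UnsupportedOperationException soap11) {
            // SOAP 1.1 faults have no subcodes; nothing more to inspect.
        }
        return null;
    }

    /** Demo with two locally constructed SOAP 1.1 faults; no server involved. */
    public static void main(String[] args) throws Exception {
        SOAPFactory factory = SOAPFactory.newInstance(); // SOAP 1.1 by default

        // Constructed to mirror what CXF/WSS4J return for FAILED_AUTHENTICATION.
        SOAPFault authFault = factory.createFault(
            "The security token could not be authenticated or authorized",
            FAILED_AUTHENTICATION);

        // Constructed to mirror CXF's generic fault for an unexpected exception
        // (e.g. a NullPointerException) when exception details are not exposed.
        SOAPFault serverFault = factory.createFault(
            "Fault occurred while processing.",
            new QName("http://schemas.xmlsoap.org/soap/envelope/", "Server", "soap"));

        System.out.println(classify(new SOAPFaultException(authFault)));
        System.out.println(classify(new SOAPFaultException(serverFault)));
    }
}
```

In a JAX-WS client the proxy call is wrapped in a try/catch for SOAPFaultException and the result of classify() decides whether to re-prompt for credentials or to surface a generic error. This keeps the server's behaviour as Colm describes it: only the standard wsse code and reason cross the wire, never the underlying exception. The javax.xml.soap and javax.xml.ws packages ship with JDK 8; on newer JDKs they need the JAX-WS and SAAJ artifacts on the classpath.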