Hi, is the problem recognizing a security-relevant SOAP fault on the client side, correct? If so, you can try to resolve this particular case using a custom interceptor.
Regards,
Andrei.

> -----Original Message-----
> From: Ted [mailto:[email protected]]
> Sent: Friday, 31 January 2014 19:07
> To: [email protected]; [email protected]
> Subject: Re: WSSecurityException turns into generic SOAPFaultException on client side
>
> I wouldn't have thought the basic WSSecurityException would have been that sensitive but I haven't thought it through too much.
>
> As an example if the username/password is wrong, I'd rather tell the user their user/password is wrong and or their session has timed out rather than telling the user "an error occurred on the server".
>
> Also, conversely if any other type of exception occurs on the server (not sure what other off hand, just making this up) like a NullPointerException, it might mean there's just bad data on my server and there's no need to make the client re-login due to invalid user/password or timed out session etc...
>
> On 1/31/14, Colm O hEigeartaigh <[email protected]> wrote:
> > There is no way of returning the actual underlying exception to the client, as this could leak sensitive information to an attacker. Why do you need to differentiate between different exception types on the client end?
> >
> > Colm.
> >
> > On Thu, Jan 30, 2014 at 7:16 PM, Ted <[email protected]> wrote:
> >
> >> Hi I'm on cxf 2.7.4,
> >>
> >> On the server, in the UsernameTokenValidator.verifyPlaintextPassword(), if the user/password is invalid I'm throwing a new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
> >>
> >> The problem is on the client side, all I'm getting is:
> >> javax.xml.ws.soap.SOAPFaultException: The security token could not be authenticated or authorized
> >> ...
> >> Caused by: org.apache.cxf.binding.soap.SoapFault: The security token could not be authenticated or authorized
> >>
> >> So I can see the logic is all working properly, however, on the client side, short of parsing some random text "could not be authenticated" and hoping it doesn't change, there's no way for me to determine that it was a failed authentication vs. any other soap fault.
> >>
> >> i.e. on the client side I want to do (but can't do) "catch (WSSecurityException e)".
> >>
> >> Does anyone know if there's a configuration or something I can change so the exception makes it over to the client side so I can properly determine that it was actually security exception?
> >> --
> >> Ted.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Ted.
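Added example, not code from this thread, from CXF or from WSS4J: a client-side check that keys on the SOAP fault code instead of the fault text. OASIS WS-Security 1.0 standardises the code wsse:FailedAuthentication together with the exact faultstring quoted above ("The security token could not be authenticated or authorized"), so the code is the stable discriminator Ted is looking for, and it is the only thing the server has to reveal. It assumes the server's WS-Security layer places that standard code in the fault (SOAP 1.1 faultcode, or a SOAP 1.2 subcode under env:Sender); `port.someOperation` is a placeholder for the generated JAX-WS proxy call.

```java
import java.util.Iterator;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.soap.SOAPFaultException;

/** Classifies a client-side SOAPFaultException by its WS-Security fault code, never by its text. */
public final class WsSecurityFaults {
    // wsse namespace and fault-code local names from the OASIS WS-Security 1.0 error-handling section
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    public enum Kind { FAILED_AUTHENTICATION, INVALID_SECURITY_TOKEN, OTHER_WSSE, NOT_WSSE }

    public static Kind classify(SOAPFaultException e) {
        SOAPFault fault = e.getFault();
        if (fault == null) return Kind.NOT_WSSE;
        // SOAP 1.1: the wsse code is the faultcode itself (assumption: server emits the standard code)
        Kind kind = classify(fault.getFaultCodeAsQName());
        if (kind != Kind.NOT_WSSE) return kind;
        // SOAP 1.2: faultcode is env:Sender and the wsse code travels as a subcode
        try {
            for (Iterator<?> it = fault.getFaultSubcodes(); it.hasNext();) {
                kind = classify((QName) it.next());
                if (kind != Kind.NOT_WSSE) return kind;
            }
        } catch (UnsupportedOperationException soap11) {
            // getFaultSubcodes() is undefined for a SOAP 1.1 fault; nothing more to inspect
        }
        return Kind.NOT_WSSE;
    }

    static Kind classify(QName code) {
        if (code == null || !WSSE_NS.equals(code.getNamespaceURI())) return Kind.NOT_WSSE;
        String local = code.getLocalPart();
        if ("FailedAuthentication".equals(local)) return Kind.FAILED_AUTHENTICATION;
        if ("InvalidSecurityToken".equals(local)) return Kind.INVALID_SECURITY_TOKEN;
        return Kind.OTHER_WSSE;   // UnsupportedSecurityToken, InvalidSecurity, FailedCheck, ...
    }

    // Call-site usage (port.someOperation is a placeholder for the generated proxy call):
    // try {
    //     port.someOperation(request);
    // } catch (SOAPFaultException e) {
    //     if (classify(e) == Kind.FAILED_AUTHENTICATION) { /* ask the user to sign in again */ }
    //     else { /* generic "server error" to the user; do not surface the fault text */ }
    // }
}
```

The same QName check can run inside a client in-fault interceptor on the unmarshalled `org.apache.cxf.binding.soap.SoapFault` (`getFaultCode()` / `getSubCode()`) if the interceptor route suggested above is preferred.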
