I've created a new JIRA (https://issues.apache.org/jira/browse/CXF-5540) to be fixed for CXF 3.0.0. There is a new security property ("ws-security.return.security.error") which defaults to false, which will return the underlying error message if set to true.
Colm.

On Fri, Jan 31, 2014 at 6:06 PM, Ted <[email protected]> wrote:
> I wouldn't have thought the basic WSSecurityException would have been
> that sensitive but I haven't thought it through too much.
>
> As an example if the username/password is wrong, I'd rather tell the
> user their user/password is wrong and/or their session has timed out
> rather than telling the user "an error occurred on the server".
>
> Also, conversely if any other type of exception occurs on the server
> (not sure what other off hand, just making this up) like a
> NullPointerException, it might mean there's just bad data on my server
> and there's no need to make the client re-login due to invalid
> user/password or timed out session etc...
>
> On 1/31/14, Colm O hEigeartaigh <[email protected]> wrote:
> > There is no way of returning the actual underlying exception to the client,
> > as this could leak sensitive information to an attacker. Why do you need to
> > differentiate between different exception types on the client end?
> >
> > Colm.
> >
> > On Thu, Jan 30, 2014 at 7:16 PM, Ted <[email protected]> wrote:
> >> Hi I'm on cxf 2.7.4,
> >>
> >> On the server, in the UsernameTokenValidator.verifyPlaintextPassword(),
> >> if the user/password is invalid I'm throwing a
> >> new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
> >>
> >> The problem is on the client side, all I'm getting is:
> >> javax.xml.ws.soap.SOAPFaultException: The security token could not
> >> be authenticated or authorized
> >> ...
> >> Caused by: org.apache.cxf.binding.soap.SoapFault: The security token could
> >> not be authenticated or authorized
> >>
> >> So I can see the logic is all working properly, however, on the client side,
> >> short of parsing some random text "could not be authenticated" and
> >> hoping it doesn't change, there's no way for me to determine that it
> >> was a failed authentication vs. any other soap fault.
> >>
> >> i.e. on the client side I want to do (but can't do) "catch (WSSecurityException e)".
> >>
> >> Does anyone know if there's a configuration or something I can change
> >> so the exception makes it over to the client side so I can properly
> >> determine that it was actually a security exception?
> >> --
> >> Ted.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Ted.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
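As an added illustration (not Colm's or Ted's code, and not taken from the CXF project), here is a server-side UsernameToken validator that raises FAILED_AUTHENTICATION the way Ted describes, together with the endpoint properties that wire it in and set the new ws-security.return.security.error switch. The class, package and constant names are assumed to match the CXF 3.0 / WSS4J 2.0 API that the property targets; the credential check is a constructed stand-in for a real user store.

```java
// Added example: assumed CXF 3.0 / WSS4J 2.0 class and package names.
import java.util.Map;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;

public class StrictUsernameTokenValidator extends UsernameTokenValidator {

    // Constructed stand-in for a real credential lookup (not a recommended store).
    private static final String KNOWN_USER = "alice";
    private static final String KNOWN_PASSWORD = "example-password";

    @Override
    protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData data)
            throws WSSecurityException {
        boolean userOk = KNOWN_USER.equals(usernameToken.getName());
        boolean passwordOk = KNOWN_PASSWORD.equals(usernameToken.getPassword());
        if (!userOk || !passwordOk) {
            // The client receives only the generic "The security token could not be
            // authenticated or authorized" fault unless the endpoint opts in to
            // returning the underlying error (see configure() below).
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Wires the validator into an endpoint's property map (e.g. the map behind
     * jaxws:properties) and sets the error-detail switch. The CXF default is
     * false, which keeps the generic fault text; true is the opt-in described
     * in CXF-5540 and should be enabled only where exposing the reason is acceptable.
     */
    public static void configure(Map<String, Object> endpointProps, boolean returnSecurityError) {
        endpointProps.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, new StrictUsernameTokenValidator());
        endpointProps.put(SecurityConstants.RETURN_SECURITY_ERROR, Boolean.toString(returnSecurityError));
    }
}
```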
