Are you attaching security policies to the wsdl:fault part of your security binding? If policies are only attached to the wsdl:input/output, then the SOAP Faults won't be secured. Here is an example:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/fault/DoubleItFault.wsdl;h=2e388f57657c88339659e1555e5cf5c439a691ce;hb=HEAD

Colm.

On Fri, Nov 27, 2015 at 8:12 AM, Alexandros Trifyllis <[email protected]> wrote:

> Further into debugging, I notice that in class AbstractPolicyInterceptor
> line 69 (version 2.7.13):
>
> if (faultClass != null && faultClass.isAssignableFrom(cause.getClass())) {
>
> the "faultClass" can never be "assignableFrom" the "cause".
>
> The "faultClass" is a custom class of mine which extends Exception. The
> "cause" in the case of schema validation is
> javax.xml.bind.UnmarshalException which also extends Exception.
>
> In that case, one is not assignable from the other.
>
> This failed check results in the framework not adding crucial interceptors
> in the chain, like PolicyBasedWSS4JOutInterceptor etc.
>
> On Thu, Nov 26, 2015 at 2:59 PM, Alexandros Trifyllis <[email protected]> wrote:
>
> > I have a wsdl with security policy for signing messages. In my endpoint I
> > have the annotation @SchemaValidation. When a validation throws a SoapFault
> > the message (with the SoapFault) is not signed. Running CXF in debug mode I
> > see that the interceptor chain used is different compared to the chain when
> > no fault occurs. This is normal but what does not seem normal is that the
> > fault chain does not contain interceptors like:
> > PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor which are
> > required for the message to be signed. Here is the chain when no fault
> > occurs:
> >
> > 14:14:56,310 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (default task-4) Chain org.apache.cxf.phase.PhaseInterceptorChain@5a2ad9f8 was modified. Current flow:
> > setup [ServerPolicyOutFaultInterceptor]
> > pre-logical [MAPAggregatorImpl, SoapHeaderOutFilterInterceptor, SecurityVerificationOutInterceptor]
> > prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > pre-protocol [WebFaultOutInterceptor, MAPCodec, PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor]
> > write [SoapOutInterceptor]
> > marshal [Soap12FaultOutInterceptorInternal]
> > post-protocol [PolicyBasedWSS4JOutInterceptorInternal]
> > write-ending [SoapOutEndingInterceptor]
> > pre-protocol-ending [SAAJOutEndingInterceptor]
> > pre-stream-ending [StaxOutEndingInterceptor]
> > prepare-send-ending [MessageSenderEndingInterceptor]
> >
> > and when fault occurs:
> >
> > 12:55:34,500 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (default task-3) Chain org.apache.cxf.phase.PhaseInterceptorChain@30f5696 was created. Current flow:
> > setup [ServerPolicyOutFaultInterceptor]
> > pre-logical [SoapHeaderOutFilterInterceptor]
> > prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > pre-protocol [WebFaultOutInterceptor]
> > write [SoapOutInterceptor]
> >
> > Am I missing some configuration?
> >
> > Thank you in advance

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
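
Added example, not part of the original thread and not CXF code: a small Python check for the condition described in the reply above, listing binding operations whose wsdl:input or wsdl:output carries a policy while a declared wsdl:fault carries none. The sample WSDL, its binding and operation names and its policy URIs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
# WS-Policy 1.2 (submission) and 1.5 (W3C) namespaces.
WSP = ("{http://schemas.xmlsoap.org/ws/2004/09/policy}", "{http://www.w3.org/ns/ws-policy}")

def has_policy(elem):
    """True if a policy is attached directly to this binding message element."""
    return any(elem.find(ns + "PolicyReference") is not None
               or elem.find(ns + "Policy") is not None
               or elem.get(ns + "PolicyURIs")
               for ns in WSP)

def unsecured_faults(wsdl_text):
    """List (binding, operation, fault) where input/output have a policy but the fault has none."""
    findings = []
    for binding in ET.fromstring(wsdl_text).findall(WSDL + "binding"):
        for op in binding.findall(WSDL + "operation"):
            msgs = [op.find(WSDL + tag) for tag in ("input", "output")]
            if not any(m is not None and has_policy(m) for m in msgs):
                continue  # nothing is secured on this operation, so no mismatch
            for fault in op.findall(WSDL + "fault"):
                if not has_policy(fault):
                    findings.append((binding.get("name"), op.get("name"), fault.get("name")))
    return findings

# Constructed sample: names and policy URIs are made up for this example.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsdl:binding name="ExampleBinding" type="ExamplePortType">
    <wsdl:operation name="FaultSigned">
      <wsdl:input><wsp:PolicyReference URI="#InputPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#OutputPolicy"/></wsdl:output>
      <wsdl:fault name="ExampleFault"><wsp:PolicyReference URI="#FaultPolicy"/></wsdl:fault>
    </wsdl:operation>
    <wsdl:operation name="FaultUnsigned">
      <wsdl:input><wsp:PolicyReference URI="#InputPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#OutputPolicy"/></wsdl:output>
      <wsdl:fault name="ExampleFault"/>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

if __name__ == "__main__":
    for binding, op, fault in unsecured_faults(SAMPLE):
        print(f"{binding}.{op}: wsdl:fault '{fault}' has no policy attached")
```

The check only looks at policies attached directly to the message elements in the binding, so a fault covered solely by a binding-level or operation-level policy is still reported.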
