Hi Oli, I guess it's because https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java is in CXF core, and so isn't tied to the SOAP stack. Could we make it configurable to translate the AccessDeniedException into a WS-Security SOAP fault?
Colm.

On Mon, Jan 3, 2022 at 3:24 PM Oliver Wulff <owu...@wowit.ch> wrote:
>
> Hi all
>
> I do some basic authorization checks within my JAX-WS implementation code and
> was wondering how to return a standard SOAP fault according to the
> WS-Security spec here:
> Web Services Security: SOAP Message Security Version 1.1.1
> (oasis-open.org)<http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html#_Toc307407975>
>
> If there is an authorization error, I should return the fault code
> wsse:FailedAuthentication.
>
> I followed the same approach as within the AbstractAuthorizingInInterceptor
> which simply throws an AccessDeniedException:
> cxf/AbstractAuthorizingInInterceptor.java at master · apache/cxf ·
> GitHub<https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java>
>
> which results in the following soap fault which looks like any other default
> soap fault:
>
> <soap:Body>
>   <soap:Fault>
>     <soap:Code>
>       <soap:Value>soap:Receiver</soap:Value>
>     </soap:Code>
>     <soap:Reason>
>       <soap:Text xml:lang="en">Unauthorized</soap:Text>
>     </soap:Reason>
>   </soap:Fault>
> </soap:Body>
>
>
> I've found the QName definition in WSSecurityException but I can't easily
> throw a WSSecurityException because it's not a RuntimeException.
>
> So, the only approach which worked is this:
>
> throw new SoapFault("Unauthorized", new
>     QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
>           "FailedAuthentication"));
>
> Then I get this soap fault back:
>
> <soap:Body>
>   <soap:Fault>
>     <soap:Code>
>       <soap:Value>soap:Receiver</soap:Value>
>       <soap:Subcode>
>         <soap:Value
>           xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedAuthentication</soap:Value>
>       </soap:Subcode>
>     </soap:Code>
>     <soap:Reason>
>       <soap:Text xml:lang="en">Unauthorized</soap:Text>
>     </soap:Reason>
>   </soap:Fault>
> </soap:Body>
>
> Is there a reason why an AccessDeniedException doesn't return a standard
> WS-Security SOAP Fault?
>
> Thanks for your feedback.
>
> Cheers
> Oli
>
>
> Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
>
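One way to get the wsse:FailedAuthentication fault out of the existing CXF role check without touching CXF core, as an added example that is not code from this thread or from the CXF project: subclass the stock SimpleAuthorizingInterceptor, catch the AccessDeniedException it throws, and rethrow it as the SoapFault the thread shows works. The class name WsseFaultAuthorizingInterceptor is hypothetical; SimpleAuthorizingInterceptor, SoapFault, AccessDeniedException and the wsse namespace are taken from CXF and from the thread. The static helper is reusable from JAX-WS implementation code that does its own checks.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.message.Message;

/**
 * Authorizing interceptor that reports a denied request as a WS-Security
 * fault (wsse:FailedAuthentication) instead of the generic soap:Receiver
 * fault produced when AccessDeniedException escapes the interceptor chain.
 *
 * Hypothetical class written for this example. SimpleAuthorizingInterceptor,
 * SoapFault and AccessDeniedException are real CXF types.
 */
public class WsseFaultAuthorizingInterceptor extends SimpleAuthorizingInterceptor {

    /** wsse namespace, as it appears in the fault quoted in the thread. */
    public static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Fault code from the WS-Security SOAP Message Security fault table. */
    public static final QName FAILED_AUTHENTICATION =
        new QName(WSSE_NS, "FailedAuthentication", "wsse");

    @Override
    public void handleMessage(Message message) {
        try {
            // Role check inherited from AbstractAuthorizingInInterceptor.
            super.handleMessage(message);
        } catch (AccessDeniedException e) {
            // SoapFault is unchecked, so it can be thrown from here or from
            // a JAX-WS method; with SOAP 1.2 CXF emits soap:Receiver with the
            // QName as Subcode, as shown in the thread.
            throw failedAuthentication();
        }
    }

    /**
     * Builds the WS-Security fault. The reason text is the generic one from
     * the spec rather than the missing role, so the fault does not reveal
     * which roles the operation expects.
     */
    public static SoapFault failedAuthentication() {
        return new SoapFault(
            "The security token could not be authenticated or authorized",
            FAILED_AUTHENTICATION);
    }
}
```

Register it in place of SimpleAuthorizingInterceptor (for example as a jaxws:inInterceptors bean with the same methodRolesMap property) and the role check keeps its behaviour while the fault changes. From a JAX-WS implementation method, throwing WsseFaultAuthorizingInterceptor.failedAuthentication() after a failed WebServiceContext.isUserInRole check yields the same fault, so both code paths return one consistent, non-revealing response.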