cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1559126 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-sec...
Date Fri, 17 Jan 2014 14:56:09 GMT
Author: coheigea
Date: Fri Jan 17 14:56:09 2014
New Revision: 1559126

URL: http://svn.apache.org/r1559126
Log:
Allow returning Replay Attack messages

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Jan 17 14:56:09 2014
@@ -801,11 +801,11 @@ public class WSS4JInInterceptor extends 
     private SoapFault 
     createSoapFault(SoapVersion version, WSSecurityException e) {
         SoapFault fault;
-        javax.xml.namespace.QName faultCode = e.getFaultCode();
-        String errorMessage = WSS4JUtils.mapFaultCodeToMessage(faultCode);
+        String errorMessage = WSS4JUtils.getSafeExceptionMessage(e);
         if (errorMessage == null) {
             errorMessage = e.getMessage();
         }
+        javax.xml.namespace.QName faultCode = e.getFaultCode();
         if (version.getVersion() == 1.1 && faultCode != null) {
             fault = new SoapFault(errorMessage, e, faultCode);
         } else {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Fri Jan 17 14:56:09 2014
@@ -41,6 +41,7 @@ import org.apache.cxf.ws.security.tokens
 import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.cache.ReplayCacheFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
@@ -231,10 +232,18 @@ public final class WSS4JUtils {
     }
 
     /**
-     * Map a standard FaultCode QName to a standard error String
+     * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
+     * internal configuration to an attacker.
      */
-    public static String mapFaultCodeToMessage(QName faultCode) {
+    public static String getSafeExceptionMessage(WSSecurityException ex) {
+        // Allow a Replay Attack message to be returned, otherwise it could be confusing
+        // for clients who don't understand the default caching functionality of WSS4J/CXF
+        if (ex.getMessage() != null && ex.getMessage().contains("replay attack"))
{
+            return ex.getMessage();
+        }
+        
         String errorMessage = null;
+        QName faultCode = ex.getFaultCode();
         if (WSConstants.UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
             errorMessage = UNSUPPORTED_TOKEN_ERR;
         } else if (WSConstants.UNSUPPORTED_ALGORITHM.equals(faultCode)) {

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
Fri Jan 17 14:56:09 2014
@@ -150,7 +150,7 @@ public class ActionTest extends Abstract
             port.doubleIt(25);
             fail("Failure expected on a replayed UsernameToken");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-            String error = "An error was discovered processing the <wsse:Security>
header.";
+            String error = "A replay attack has been detected";
             assertTrue(ex.getMessage().contains(error));
         }
         
@@ -212,7 +212,7 @@ public class ActionTest extends Abstract
             port.doubleIt(25);
             fail("Failure expected on a replayed Timestamp");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-            String error = "An error was discovered processing the <wsse:Security>
header.";
+            String error = "A replay attack has been detected";
             assertTrue(ex.getMessage().contains(error));
         }
         

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Fri Jan 17 14:56:09 2014
@@ -953,9 +953,8 @@ public class SamlTokenTest extends Abstr
             saml2Port.doubleIt(25);
             fail("Failure expected on a replayed SAML Assertion");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-            String error = "An error was discovered processing the <wsse:Security>
header.";
-            assertTrue(ex.getMessage().contains(error)
-                       || ex.getMessage().contains("A replay attack has been detected"));
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
         }
         
         ((java.io.Closeable)saml2Port).close();

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
Fri Jan 17 14:56:09 2014
@@ -369,7 +369,7 @@ public class UsernameTokenTest extends A
                 utPort.doubleIt(25);
                 fail("Failure expected on a replayed UsernameToken");
             } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-                String error = "An error was discovered processing the <wsse:Security>
header.";
+                String error = "A replay attack has been detected";
                 String error2 = "The security token could not be authenticated or authorized";
                 assertTrue(ex.getMessage().contains(error) || ex.getMessage().contains(error2));
             }

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1559126&r1=1559125&r2=1559126&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Fri Jan 17 14:56:09 2014
@@ -925,7 +925,7 @@ public class X509TokenTest extends Abstr
             x509Port.doubleIt(25);
             fail("Failure expected on a replayed Timestamp");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-            String error = "An error was discovered processing the <wsse:Security>
header.";
+            String error = "A replay attack has been detected";
             assertTrue(ex.getMessage().contains(error)
                        || ex.getMessage().contains("The message has expired"));
         }



Mime
View raw message