cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1559133 - in /cxf/branches/2.7.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/
Date Fri, 17 Jan 2014 15:15:32 GMT
Author: coheigea
Date: Fri Jan 17 15:15:32 2014
New Revision: 1559133

URL: http://svn.apache.org/r1559133
Log:
Standardizing security error messages


Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
	rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java

Modified:
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1559133&r1=1559132&r2=1559133&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Jan 17 15:15:32 2014
@@ -835,11 +835,15 @@ public class WSS4JInInterceptor extends 
     private SoapFault 
     createSoapFault(SoapVersion version, WSSecurityException e) {
         SoapFault fault;
+        String errorMessage = WSS4JUtils.getSafeExceptionMessage(e);
+        if (errorMessage == null) {
+            errorMessage = e.getMessage();
+        }
         javax.xml.namespace.QName faultCode = e.getFaultCode();
         if (version.getVersion() == 1.1 && faultCode != null) {
-            fault = new SoapFault(e.getMessage(), e, faultCode);
+            fault = new SoapFault(errorMessage, e, faultCode);
         } else {
-            fault = new SoapFault(e.getMessage(), e, version.getSender());
+            fault = new SoapFault(errorMessage, e, version.getSender());
             if (version.getVersion() != 1.1 && faultCode != null) {
                 fault.setSubCode(faultCode);
             }

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1559133&r1=1559132&r2=1559133&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Fri Jan 17 15:15:32 2014
@@ -21,13 +21,16 @@ package org.apache.cxf.ws.security.wss4j
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import javax.xml.namespace.QName;
 
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.cache.ReplayCache;
 
 /**
@@ -35,6 +38,21 @@ import org.apache.ws.security.cache.Repl
  * UsernameTokenInterceptor.
  */
 public final class WSS4JUtils {
+    
+    // FAULT error messages
+    public static final String UNSUPPORTED_TOKEN_ERR = "An unsupported token was provided";
+    public static final String UNSUPPORTED_ALGORITHM_ERR = 
+        "An unsupported signature or encryption algorithm was used";
+    public static final String INVALID_SECURITY_ERR = 
+        "An error was discovered processing the <wsse:Security> header.";
+    public static final String INVALID_SECURITY_TOKEN_ERR = 
+        "An invalid security token was provided";
+    public static final String FAILED_AUTHENTICATION_ERR = 
+        "The security token could not be authenticated or authorized";
+    public static final String FAILED_CHECK_ERR = "The signature or decryption was invalid";
+    public static final String SECURITY_TOKEN_UNAVAILABLE_ERR = 
+        "Referenced security token could not be retrieved";
+    public static final String MESSAGE_EXPIRED_ERR = "The message has expired";
 
     private WSS4JUtils() {
         // complete
@@ -137,4 +155,37 @@ public final class WSS4JUtils {
         return actionResultList;
     }
 
+    /**
+     * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
+     * internal configuration to an attacker.
+     */
+    public static String getSafeExceptionMessage(WSSecurityException ex) {
+        // Allow a Replay Attack message to be returned, otherwise it could be confusing
+        // for clients who don't understand the default caching functionality of WSS4J/CXF
+        if (ex.getMessage() != null && ex.getMessage().contains("replay attack"))
{
+            return ex.getMessage();
+        }
+        
+        String errorMessage = null;
+        QName faultCode = ex.getFaultCode();
+        if (WSConstants.UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
+            errorMessage = UNSUPPORTED_TOKEN_ERR;
+        } else if (WSConstants.UNSUPPORTED_ALGORITHM.equals(faultCode)) {
+            errorMessage = UNSUPPORTED_ALGORITHM_ERR;
+        } else if (WSConstants.INVALID_SECURITY.equals(faultCode)) {
+            errorMessage = INVALID_SECURITY_ERR;
+        } else if (WSConstants.INVALID_SECURITY_TOKEN.equals(faultCode)) {
+            errorMessage = INVALID_SECURITY_TOKEN_ERR;
+        } else if (WSConstants.FAILED_AUTHENTICATION.equals(faultCode)) {
+            errorMessage = FAILED_AUTHENTICATION_ERR;
+        } else if (WSConstants.FAILED_CHECK.equals(faultCode)) {
+            errorMessage = FAILED_CHECK_ERR;
+        } else if (WSConstants.SECURITY_TOKEN_UNAVAILABLE.equals(faultCode)) {
+            errorMessage = SECURITY_TOKEN_UNAVAILABLE_ERR;
+        } else if (WSConstants.MESSAGE_EXPIRED.equals(faultCode)) {
+            errorMessage = MESSAGE_EXPIRED_ERR;
+        }
+        return errorMessage;
+        
+    }
 }

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1559133&r1=1559132&r2=1559133&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Fri Jan 17 15:15:32 2014
@@ -609,7 +609,9 @@ public class SecurityPolicyTest extends 
             // Different errors using different JDKs...
             assertTrue(errorMessage.contains("Certificate has been revoked")
                        || errorMessage.contains("Certificate revocation")
-                       || errorMessage.contains("Error during certificate path validation"));
+                       || errorMessage.contains("Error during certificate path validation")
+                       || errorMessage.contains(
+                           "The security token could not be authenticated or authorized"));
         }
         
         ((java.io.Closeable)pt).close();



Mime
View raw message