Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8F9F5107C4 for ; Fri, 17 Jan 2014 15:27:12 +0000 (UTC) Received: (qmail 39678 invoked by uid 500); 17 Jan 2014 15:27:10 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 39562 invoked by uid 500); 17 Jan 2014 15:27:09 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 39555 invoked by uid 99); 17 Jan 2014 15:27:09 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Jan 2014 15:27:09 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Jan 2014 15:27:07 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id BBBF22388A3B; Fri, 17 Jan 2014 15:26:47 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1559148 - in /cxf/branches/2.6.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/ Date: Fri, 17 Jan 2014 15:26:47 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140117152647.BBBF22388A3B@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Fri Jan 17 15:26:47 2014 New Revision: 1559148 URL: http://svn.apache.org/r1559148 Log: Standardizing security error messages Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JFaultCodeTest.java systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1559148&r1=1559147&r2=1559148&view=diff ============================================================================== --- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Fri Jan 17 15:26:47 2014 
@@ -762,11 +762,15 @@ public class WSS4JInInterceptor extends
 private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
 SoapFault fault;
+ String errorMessage = WSS4JUtils.getSafeExceptionMessage(e);
+ if (errorMessage == null) {
+ errorMessage = e.getMessage();
+ }
 javax.xml.namespace.QName faultCode = e.getFaultCode();
 if (version.getVersion() == 1.1 && faultCode != null) {
- fault = new SoapFault(e.getMessage(), e, faultCode);
+ fault = new SoapFault(errorMessage, e, faultCode);
 } else {
- fault = new SoapFault(e.getMessage(), e, version.getSender());
+ fault = new SoapFault(errorMessage, e, version.getSender());
 if (version.getVersion() != 1.1 && faultCode != null) {
 fault.setSubCode(faultCode);
 }
Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1559148&r1=1559147&r2=1559148&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java (original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Fri Jan 17 15:26:47 2014
@@ -18,11 +18,15 @@
 */
 package org.apache.cxf.ws.security.wss4j;
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.cache.ReplayCache;
 /**
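Review bot: The fallback `errorMessage = e.getMessage();` in createSoapFault still puts the raw WSSecurityException text on the wire whenever getSafeExceptionMessage() returns null, which (from the WSS4JUtils hunk below) is every fault code outside the eight it maps and any exception carrying a null fault code, so the configuration leak this commit sets out to close stays open on that path. A fixed generic reason, `errorMessage = WSS4JUtils.INVALID_SECURITY_ERR;` or a dedicated constant, would keep the client-visible message safe for every fault code, while the original text stays available to server-side logging through the exception that is still passed as the SoapFault cause. That cause `e` is handed to SoapFault on both branches; whether its message or stack trace is ever serialized to the client depends on fault-handling settings outside this hunk, so that is worth confirming rather than assuming. createSoapFault's body continues past the end of the hunk.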
@@ -31,6 +35,22 @@ import org.apache.ws.security.cache.Repl
 */
 public final class WSS4JUtils {
+ // FAULT error messages
+ public static final String UNSUPPORTED_TOKEN_ERR = "An unsupported token was provided";
+ public static final String UNSUPPORTED_ALGORITHM_ERR =
+ "An unsupported signature or encryption algorithm was used";
+ public static final String INVALID_SECURITY_ERR =
+ "An error was discovered processing the header.";
+ public static final String INVALID_SECURITY_TOKEN_ERR =
+ "An invalid security token was provided";
+ public static final String FAILED_AUTHENTICATION_ERR =
+ "The security token could not be authenticated or authorized";
+ public static final String FAILED_CHECK_ERR = "The signature or decryption was invalid";
+ public static final String SECURITY_TOKEN_UNAVAILABLE_ERR =
+ "Referenced security token could not be retrieved";
+ public static final String MESSAGE_EXPIRED_ERR = "The message has expired";
+
+
 private WSS4JUtils() {
 // complete
 }
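Review bot: `INVALID_SECURITY_ERR` is the only one of the eight reason strings that ends with a period (`"An error was discovered processing the header."`), which is a needless inconsistency for clients that match on these texts; `"An error was discovered processing the header"` would line up with the other seven. These constants read as the standard WS-Security fault reason strings keyed by the `WSConstants` fault codes, though the WSS4J side is not visible here; a short comment above the group, such as `// Fixed, client-visible fault reasons keyed by WS-Security fault code - keep them free of configuration detail`, would tell the next maintainer why they must stay generic. The comment `// FAULT error messages` says what the group is but not that constraint, which is the point of this change.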
@@ -85,5 +105,37 @@ public final class WSS4JUtils {
 return null;
 }
-
+ /**
+ * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
+ * internal configuration to an attacker.
+ */
+ public static String getSafeExceptionMessage(WSSecurityException ex) {
+ // Allow a Replay Attack message to be returned, otherwise it could be confusing
+ // for clients who don't understand the default caching functionality of WSS4J/CXF
+ if (ex.getMessage() != null && ex.getMessage().contains("replay attack")) {
+ return ex.getMessage();
+ }
+
+ String errorMessage = null;
+ QName faultCode = ex.getFaultCode();
+ if (WSConstants.UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
+ errorMessage = UNSUPPORTED_TOKEN_ERR;
+ } else if (WSConstants.UNSUPPORTED_ALGORITHM.equals(faultCode)) {
+ errorMessage = UNSUPPORTED_ALGORITHM_ERR;
+ } else if (WSConstants.INVALID_SECURITY.equals(faultCode)) {
+ errorMessage = INVALID_SECURITY_ERR;
+ } else if (WSConstants.INVALID_SECURITY_TOKEN.equals(faultCode)) {
+ errorMessage = INVALID_SECURITY_TOKEN_ERR;
+ } else if (WSConstants.FAILED_AUTHENTICATION.equals(faultCode)) {
+ errorMessage = FAILED_AUTHENTICATION_ERR;
+ } else if (WSConstants.FAILED_CHECK.equals(faultCode)) {
+ errorMessage = FAILED_CHECK_ERR;
+ } else if (WSConstants.SECURITY_TOKEN_UNAVAILABLE.equals(faultCode)) {
+ errorMessage = SECURITY_TOKEN_UNAVAILABLE_ERR;
+ } else if (WSConstants.MESSAGE_EXPIRED.equals(faultCode)) {
+ errorMessage = MESSAGE_EXPIRED_ERR;
+ }
+ return errorMessage;
+
+ }
 }
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1559148&r1=1559147&r2=1559148&view=diff
==============================================================================
--- 
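Review bot: The Javadoc on getSafeExceptionMessage leaves out the two parts of its contract that callers depend on: it returns null for any fault code outside the eight mapped here (and when `ex.getFaultCode()` is null), and the replay-attack branch returns the WSS4J message unsanitised; since a caller chooses what goes on the wire based on that null, the doc should say so, e.g. `@return a fixed reason string for a known WS-Security fault code, the original message for a replay-attack failure, or {@code null} otherwise`. The replay detection matches the substring `"replay attack"` in a message produced by WSS4J, which is fragile against wording or version changes and would fail closed into a null return rather than an error, so a comment recording that dependency (or a fault-code check if WSS4J offers one) would help. The replay path also forwards whatever detail WSS4J puts in that message, presumably only the timestamp/nonce wording, but that is worth confirming against the WSS4J text before trusting it as leak-free.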
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Fri Jan 17 15:26:47 2014
@@ -609,7 +609,9 @@ public class SecurityPolicyTest extends
 // Different errors using different JDKs...
 assertTrue(errorMessage.contains("Certificate has been revoked")
 || errorMessage.contains("Certificate revocation")
- || errorMessage.contains("Error during certificate path validation"));
+ || errorMessage.contains("Error during certificate path validation")
+ || errorMessage.contains(
+ "The security token could not be authenticated or authorized"));
 }
 ((java.io.Closeable)pt).close();
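Review bot: Accepting `"The security token could not be authenticated or authorized"` makes the assertion pass for any FAILED_AUTHENTICATION fault, a bad password or an untrusted issuer as much as the revoked certificate the existing strings target, so the test no longer demonstrates that the revocation check fired. If the server now masks the cause, the three JDK-specific strings are presumably reachable only when validation fails on the client side; a comment such as `// Server-side failures are masked by WSS4JUtils.getSafeExceptionMessage; the JDK strings appear only for client-side validation` would record why both forms are accepted. A stronger check, if the harness allows it, is to assert the revocation-specific text in the server log rather than in the fault. The enclosing test method starts before the hunk.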