cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6133] Replacing SecurityException with JwsExceptiion in the jws code
Date Fri, 03 Apr 2015 10:37:19 GMT
Repository: cxf
Updated Branches:
  refs/heads/master ff1068002 -> 318cfdaeb


[CXF-6133] Replacing SecurityException with JwsExceptiion in the jws code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/318cfdae
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/318cfdae
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/318cfdae

Branch: refs/heads/master
Commit: 318cfdaeb15b8d230829d120f894bec6f15bc836
Parents: ff10680
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Apr 3 11:36:59 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Apr 3 11:36:59 2015 +0100

----------------------------------------------------------------------
 .../cxf/rs/security/jose/JoseException.java     | 10 ++----
 .../apache/cxf/rs/security/jose/JoseUtils.java  |  9 +++--
 .../jaxrs/AbstractJwsJsonReaderProvider.java    |  7 +++-
 .../jaxrs/AbstractJwsJsonWriterProvider.java    |  7 +++-
 .../jose/jaxrs/JwsClientResponseFilter.java     |  3 +-
 .../jose/jaxrs/JwsJsonClientResponseFilter.java |  3 +-
 .../jaxrs/JwtAuthenticationClientFilter.java    |  3 +-
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  7 ++--
 .../jose/jaxrs/JwtJwsAuthenticationFilter.java  |  3 +-
 .../cxf/rs/security/jose/jwe/JweException.java  | 32 ++++++++++++-----
 .../jose/jws/AbstractJwsSignatureProvider.java  | 11 +++---
 .../jose/jws/EcDsaJwsSignatureVerifier.java     |  7 ++--
 .../jose/jws/HmacJwsSignatureProvider.java      | 10 +++---
 .../jose/jws/HmacJwsSignatureVerifier.java      | 13 +++++--
 .../security/jose/jws/JwsCompactConsumer.java   | 17 ++++++---
 .../cxf/rs/security/jose/jws/JwsException.java  | 28 ++++++++++-----
 .../rs/security/jose/jws/JwsJsonConsumer.java   | 38 ++++++++++----------
 .../security/jose/jws/JwsJsonOutputStream.java  | 38 +++++++++-----------
 .../rs/security/jose/jws/JwsJsonProducer.java   | 15 +++++---
 .../jose/jws/JwsJsonSignatureEntry.java         | 20 +++++++----
 .../rs/security/jose/jws/JwsOutputStream.java   | 16 +++------
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 26 +++++++++-----
 .../jws/PrivateKeyJwsSignatureProvider.java     | 14 +++-----
 .../jose/jws/PublicKeyJwsSignatureVerifier.java | 16 ++++++---
 24 files changed, 212 insertions(+), 141 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
index 79fbad2..a71a098 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
@@ -22,16 +22,12 @@ public class JoseException extends RuntimeException {
 
     private static final long serialVersionUID = 4118589816228511524L;
     public JoseException() {
-        
+
     }
-    public JoseException(String text) {
-        super(text);
+    public JoseException(String error) {
+        super(error);
     }
     public JoseException(Throwable cause) {
         super(cause);
     }
-    public JoseException(String text, Throwable cause) {
-        super(text, cause);
-    }
-    //Jose Error enum can be introduced too
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
index 122c3eb..f3e25c1 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
@@ -22,12 +22,14 @@ import java.io.UnsupportedEncodingException;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 
 public final class JoseUtils {
-    
+    private static final Logger LOG = LogUtils.getL7dLogger(JoseUtils.class);
     private JoseUtils() {
         
     }
@@ -57,7 +59,8 @@ public final class JoseUtils {
         if (requestContext == null && headerContext != null
             || requestContext != null && headerContext == null
             || !requestContext.equals(headerContext)) {
-            throw new SecurityException();
+            LOG.warning("Invalid JOSE context property");
+            throw new JoseException();
         }
     }
     
@@ -86,7 +89,7 @@ public final class JoseUtils {
         try {
             return new String(decode(encoded), "UTF-8");
         } catch (UnsupportedEncodingException ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
         
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index 17f31b5..094991e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -22,15 +22,19 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsJsonReaderProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonReaderProvider.class);
     private static final String RSSEC_SIGNATURE_IN_LIST_PROPS = "rs.security.signature.in.list.properties";
     private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
     
@@ -53,7 +57,8 @@ public class AbstractJwsJsonReaderProvider {
         Object propLocsProp = 
             MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
         if (propLocsProp == null) {
-            throw new SecurityException();
+            LOG.warning("JWS JSON init properties resource is not identified");
+            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
         }
         List<String> propLocs = null;
         if (propLocsProp instanceof String) { 

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
index db10c62..d5068e2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
@@ -25,18 +25,22 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonProducer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsJsonWriterProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonWriterProvider.class);
     private static final String RSSEC_SIGNATURE_OUT_LIST_PROPS = "rs.security.signature.out.list.properties";
     private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
     
@@ -57,7 +61,8 @@ public class AbstractJwsJsonWriterProvider {
         Object propLocsProp = 
             MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
         if (propLocsProp == null) {
-            throw new SecurityException();
+            LOG.warning("JWS JSON init properties resource is not identified");
+            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
         }
         List<String> propLocs = null;
         if (propLocsProp instanceof String) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index 46a5813..e70bead 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.client.ClientResponseFilter;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 
 @Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
@@ -38,7 +39,7 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement
         JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
         JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJoseHeaders());
         if (!p.verifySignatureWith(theSigVerifier)) {
-            throw new SecurityException();
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         res.setEntityStream(new ByteArrayInputStream(bytes));

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index ecd0912..728c19d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.client.ClientResponseFilter;
 
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -41,7 +42,7 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider i
         JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
         if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
             || !p.verifySignatureWith(theSigVerifiers)) {
-            throw new SecurityException();
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         res.setEntityStream(new ByteArrayInputStream(bytes));

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
index d8bd8c2..821a36a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -31,6 +31,7 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
@@ -58,7 +59,7 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer
             }
         }
         if (jwt == null) {
-            throw new SecurityException();
+            throw new JoseException("JWT token is not available");
         }
         JoseUtils.setJoseMessageContextProperty(jwt.getHeaders(),
                                                 getContextPropertyValue());

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 32de426..0c32f55 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jaxrs;
 
 import java.io.IOException;
+import java.util.logging.Logger;
 
 import javax.annotation.Priority;
 import javax.ws.rs.Priorities;
@@ -27,9 +28,11 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 import javax.ws.rs.core.HttpHeaders;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.common.security.SimpleSecurityContext;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
@@ -38,7 +41,7 @@ import org.apache.cxf.security.SecurityContext;
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
 public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements ContainerRequestFilter {
-
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwtAuthenticationFilter.class);
     private boolean jweOnly;
     
     @Override
@@ -46,7 +49,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
         String auth = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         String[] parts = auth == null ? null : auth.split(" ");
         if (parts == null || !"JWT".equals(parts[0]) || parts.length != 2) {
-            throw new SecurityException();
+            throw new JoseException("JWT scheme is expected");
         }
         JwtToken jwt = super.getJwtToken(parts[1], jweOnly);
         JoseUtils.setMessageContextProperty(jwt.getHeaders());

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
index bf1754c..63b18a8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
 
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -44,7 +45,7 @@ public class JwtJwsAuthenticationFilter extends AbstractJwsReaderProvider implem
         String authHeader = context.getHeaderString(HttpHeaders.AUTHORIZATION);
         String[] schemeData = authHeader.split(" ");
         if (schemeData.length != 2 || !JWT_SCHEME_PROPERTY.equals(schemeData[0])) {
-            throw new SecurityException();
+            throw new JoseException("JWT scheme is expected");
         }
         
         JwsJwtCompactConsumer p = new JwsJwtCompactConsumer(schemeData[1]);

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
index 8a6424e..fdfd4ca 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
@@ -23,17 +23,31 @@ import org.apache.cxf.rs.security.jose.JoseException;
 public class JweException extends JoseException {
 
     private static final long serialVersionUID = 4118589816228511524L;
-    public JweException() {
-        
+    private Error status;
+    public JweException(Error status) {
+        this(status, null);
     }
-    public JweException(String text) {
-        super(text);
-    }
-    public JweException(Throwable cause) {
+    public JweException(Error status, Throwable cause) {
         super(cause);
+        this.status = status;
+    }
+    public Error getError() {
+        return status;
     }
-    public JweException(String text, Throwable cause) {
-        super(text, cause);
+    public static enum Error {
+        NO_ENCRYPTOR,
+        NO_DECRYPTOR,
+        NO_INIT_PROPERTIES,
+        KEY_ALGORITHM_NOT_SET,
+        CONTENT_ALGORITHM_NOT_SET,
+        INVALID_KEY_ALGORITHM,
+        INVALID_CONTENT_ALGORITHM,
+        INVALID_CONTENT_KEY,
+        KEY_ENCRYPTION_FAILURE,
+        CONTENT_ENCRYPTION_FAILURE,
+        KEY_DECRYPTION_FAILURE,
+        CONTENT_DECRYPTION_FAILURE,
+        INVALID_COMPACT_JWE,
+        INVALID_JSON_JWE
     }
-    // Jwe Error enum can be introduced too
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
index 4b77c47..57ceb17 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
@@ -64,11 +64,14 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
     protected abstract JwsSignature doCreateJwsSignature(JoseHeaders headers);
     
     protected void checkAlgorithm(String algo) {
-        String error = "Invalid signature algorithm";
         if (algo == null) {
-            LOG.warning(error + ":" + algo);
-            throw new JwsException(error);
+            LOG.warning("Signature algorithm is not set");
+            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+        }
+        if (!isValidAlgorithmFamily(algo)) {
+            LOG.warning("Invalid signature algorithm: " + algo);
+            throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
         }
     }
-
+    protected abstract boolean isValidAlgorithmFamily(String algo);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index b0bdae4..1a287c4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -43,8 +43,11 @@ public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
     }
     @Override
     public boolean verify(JoseHeaders headers, String unsignedText, byte[] signature) {
-        if (SIGNATURE_LENGTH_MAP.get(super.getAlgorithm().getJwaName()) != signature.length) {
-            throw new SecurityException();
+        final String algoName = super.getAlgorithm().getJwaName();
+        if (SIGNATURE_LENGTH_MAP.get(algoName) != signature.length) {
+            LOG.warning("Algorithm " + algoName + " signature length is " + SIGNATURE_LENGTH_MAP.get(algoName) 
+                        + ", actual length is " + signature.length);
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
         byte[] der = signatureToDer(signature);
         return super.verify(headers, unsignedText, der);

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
index f272dad..d904de9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
@@ -46,7 +46,8 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
         try {
             this.key = Base64UrlUtility.decode(encodedKey);
         } catch (Base64Exception ex) {
-            throw new SecurityException();
+            LOG.warning("Hmac key can not be decoded");
+            throw new JwsException(JwsException.Error.INVALID_KEY, ex);
         }
     }
     
@@ -68,10 +69,7 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
         };
     }
     @Override
-    protected void checkAlgorithm(String algo) {
-        super.checkAlgorithm(algo);
-        if (!AlgorithmUtils.isHmacSign(algo)) {
-            throw new SecurityException();
-        }
+    protected boolean isValidAlgorithmFamily(String algo) {
+        return AlgorithmUtils.isHmacSign(algo);
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index c02ee70..528ccc7 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Arrays;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseUtils;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 
 public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
+    protected static final Logger LOG = LogUtils.getL7dLogger(HmacJwsSignatureVerifier.class);
     private byte[] key;
     private AlgorithmParameterSpec hmacSpec;
     private SignatureAlgorithm supportedAlgo;
@@ -62,10 +65,14 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
     }
     
     protected String checkAlgorithm(String algo) {
-        if (algo == null 
-            || !AlgorithmUtils.isHmacSign(algo)
+        if (algo == null) {
+            LOG.warning("Signature algorithm is not set");
+            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+        }
+        if (!AlgorithmUtils.isHmacSign(algo)
             || !algo.equals(supportedAlgo.getJwaName())) {
-            throw new SecurityException();
+            LOG.warning("Invalid signature algorithm: " + algo);
+            throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
         }
         return algo;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
index c6ee9cd..27f9551 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 
 public class JwsCompactConsumer {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwsCompactConsumer.class);
     private JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
     private String encodedSequence;
     private String encodedSignature;
@@ -51,7 +54,8 @@ public class JwsCompactConsumer {
             if (parts.length == 2 && encodedJws.endsWith(".")) {
                 encodedSignature = "";
             } else {
-                throw new SecurityException("Invalid JWS Compact sequence");
+                LOG.warning("Compact JWS does not have 3 parts");
+                throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
             }
         } else {
             encodedSignature = parts[2];
@@ -59,7 +63,8 @@ public class JwsCompactConsumer {
         String encodedJwsPayload = parts[1];
         if (encodedDetachedPayload != null) {
             if (!StringUtils.isEmpty(encodedJwsPayload)) {
-                throw new SecurityException("Invalid JWS Compact sequence");
+                LOG.warning("Compact JWS includes a payload expected to be detached");
+                throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
             }
             encodedJwsPayload = encodedDetachedPayload;
         }
@@ -87,8 +92,9 @@ public class JwsCompactConsumer {
     }
     public JoseHeaders getJoseHeaders() {
         JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
-        if (joseHeaders.getUpdateCount() != null) { 
-            throw new SecurityException("Duplicate headers have been detected");
+        if (joseHeaders.getUpdateCount() != null) {
+            LOG.warning("Duplicate headers have been detected");
+            throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
         }
         return joseHeaders;
     }
@@ -97,9 +103,10 @@ public class JwsCompactConsumer {
             if (validator.verify(getJoseHeaders(), getUnsignedEncodedSequence(), getDecodedSignature())) {
                 return true;
             }
-        } catch (SecurityException ex) {
+        } catch (JwsException ex) {
             // ignore
         }
+        LOG.warning("Invalid Signature");
         return false;
     }
     public boolean verifySignatureWith(JsonWebKey key) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
index 5073c7d..ccaa9b8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
@@ -23,17 +23,27 @@ import org.apache.cxf.rs.security.jose.JoseException;
 public class JwsException extends JoseException {
 
     private static final long serialVersionUID = 4118589816228511524L;
-    public JwsException() {
-        
+    private Error status;
+    public JwsException(Error status) {
+        this(status, null);
     }
-    public JwsException(String text) {
-        super(text);
-    }
-    public JwsException(Throwable cause) {
+    public JwsException(Error status, Throwable cause) {
         super(cause);
+        this.status = status;
+    }
+    public Error getError() {
+        return status;
     }
-    public JwsException(String text, Throwable cause) {
-        super(text, cause);
+    public static enum Error {
+        NO_PROVIDER,
+        NO_VERIFIER,
+        NO_INIT_PROPERTIES,
+        ALGORITHM_NOT_SET,
+        INVALID_ALGORITHM,
+        INVALID_KEY,
+        SIGNATURE_FAILURE,
+        INVALID_SIGNATURE,
+        INVALID_COMPACT_JWS,
+        INVALID_JSON_JWS
     }
-    // Jws Error enum can be introduced too
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
index ce9bf27..2eaf128 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
@@ -23,9 +23,11 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Logger;
 
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.jaxrs.provider.json.JsonMapObject;
@@ -35,7 +37,7 @@ import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 
 public class JwsJsonConsumer {
-
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonConsumer.class);
     private String jwsSignedDocument;
     private String encodedJwsPayload;
     private List<JwsJsonSignatureEntry> signatureEntries = new LinkedList<JwsJsonSignatureEntry>();
@@ -60,15 +62,20 @@ public class JwsJsonConsumer {
         encodedJwsPayload = (String)jsonObjectMap.get("payload");
         if (encodedJwsPayload == null) {
             encodedJwsPayload = encodedDetachedPayload;
+        } else if (encodedDetachedPayload != null) {
+            LOG.warning("JSON JWS includes a payload expected to be detached");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
         if (encodedJwsPayload == null) {
-            throw new SecurityException("Invalid JWS JSON sequence: no payload is available");
+            LOG.warning("JSON JWS has no payload");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
         
         List<Map<String, Object>> signatureArray = CastUtils.cast((List<?>)jsonObjectMap.get("signatures"));
         if (signatureArray != null) {
             if (jsonObjectMap.containsKey("signature")) {
-                throw new SecurityException("Invalid JWS JSON sequence");
+                LOG.warning("JSON JWS has a flattened 'signature' element and a 'signatures' object");
+                throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
             }
             for (Map<String, Object> signatureEntry : signatureArray) {
                 this.signatureEntries.add(getSignatureObject(signatureEntry));
@@ -77,7 +84,8 @@ public class JwsJsonConsumer {
             this.signatureEntries.add(getSignatureObject(jsonObjectMap));
         }
         if (signatureEntries.isEmpty()) {
-            throw new SecurityException("Invalid JWS JSON sequence: no signatures are available");
+            LOG.warning("JSON JWS has no signatures");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
     }
     protected JwsJsonSignatureEntry getSignatureObject(Map<String, Object> signatureEntry) {
@@ -128,37 +136,29 @@ public class JwsJsonConsumer {
     }
     public boolean verifySignatureWith(List<JwsSignatureVerifier> validators) {
         try {
-            verifyAndGetNonValidated(validators);
-            return true;
-        } catch (SecurityException ex) {
-            return false;
+            if (verifyAndGetNonValidated(validators).isEmpty()) {
+                return true;
+            }
+        } catch (JwsException ex) {
+            // ignore
         }
+        LOG.warning("One of JSON JWS signatures is invalid");
+        return false;
     }
     public List<JwsJsonSignatureEntry> verifyAndGetNonValidated(List<JwsSignatureVerifier> validators) {
-        if (validators.size() > signatureEntries.size()) {
-            throw new SecurityException("Too many signature validators");
-        }
         // TODO: more effective approach is needed
         List<JwsJsonSignatureEntry> validatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
         for (JwsSignatureVerifier validator : validators) {
-            boolean validated = false;
             List<JwsJsonSignatureEntry> theSignatureEntries = 
                 getSignatureEntryMap().get(validator.getAlgorithm().getJwaName());
             if (theSignatureEntries != null) {
                 for (JwsJsonSignatureEntry sigEntry : theSignatureEntries) {
                     if (sigEntry.verifySignatureWith(validator)) {     
                         validatedSignatures.add(sigEntry);
-                        validated = true;
                         break;
                     }
                 }
             }
-            if (!validated) {
-                throw new SecurityException();
-            }
-        }
-        if (validatedSignatures.isEmpty()) {
-            throw new SecurityException();
         }
         List<JwsJsonSignatureEntry> nonValidatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
         for (JwsJsonSignatureEntry sigEntry : signatureEntries) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
index 85f0356..7fe6059 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
@@ -59,11 +59,7 @@ public class JwsJsonOutputStream extends FilterOutputStream {
         executor.execute(new Runnable() {
             public void run() {
                 for (JwsSignature signature : signatures) {
-                    try {
-                        signature.update(b, off, len);
-                    } catch (Throwable ex) {
-                        throw new SecurityException();
-                    }
+                    signature.update(b, off, len);
                 }
             }
         });
@@ -76,29 +72,29 @@ public class JwsJsonOutputStream extends FilterOutputStream {
             return;
         }
         out.write(StringUtils.toBytesUTF8("\",\"signatures\":["));
-        try {
-            shutdownExecutor();
-            for (int i = 0; i < signatures.size(); i++) {
-                if (i > 0) {
-                    out.write(new byte[]{','});
-                }
-                out.write(StringUtils.toBytesUTF8("{\"protected\":\"" 
-                                                 + protectedHeaders.get(i) 
-                                                 + "\",\"signature\":\""));
-                byte[] sign = signatures.get(i).sign();
-                Base64UrlUtility.encodeAndStream(sign, 0, sign.length, out);
-                out.write(StringUtils.toBytesUTF8("\"}"));
+        shutdownExecutor();
+        for (int i = 0; i < signatures.size(); i++) {
+            if (i > 0) {
+                out.write(new byte[]{','});
             }
-        } catch (Exception ex) {
-            throw new SecurityException();
+            out.write(StringUtils.toBytesUTF8("{\"protected\":\"" 
+                                             + protectedHeaders.get(i) 
+                                             + "\",\"signature\":\""));
+            byte[] sign = signatures.get(i).sign();
+            Base64UrlUtility.encodeAndStream(sign, 0, sign.length, out);
+            out.write(StringUtils.toBytesUTF8("\"}"));
         }
         out.write(StringUtils.toBytesUTF8("]}"));
         flushed = true;
     }
-    private void shutdownExecutor() throws Exception {
+    private void shutdownExecutor() {
         executor.shutdown();
         while (!executor.isTerminated()) {
-            executor.awaitTermination(1, TimeUnit.MILLISECONDS);
+            try {
+                executor.awaitTermination(1, TimeUnit.MILLISECONDS);
+            } catch (InterruptedException ex) {
+                throw new RuntimeException(ex);
+            }
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
index 5620232..46ce4ea 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
@@ -22,9 +22,11 @@ import java.security.interfaces.RSAPrivateKey;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.logging.Logger;
 
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -32,6 +34,7 @@ import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 public class JwsJsonProducer {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonProducer.class);
     private boolean supportFlattened;
     private String plainPayload;
     private String encodedPayload;
@@ -57,7 +60,8 @@ public class JwsJsonProducer {
     }
     public String getJwsJsonSignedDocument(boolean detached) {
         if (signatures.isEmpty()) { 
-            throw new SecurityException("Signature is not available");
+            LOG.warning("Signature is not available");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
         StringBuilder sb = new StringBuilder();
         sb.append("{");
@@ -124,12 +128,14 @@ public class JwsJsonProducer {
             checkCriticalHeaders(unprotectedHeader);
             if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                      unprotectedHeader.asMap().keySet())) {
-                throw new SecurityException("Protected and unprotected headers have duplicate values");
+                LOG.warning("Protected and unprotected headers have duplicate values");
+                throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
             }
             unionHeaders.asMap().putAll(unprotectedHeader.asMap());
         }
         if (unionHeaders.getAlgorithm() == null) {
-            throw new SecurityException("Algorithm header is not set");
+            LOG.warning("Algorithm header is not set");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
         String sequenceToBeSigned;
         if (protectedHeader != null) {
@@ -163,7 +169,8 @@ public class JwsJsonProducer {
     }
     private static void checkCriticalHeaders(JoseHeaders unprotected) {
         if (unprotected.asMap().containsKey(JoseConstants.HEADER_CRITICAL)) {
-            throw new SecurityException();
+            LOG.warning("Unprotected headers contain critical headers");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
index 5b249ad..9ef258e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
@@ -19,7 +19,9 @@
 package org.apache.cxf.rs.security.jose.jws;
 
 import java.util.Collections;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -30,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 
 
 public class JwsJsonSignatureEntry {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonSignatureEntry.class);
     private String encodedJwsPayload;
     private String encodedProtectedHeader;
     private String encodedSignature;
@@ -43,7 +46,8 @@ public class JwsJsonSignatureEntry {
                                  String encodedSignature,
                                  JoseHeaders unprotectedHeader) {
         if (encodedProtectedHeader == null && unprotectedHeader == null || encodedSignature == null) {
-            throw new SecurityException("Invalid security entry");
+            LOG.warning("Invalid Signature entry");
+            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
         }
         
         this.encodedJwsPayload = encodedJwsPayload;
@@ -64,7 +68,8 @@ public class JwsJsonSignatureEntry {
         if (unprotectedHeader != null) {
             if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                      unprotectedHeader.asMap().keySet())) {
-                throw new SecurityException("Protected and unprotected headers have duplicate values");
+                LOG.warning("Protected and unprotected headers have duplicate values");
+                throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
             }
             unionHeaders.asMap().putAll(unprotectedHeader.asMap());
         }
@@ -108,12 +113,15 @@ public class JwsJsonSignatureEntry {
     }
     public boolean verifySignatureWith(JwsSignatureVerifier validator) {
         try {
-            return validator.verify(getUnionHeader(),
-                                    getUnsignedEncodedSequence(),
-                                    getDecodedSignature());
-        } catch (SecurityException ex) {
+            if (validator.verify(getUnionHeader(),
+                                 getUnsignedEncodedSequence(),
+                                 getDecodedSignature())) {
+                return true;
+            }
+        } catch (JwsException ex) {
             // ignore
         }
+        LOG.warning("Invalid Signature Entry");
         return false;
     }
     public boolean verifySignatureWith(JsonWebKey key) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
index b9d572a..53b592f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
@@ -41,11 +41,7 @@ public class JwsOutputStream extends FilterOutputStream {
     
     @Override
     public void write(byte b[], int off, int len) throws IOException {
-        try {
-            signature.update(b, off, len);
-        } catch (Throwable ex) {
-            throw new SecurityException();
-        }
+        signature.update(b, off, len);
         out.write(b, off, len);
         out.flush();
     }
@@ -54,13 +50,9 @@ public class JwsOutputStream extends FilterOutputStream {
         if (flushed) {
             return;
         }
-        try {
-            byte[] finalBytes = signature.sign();
-            out.write(new byte[]{'.'});
-            Base64UrlUtility.encodeAndStream(finalBytes, 0, finalBytes.length, out);
-        } catch (Exception ex) {
-            throw new SecurityException();
-        }
+        byte[] finalBytes = signature.sign();
+        out.write(new byte[]{'.'});
+        Base64UrlUtility.encodeAndStream(finalBytes, 0, finalBytes.length, out);
         flushed = true;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index f66087f..d4b759a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -25,9 +25,11 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
+import java.util.logging.Logger;
 
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
@@ -43,6 +45,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 
 public final class JwsUtils {
+    private static final Logger LOG = LogUtils.getL7dLogger(JwsUtils.class);
     private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
     private static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
     private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
@@ -168,7 +171,7 @@ public final class JwsUtils {
         return loadSignatureVerifier(m, props, headers, false);
     }
     public static List<JwsSignatureProvider> loadSignatureProviders(String propLoc, Message m) {
-        Properties props = loadProperties(m, propLoc);
+        Properties props = loadJwsProperties(m, propLoc);
         JwsSignatureProvider theSigProvider = loadSignatureProvider(m, props, null, true);
         if (theSigProvider != null) {
             return Collections.singletonList(theSigProvider);
@@ -184,13 +187,14 @@ public final class JwsUtils {
             }
         }
         if (theSigProviders == null) {
-            throw new SecurityException();
+            LOG.warning("Providers are not available");
+            throw new JwsException(JwsException.Error.NO_PROVIDER);
         }
         return theSigProviders;
     }
     
     public static List<JwsSignatureVerifier> loadSignatureVerifiers(String propLoc, Message m) {
-        Properties props = loadProperties(m, propLoc);
+        Properties props = loadJwsProperties(m, propLoc);
         JwsSignatureVerifier theVerifier = loadSignatureVerifier(m, props, null, true);
         if (theVerifier != null) {
             return Collections.singletonList(theVerifier);
@@ -206,7 +210,8 @@ public final class JwsUtils {
             }
         }
         if (theVerifiers == null) {
-            throw new SecurityException();
+            LOG.warning("Verifiers are not available");
+            throw new JwsException(JwsException.Error.NO_VERIFIER);
         }
         return theVerifiers;
     }
@@ -243,7 +248,8 @@ public final class JwsUtils {
             }
         }
         if (theSigProvider == null && !ignoreNullProvider) {
-            throw new SecurityException();
+            LOG.warning("Provider is not available");
+            throw new JwsException(JwsException.Error.NO_PROVIDER);
         }
         return theSigProvider;
     }
@@ -279,15 +285,17 @@ public final class JwsUtils {
                               (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
         }
         if (theVerifier == null && !ignoreNullVerifier) {
-            throw new SecurityException();
+            LOG.warning("Verifier is not available");
+            throw new JwsException(JwsException.Error.NO_VERIFIER);
         }
         return theVerifier;
     }
-    private static Properties loadProperties(Message m, String propLoc) {
+    private static Properties loadJwsProperties(Message m, String propLoc) {
         try {
             return ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("JWS init properties are not available");
+            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
         }
     }
     private static String getSignatureAlgo(Message m, Properties props, String algo, String defaultAlgo) {
@@ -311,7 +319,7 @@ public final class JwsUtils {
     public static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
         JwsCompactConsumer jws = new JwsCompactConsumer(content);
         if (!jws.verifySignatureWith(v)) {
-            throw new SecurityException();
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
         return jws;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
index 292ecf6..cb7b5ab 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
@@ -57,15 +57,8 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
     protected JwsSignature doCreateJwsSignature(Signature s) {
         return new PrivateKeyJwsSignature(s);
     }
-    @Override
-    protected void checkAlgorithm(String algo) {
-        super.checkAlgorithm(algo);
-        if (!isValidAlgorithmFamily(algo)) {
-            throw new SecurityException();
-        }
-        //TODO: validate "A key of size 2048 bits or larger MUST be used" for PS-SHA algorithms 
-    }
     
+    @Override
     protected boolean isValidAlgorithmFamily(String algo) {
         return AlgorithmUtils.isRsaSign(algo);
     }
@@ -80,7 +73,7 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
             try {
                 s.update(src, off, len);
             } catch (SignatureException ex) {
-                throw new SecurityException();
+                throw new JwsException(JwsException.Error.SIGNATURE_FAILURE, ex);
             }
         }
 
@@ -89,9 +82,10 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
             try {
                 return s.sign();
             } catch (SignatureException ex) {
-                throw new SecurityException();
+                throw new JwsException(JwsException.Error.SIGNATURE_FAILURE, ex);
             }
         }
         
     }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 7e8fd80..fb163ad 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.PublicKey;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 
 public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
+    protected static final Logger LOG = LogUtils.getL7dLogger(PublicKeyJwsSignatureVerifier.class);
     private PublicKey key;
     private AlgorithmParameterSpec signatureSpec;
     private SignatureAlgorithm supportedAlgo;
@@ -49,14 +52,19 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
                                                AlgorithmUtils.toJavaName(checkAlgorithm(headers.getAlgorithm())),
                                                signatureSpec);
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Invalid signature");
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
     }
     protected String checkAlgorithm(String algo) {
-        if (algo == null 
-            || !isValidAlgorithmFamily(algo)
+        if (algo == null) {
+            LOG.warning("Signature algorithm is not set");
+            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+        }
+        if (!isValidAlgorithmFamily(algo)
             || !algo.equals(supportedAlgo.getJwaName())) {
-            throw new SecurityException();
+            LOG.warning("Invalid signature algorithm: " + algo);
+            throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
         }
         return algo;
     }


Mime
View raw message