ws-fx-dev mailing list archives

From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject Re: PasswordCallback exception messages
Date Wed, 27 Jul 2005 06:03:20 GMT
Steve,

well, at the level of the WSSecurityEngine we could add
the original exception that causes the WSSecurityException.

On the other hand, if you supply too much information
why a specific security check failed you may give a malicious
person who tries to attack your system additional info on how to
proceed with the attack. Thus we decided to just say:
"no password for xyz". This does not give info if there is a
user "xyz" that has no password, or if there is a user "xyz" at 
all.

Regards,
Werner

> -----Original Message-----
> From: Steve Brunton [mailto:brunton@dweeb.turner.com] 
> Sent: Tuesday, 26 July 2005 20:59
> To: fx-dev@ws.apache.org
> Subject: PasswordCallback exception messages
> 
> 
> Had a co-worker writing some testing code against a SOAP service that I
> wrote that is protected with the WS-Security using a Timestamp and
> UsernameToken in the Security Header. As he was trying to debug his
> application he kept on telling me that he was getting an error of:
> 
> WSSecurityEngine: Callback supplied no password for: me@me.com
> 
> even though he knew that a password was being supplied in the request
> and when we watched through the TCP Monitor sure enough it was there.
> 
> In backtracking through it looks like in the WSSecurityEngine it is
> catching the UnsupportedCallbackException that I throw in my
> PasswordCallbackHandler and not using the error message that I supply.
> If there is no user in the LDAP call I throw an
> UnsupportedCallbackException with a "noSuchUser" message. In the Engine
> on line 887 it catches that and then defaults to a "noPassword" message
> when it throws the WSSecurityException. Is this the planned operation or
> should it allow different error responses to flow back up the Exception
> chain?
> 
> -- 
> Steve Brunton   <brunton@dweeb.turner.com>  Phone: 404-885-2436
> Chief Engineer                               AOL IM : schitzo42
> CNN Internet Technologies         ICBM: 84W 23' 45" 33N 45' 29"
> <*> Borrow money from pessimists-they don't expect it back. <*>
> 
> 
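The policy Werner describes (one generic client-facing message for "no such user" and "user has no password", with the original exception kept server-side) can be shown in a few lines. The following is an added illustration written for this archive page, not WSS4J's own code: the handler, engine and exception classes are constructed stand-ins for the real PasswordCallbackHandler / WSSecurityEngine / WSSecurityException, the user store is a constructed replacement for Steve's LDAP lookup, and only the fault text "Callback supplied no password for: ..." is taken from the thread. It also goes one step further than the thread by collapsing a password mismatch into the same generic fault, and uses a constant-time comparison for the password check; both are this example's choices, not something the list discussion settles.

```python
"""Constructed illustration: generic client-facing fault, detailed server-side cause.

Not WSS4J code. Names below are invented to model the shape of the problem
described in the thread; only the fault text is quoted from it.
"""
import hmac
import logging
from typing import Optional

log = logging.getLogger("wss")

# Constructed user store standing in for the LDAP lookup in the thread:
# "alice" has a password, "bob" exists but has none, "mallory" does not exist.
USER_STORE = {"alice": "s3cret", "bob": None}

# The single message every authentication failure shows to the caller.
GENERIC_FAULT = "Callback supplied no password for"


class UnsupportedCallbackException(Exception):
    """Stand-in for javax.security.auth.callback.UnsupportedCallbackException."""


class WSSecurityException(Exception):
    """Client-facing failure: carries only the generic reason plus the identifier."""

    def __init__(self, reason: str, identifier: str):
        super().__init__(f"{reason}: {identifier}")
        self.reason = reason
        self.identifier = identifier


class PasswordCallback:
    """Stand-in for the password callback the engine hands to the handler."""

    def __init__(self, identifier: str):
        self.identifier = identifier
        self.password: Optional[str] = None


def password_callback_handler(cb: PasswordCallback) -> None:
    """Handler as the original poster describes his: a descriptive exception
    for unknown users, otherwise the stored password is filled in."""
    if cb.identifier not in USER_STORE:
        raise UnsupportedCallbackException(f"noSuchUser: {cb.identifier}")
    cb.password = USER_STORE[cb.identifier]


def verify_username_token(identifier: str, presented_password: str) -> bool:
    """Engine side. Each failure path raises the same generic fault; the
    specific reason goes to the server log, and the handler's own exception
    is chained as __cause__ so it stays available for local debugging."""
    cb = PasswordCallback(identifier)
    try:
        password_callback_handler(cb)
    except UnsupportedCallbackException as e:
        log.warning("callback rejected identifier %r: %s", identifier, e)
        raise WSSecurityException(GENERIC_FAULT, identifier) from e
    if cb.password is None:
        log.warning("no password on record for %r", identifier)
        raise WSSecurityException(GENERIC_FAULT, identifier)
    # Constant-time comparison: this example's choice, not from the thread.
    if not hmac.compare_digest(cb.password, presented_password):
        log.warning("password mismatch for %r", identifier)
        raise WSSecurityException(GENERIC_FAULT, identifier)
    return True


def client_fault(identifier: str, presented_password: str) -> str:
    """What a remote caller gets back: str(exc) only, never the chained cause."""
    try:
        verify_username_token(identifier, presented_password)
    except WSSecurityException as exc:
        return str(exc)
    return "ok"


def server_side_cause(identifier: str, presented_password: str) -> Optional[str]:
    """What an operator with access to the exception object can still see."""
    try:
        verify_username_token(identifier, presented_password)
    except WSSecurityException as exc:
        return None if exc.__cause__ is None else str(exc.__cause__)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "x"), ("mallory", "x")]:
        print(f"{user!r:10} -> {client_fault(user, pw)}")
```

Run stand-alone, the three failing cases print the same shaped fault while the warnings on stderr name the real reason for each; `server_side_cause("mallory", "x")` still returns the handler's "noSuchUser" text through `__cause__`, which is the "add the original exception" option Werner mentions, without that text ever reaching the SOAP fault.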
