Spring Web Services / SWS-549

integrate AbstractWsSecurityInterceptor with EndpointExceptionResolver

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.7
    • Fix Version/s: 1.5.8
    • Component/s: Security
    • Labels:
      None

      Description

      AbstractWsSecurityInterceptor is not currently integrated with Spring Web Services' EndpointExceptionResolver.

      If an exception occurs during validation, AbstractWsSecurityInterceptor's own handleValidationException generates a SoapFault on its own and populates the message with the input parameter ex's getMessage result.

      A common cause of this behavior would be integration with a ClientUserDetailsService; in this example the loadUserByUsername method throws a UsernameNotFoundException.

      This UsernameNotFoundException gets wrapped by a org.apache.ws.security.WSSecurityException (twice over), which in turn gets caught and turned into a org.springframework.ws.soap.security.wss4j.Wss4jSecurityValidationException, which is caught and passed into the handleValidationException method.

      It would be useful to let the developer customize the SoapFault when these validation exceptions occur.
      The obvious approach (to me at least) is to delegate to an EndpointExceptionResolver, particularly since this resolver is already likely being used within the Spring Web Services application.

      I have a proposed patch that adds an EndpointExceptionResolver as a private field (with a public setter) and a re-factored handleValidationException method that allows the endpointExceptionResolver to step in if present.

      This allows the developer to add their own custom message to the soap fault instead of (the current faultstring when these validation exceptions occur):

      The security token could not be authenticated or authorized; nested exception is:
      org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is:
      org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
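
An added example, not part of the issue or of the proposed patch: a resolver of the kind the description asks for, which replaces the nested faultstring above with one fixed message and keeps the exception chain in the server log. The class name `GenericSecurityFaultResolver` and the choice of fault text are assumptions; it would be handed to the interceptor through the setter the patch proposes.

```java
import java.util.Locale;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.EndpointExceptionResolver;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.security.WsSecurityValidationException;

// Added example; the class name and the choice of fault text are hypothetical.
public class GenericSecurityFaultResolver implements EndpointExceptionResolver {

    private static final Log logger = LogFactory.getLog(GenericSecurityFaultResolver.class);

    // One fixed message for every validation failure (unknown user, bad
    // password, bad signature), without the "nested exception is ..." tail.
    static final String FAULT_STRING =
            "The security token could not be authenticated or authorized";

    public boolean resolveException(MessageContext messageContext, Object endpoint, Exception ex) {
        if (!(ex instanceof WsSecurityValidationException)
                || !(messageContext.getResponse() instanceof SoapMessage)) {
            return false; // not handled here: leave it to other resolvers
        }
        // Full detail stays server-side, with the innermost cause named first.
        logger.warn("WS-Security validation failed, root cause: "
                + rootCause(ex).getClass().getName(), ex);

        // The client receives a Client/Sender fault carrying only FAULT_STRING.
        SoapMessage response = (SoapMessage) messageContext.getResponse();
        response.getSoapBody().addClientOrSenderFault(FAULT_STRING, Locale.ENGLISH);
        return true;
    }

    // Unwraps nested exceptions; the depth limit guards against cyclic chains.
    static Throwable rootCause(Throwable t) {
        Throwable current = t;
        for (int depth = 0; depth < 16 && current.getCause() != null
                && current.getCause() != current; depth++) {
            current = current.getCause();
        }
        return current;
    }
}
```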

        Activity

        Transition               Time In Source Status   Execution Times   Last Executer   Last Execution Date
        Open → In Progress       6d 14h 7m               1                 Arjen Poutsma   16/Aug/09 7:28 PM
        In Progress → Resolved   3m 27s                  1                 Arjen Poutsma   16/Aug/09 7:31 PM
        Resolved → Closed        991d 11h 31m            1                 Arjen Poutsma   04/May/12 7:03 AM

          People

          • Assignee: arjen.poutsma Arjen Poutsma
          • Reporter: nblair Nicholas Blair
          • Votes: 0
          • Watchers: 2

              Time Tracking

              Estimated: Not Specified
              Remaining: 0d
              Logged: 0.05h