[
https://issues.apache.org/activemq/browse/SMXCOMP-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe Luo updated SMXCOMP-703:
----------------------------
Description:
The ServiceMix CXF-BC component JbiJAASInterceptor calls authenticate()
function on JAASAuthenticationService to authenticate user:
{code}
for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
    WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
    if (er != null && er.getPrincipal() instanceof WSUsernameTokenPrincipal) {
        WSUsernameTokenPrincipal p =
            (WSUsernameTokenPrincipal)er.getPrincipal();
        subject.getPrincipals().add(p);
        this.authenticationService.authenticate(subject, domain, p.getName(),
            p.getPassword());
        authenticated = true;
    }
}
{code}
The function "authenticate(...)" might throw a FailedLoginException if a wrong
password is supplied. Because the CXF-BC uses an invocation handler to invoke
the method on a proxy instance, an UndeclaredThrowableException will be thrown
and wrapped with the FailedLoginException. Currently we do not catch the
UndeclaredThrowableException and it caused the message of real exception to be
lost. Instead, a very generic message such as
{code:xml}
<soap:Fault><faultcode>soap:Server</faultcode><faultstring>Fault occurred while processing.</faultstring></soap:Fault>
{code}
is always sent back. It is definitely not intuitive for the client side to
find out what could be wrong.
By catching the UndeclaredThrowableException and retrieving the wrapped
exception, we would get Soap Fault like:
{code:xml}
<soap:Fault><faultcode>soap:Server</faultcode><faultstring>Password does not match</faultstring></soap:Fault>
{code}
was:
The ServiceMix CXF-BC component JbiJAASInterceptor calls authenticate()
function on JAASAuthenticationService to authenticate user:
{code}
for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
    WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
    if (er != null && er.getPrincipal() instanceof WSUsernameTokenPrincipal) {
        WSUsernameTokenPrincipal p =
            (WSUsernameTokenPrincipal)er.getPrincipal();
        subject.getPrincipals().add(p);
        this.authenticationService.authenticate(subject, domain, p.getName(),
            p.getPassword());
        authenticated = true;
    }
}
{code}
The function "authenticate(...)" might throw a FailedLoginException if a wrong
password is supplied. Because the CXF-BC uses an invocation handler to invoke
the method on a proxy instance, an UndeclaredThrowableException will be thrown
instead and wrapped with the FailedLoginException. Currently we do not catch the
UndeclaredThrowableException and it caused the message of real exception to be
lost. Instead, a very generic message like "Fault occurred while processing."
is always thrown. It is definitely not intuitive for the client side to find
out what is wrong on server side.
> Servicemix CXF-BC component JbiJAASInterceptor should catch
> UndeclaredThrowableException
> ----------------------------------------------------------------------------------------
>
> Key: SMXCOMP-703
> URL: https://issues.apache.org/activemq/browse/SMXCOMP-703
> Project: ServiceMix Components
> Issue Type: Improvement
> Components: servicemix-cxf-bc
> Affects Versions: servicemix-cxf-bc-2009.02
> Reporter: Joe Luo
> Attachments: smx-cxf-bc-patch.patch
>
>
> The ServiceMix CXF-BC component JbiJAASInterceptor calls authenticate()
> function on JAASAuthenticationService to authenticate user:
> {code}
> for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
>     WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
>     if (er != null && er.getPrincipal() instanceof WSUsernameTokenPrincipal) {
>         WSUsernameTokenPrincipal p =
>             (WSUsernameTokenPrincipal)er.getPrincipal();
>         subject.getPrincipals().add(p);
>         this.authenticationService.authenticate(subject, domain, p.getName(),
>             p.getPassword());
>         authenticated = true;
>     }
> }
> {code}
> The function "authenticate(...)" might throw a FailedLoginException if a
> wrong password is supplied. Because the CXF-BC uses an invocation handler to
> invoke the method on a proxy instance, an UndeclaredThrowableException will
> be thrown and wrapped with the FailedLoginException. Currently we do not catch
> the UndeclaredThrowableException and it caused the message of real exception
> to be lost. Instead, a very generic message such as
> {code:xml}
> <soap:Fault><faultcode>soap:Server</faultcode><faultstring>Fault occurred while processing.</faultstring></soap:Fault>
> {code}
> is always sent back. It is definitely not intuitive for the client side to
> find out what could be wrong.
> By catching the UndeclaredThrowableException and retrieving the wrapped
> exception, we would get Soap Fault like:
> {code:xml}
> <soap:Fault><faultcode>soap:Server</faultcode><faultstring>Password does not match</faultstring></soap:Fault>
> {code}
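The wrapping and unwrapping described in the issue, as an added stand-alone example (not the attached patch and not ServiceMix code). `AuthService`, `HANDLER`, `newProxy` and the sample credential are hypothetical; the interface method is assumed to declare no checked exception, which is the condition under which a `java.lang.reflect.Proxy` wraps a handler's checked exception in `UndeclaredThrowableException`.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.lang.reflect.UndeclaredThrowableException;
import javax.security.auth.login.FailedLoginException;

public class UnwrapProxyFailure {
    // Hypothetical stand-in for the proxied service interface (assumption):
    // the method declares no checked exception.
    interface AuthService {
        void authenticate(String user, String password);
    }

    // Handler behind the proxy; "s3cret" is a constructed sample credential.
    static final InvocationHandler HANDLER = (proxy, method, args) -> {
        if (!"s3cret".equals(args[1])) {
            throw new FailedLoginException("Password does not match");
        }
        return null;
    };

    static AuthService newProxy() {
        return (AuthService) Proxy.newProxyInstance(
            AuthService.class.getClassLoader(),
            new Class<?>[] {AuthService.class}, HANDLER);
    }

    // Returns null on success, otherwise the message of the real failure.
    static String authenticate(AuthService svc, String user, String password) {
        try {
            svc.authenticate(user, password);
            return null;
        } catch (UndeclaredThrowableException e) {
            // The proxy wrapped a checked exception the interface does not declare.
            Throwable cause = e.getUndeclaredThrowable();
            if (cause instanceof FailedLoginException) {
                return cause.getMessage();
            }
            throw e; // not an authentication failure: leave it untouched
        }
    }

    public static void main(String[] args) {
        AuthService svc = newProxy();
        System.out.println(authenticate(svc, "alice", "s3cret"));
        System.out.println(authenticate(svc, "alice", "wrong"));
    }
}
```

Whether the unwrapped message goes into the fault string verbatim or only into the server log is a separate decision: a message that distinguishes a wrong password from an unknown user tells an unauthenticated caller which accounts exist.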