Two things:
1) Add the WSS4JOutInterceptor to the outfault chain as well to get the faults 
signed.

2) I just committed a change to the WSS4JInInterceptor to allow the 
on-the-wire fault to propagate if the security checks fail. Thus, the client would 
get the real fault message and not the security one.

Dan 


On Thursday 04 September 2008 3:23:39 pm Wu, Billy wrote:
> Hi,
>
>
>
> We are developing a web service using CXF 2.1.1, and we are
> encrypting/signing all the inbound/outbound messages using WSS4J.
> Everything works fine until there is an exception.  When an
> exception is thrown from a web service, it bypasses all the
> encryption/signing, and returns a SOAP fault back to the client in clear
> text.  Here is an example,
>
>
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
> <faultstring>VALD001E Missing required field [name].    VALD001E Missing required field [name].
> </faultstring>
> <detail><ns1:ValidationException xmlns:ns1="http://service.ws.sspgui.sterlingcommerce.com/"/></detail>
> </soap:Fault></soap:Body></soap:Envelope>
>
>
>
> However, since the client is expecting the message to be encrypted and
> signed, the client will get the following without the original SOAP
> fault message,
>
>
>
> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header
>
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:168)
>
>
>
> What we really want to do is for the client to catch the exception, so
> it can be handled appropriately.  Does anyone know a good solution to
> this issue?
>
>
>
> Thanks,
>
>
>
> Billy



-- 
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog
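
An added example, not part of the original message and not code from the CXF project: a server-side setup that follows point 1 by registering WSS4JOutInterceptor on the out-fault chain as well as the normal out chain. The service class, endpoint address, key aliases, properties file name and password callback class are placeholder assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.xml.ws.Endpoint;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public class SignedFaultServer {

    // Hypothetical service: a missing name raises an exception, which CXF turns into a SOAP fault.
    @WebService
    public static class DemoService {
        public String register(String name) {
            if (name == null || name.length() == 0) {
                throw new IllegalArgumentException("Missing required field [name].");
            }
            return "registered " + name;
        }
    }

    // WSS4J outbound settings. Aliases, file name and callback class are placeholders.
    static Map<String, Object> outProps() {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION,
              WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.USER, "server-key-alias");
        p.put(WSHandlerConstants.SIG_PROP_FILE, "server-crypto.properties");
        p.put(WSHandlerConstants.ENCRYPTION_USER, "client-cert-alias");
        p.put(WSHandlerConstants.ENC_PROP_FILE, "server-crypto.properties");
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, "example.KeystorePasswordCallback");
        return p;
    }

    public static void main(String[] args) {
        EndpointImpl jaxws = (EndpointImpl) Endpoint.publish(
                "http://localhost:9000/demo", new DemoService());
        org.apache.cxf.endpoint.Endpoint ep = jaxws.getServer().getEndpoint();

        // Normal responses: SAAJOutInterceptor supplies the SAAJ message WSS4J works on.
        ep.getOutInterceptors().add(new SAAJOutInterceptor());
        ep.getOutInterceptors().add(new WSS4JOutInterceptor(outProps()));

        // Faults travel a separate chain; without these two lines the fault leaves in clear text.
        ep.getOutFaultInterceptors().add(new SAAJOutInterceptor());
        ep.getOutFaultInterceptors().add(new WSS4JOutInterceptor(outProps()));
    }
}
```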
