Hi all,

I do some basic authorization checks within my JAX-WS implementation code and was wondering how to return a standard SOAP fault according to the WS-Security spec here: Web Services Security: SOAP Message Security Version 1.1.1 (oasis-open.org)<http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html#_Toc307407975>

If there is an authorization error, I should return the fault code wsse:FailedAuthentication. I followed the same approach as within the AbstractAuthorizingInInterceptor, which simply throws an AccessDeniedException: cxf/AbstractAuthorizingInInterceptor.java at master · apache/cxf · GitHub<https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java>

This results in the following soap fault, which looks like any other default soap fault:

    <soap:Body>
      <soap:Fault>
        <soap:Code>
          <soap:Value>soap:Receiver</soap:Value>
        </soap:Code>
        <soap:Reason>
          <soap:Text xml:lang="en">Unauthorized</soap:Text>
        </soap:Reason>
      </soap:Fault>
    </soap:Body>

I’ve found the QName definition in WSSecurityException, but I can’t easily throw a WSSecurityException because it’s not a RuntimeException. So, the only approach which worked is this:

    throw new SoapFault("Unauthorized",
        new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "FailedAuthentication"));

Then I get this soap fault back:

    <soap:Body>
      <soap:Fault>
        <soap:Code>
          <soap:Value>soap:Receiver</soap:Value>
          <soap:Subcode>
            <soap:Value xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedAuthentication</soap:Value>
          </soap:Subcode>
        </soap:Code>
        <soap:Reason>
          <soap:Text xml:lang="en">Unauthorized</soap:Text>
        </soap:Reason>
      </soap:Fault>
    </soap:Body>

Is there a reason why an AccessDeniedException doesn’t return a standard WS-Security SOAP Fault?

Thanks for your feedback.

Cheers
Oli
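The following is an added example, not part of the original post and not code from the Apache CXF project. It applies the workaround described above in one place, by subclassing CXF's SimpleAuthorizingInterceptor and translating its AccessDeniedException into a SoapFault carrying the FailedAuthentication QName. The class name WsseFaultAuthorizingInterceptor is hypothetical, and the namespace URI and reason text are the ones quoted in the post.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.message.Message;

/**
 * Hypothetical wrapper (name chosen for this example): runs the stock CXF
 * role check and, on denial, reports the WS-Security fault code instead of
 * the generic fault shown in the post.
 */
public class WsseFaultAuthorizingInterceptor extends SimpleAuthorizingInterceptor {

    // Namespace URI as quoted in the post (WS-Security secext 1.0).
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    private static final QName FAILED_AUTHENTICATION =
        new QName(WSSE_NS, "FailedAuthentication");

    @Override
    public void handleMessage(Message message) throws Fault {
        try {
            // Performs the configured role check and throws
            // AccessDeniedException when the caller is not authorized.
            super.handleMessage(message);
        } catch (AccessDeniedException ex) {
            // Same two-argument constructor as in the post. The reason text
            // stays generic so the fault does not reveal which check failed.
            throw new SoapFault("Unauthorized", FAILED_AUTHENTICATION);
        }
    }
}
```

With a SOAP 1.2 binding, the QName is emitted as the soap:Subcode under soap:Receiver, as in the second fault quoted in the post.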
