[ https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713945#action_12713945 ]
Colm O hEigeartaigh commented on WSS-195:
-----------------------------------------
Hi Aleksander,
Thanks for your patch. IMO adding such information to an exception is a
security hole, as you're potentially leaking sensitive information about the
keystore contents. How about we just log the information and throw the original
generic exception message?
Colm.
> More detailed exception thrown from CryptoBase.getPrivateKey()
> --------------------------------------------------------------
>
> Key: WSS-195
> URL: https://issues.apache.org/jira/browse/WSS-195
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Aleksander Adamowski
> Assignee: Ruchith Udayanga Fernando
> Attachments: wss4j-CryptoBase_better_exception.patch
>
>
> Having a problem with getting a key from one of the keystores used by a web
> service client, I've patched and built my own version of WSS4J that adds
> keystore-identifying information to the exception thrown from
> CryptoBase.getPrivateKey() instead of only the looked-up alias.
> This way, I was able to identify the particular keystore the application was
> looking for the key in.
> I'm attaching my patch.
> Note that similar improvements should probably be made to other methods in
> CryptoBase.
> The exceptions currently thrown by CryptoBase only specify the alias which
> was looked up in a keystore. They may not be sufficient in a complex
> setup with multiple keystores because they give no hint whatsoever about what
> kind of keystore, with what contents, the search was performed in.
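The approach suggested in the comment (log the keystore detail, throw the generic message), as an added sketch that is not part of the original message or of WSS4J. `KeyLookupExample`, `KeyLookupException` and the message wording are hypothetical; only standard `java.security` and `java.util.logging` calls are used.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical class for illustration; this is not WSS4J's CryptoBase.
public class KeyLookupExample {
    private static final Logger LOG = Logger.getLogger(KeyLookupExample.class.getName());

    // Hypothetical exception type; its message only echoes the alias the caller supplied.
    public static class KeyLookupException extends Exception {
        public KeyLookupException(String message) { super(message); }
    }

    public static PrivateKey getPrivateKey(KeyStore keystore, String alias, char[] password)
            throws KeyLookupException {
        try {
            Key key = keystore.getKey(alias, password);
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
            // Keystore-identifying detail goes to the operator's log, not to the caller.
            LOG.log(Level.WARNING,
                    "No private key for alias ''{0}''; keystore type={1}, provider={2}, aliases={3}",
                    new Object[] {alias, keystore.getType(), keystore.getProvider().getName(),
                                  Collections.list(keystore.aliases())});
        } catch (GeneralSecurityException e) {
            // The cause (wrong password, unloaded keystore, ...) is logged with its stack trace.
            LOG.log(Level.WARNING, "Key lookup failed for alias '" + alias + "'", e);
        }
        // The exception that may travel back to a remote peer stays generic.
        throw new KeyLookupException("The private key for the supplied alias does not exist: " + alias);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory keystore, so the lookup always fails.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try {
            getPrivateKey(empty, "client", "changeit".toCharArray());
        } catch (KeyLookupException e) {
            System.out.println("Caller sees: " + e.getMessage());
        }
    }
}
```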