[
https://issues.apache.org/jira/browse/WSS-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713953#action_12713953
]
Aleksander Adamowski commented on WSS-195:
------------------------------------------
Sounds reasonable.
IMHO, the whole idea that the server's exceptions or their fragments are sent
back to the client in a SOAP fault message is a security hole, but it's really
hard to filter them all out depending on what layer they originate from on the
server.
For example, in Spring-WS I'm using:
<bean id="exceptionResolver"
      class="pl.firstdata.keygun.server.webservice.logging.LoggingSoapFaultMappingExceptionResolver">
    <property name="defaultFault"
              value="SERVER,Error processing request. Contact the service administrator and report the exact date and time of failure." />
</bean>
This substitutes a generic error message when the application logic layer
throws an exception. However, WSS4J-originated exceptions are still sent out in
their full glory. I don't know how to filter these.
So it's a good idea to send the details to the logger only.
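The pattern described above (generic fault to the client, full details to the server log), written out as an added example. This is not the poster's LoggingSoapFaultMappingExceptionResolver and not Spring-WS or WSS4J code; it assumes Spring-WS 1.5.x on the classpath, and the package and class names are hypothetical. The fault reason comes from a constant, never from Exception.getMessage(), so keystore names, aliases or paths carried by an exception cannot reach the client.

```java
// Added example (not code from the WSS-195 thread, Spring-WS or WSS4J).
// Assumes Spring-WS 1.5.x; package and class names are hypothetical.
package example.ws.fault;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ws.soap.SoapFault;
import org.springframework.ws.soap.server.endpoint.SoapFaultDefinition;
import org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver;

/**
 * Resolves every unmapped endpoint exception to one fixed, generic SOAP fault and
 * records the real exception (class, message, stack trace) in the server log only.
 */
public class GenericFaultExceptionResolver extends SoapFaultMappingExceptionResolver {

    private static final Log log = LogFactory.getLog(GenericFaultExceptionResolver.class);

    /** Text the client sees; the same wording as the defaultFault value in the XML above. */
    static final String GENERIC_REASON = "Error processing request. "
            + "Contact the service administrator and report the exact date and time of failure.";

    public GenericFaultExceptionResolver() {
        SoapFaultDefinition generic = new SoapFaultDefinition();
        generic.setFaultCode(SoapFaultDefinition.SERVER);   // SOAP 1.1 Server / SOAP 1.2 Receiver
        generic.setFaultStringOrReason(GENERIC_REASON);
        setDefaultFault(generic);
        // Run before Spring-WS's built-in resolvers, which may echo exception text.
        setOrder(0);
    }

    /**
     * Called by the superclass after the fault has been created with the generic
     * reason. This hook logs the details server-side and deliberately copies
     * nothing from the exception into the fault or its detail element.
     */
    @Override
    protected void customizeFault(Object endpoint, Exception ex, SoapFault fault) {
        log.error("Request to endpoint " + endpoint + " failed; client received the generic fault ["
                + fault.getFaultStringOrReason() + "]", ex);
    }
}
```

Declare this class as the exceptionResolver bean in place of the one shown above. Exceptions raised by the Wss4jSecurityInterceptor are thrown before any endpoint is invoked, so they bypass endpoint exception resolvers unless the interceptor is told to delegate; where your Spring-WS version exposes an exceptionResolver property on the WS-Security interceptor (an assumption to verify against the version in use), pointing it at this same bean routes WSS4J-originated exceptions through the same generic fault.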
> More detailed exception thrown from CryptoBase.getPrivateKey()
> --------------------------------------------------------------
>
> Key: WSS-195
> URL: https://issues.apache.org/jira/browse/WSS-195
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Aleksander Adamowski
> Assignee: Ruchith Udayanga Fernando
> Attachments: wss4j-CryptoBase_better_exception.patch
>
>
> Having a problem with getting a key from one of the keystores used by a web
> service client, I've patched and built my own version of WSS4J that adds
> keystore-identifying information to the exception thrown from
> CryptoBase.getPrivateKey() instead of only the looked-up alias.
> This way, I was able to identify the particular keystore the application was
> looking for the key in.
> I'm attaching my patch.
> Note that similar improvements should probably be made to other methods in
> CryptoBase.
> The exceptions currently thrown by CryptoBase only specify the alias which
> was looked up in a keystore. They may not be sufficient in a complex set-up
> with multiple keystores because they give no hint whatsoever about what kind
> of keystore, with what contents, the search was performed in.
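An added example of the kind of diagnostic the issue asks for: a private-key lookup whose failure message names the keystore searched (a caller-supplied label plus type, provider and entry count), not only the alias. This is not the attached patch and not WSS4J's CryptoBase; it uses only the standard java.security.KeyStore API, and the class, method and label names are hypothetical. Messages this specific are meant for the server log; the SOAP fault sent to the client should still carry a generic reason.

```java
// Added example (not the WSS-195 patch and not WSS4J code); names are hypothetical.
package example.ws.crypto;

import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/** Private-key lookup whose failures identify the keystore searched, not only the alias. */
public final class KeyStoreDiagnostics {

    private KeyStoreDiagnostics() {}

    /**
     * Look up a private key by alias. Every failure path names the keystore
     * (label, type, provider, entry count) so a deployment with several keystores
     * can be diagnosed from the server log alone.
     */
    public static PrivateKey getPrivateKey(KeyStore keystore, String keystoreLabel,
                                           String alias, char[] password)
            throws GeneralSecurityException {
        String where = describe(keystore, keystoreLabel);
        if (!keystore.containsAlias(alias)) {
            throw new UnrecoverableKeyException("no entry with alias '" + alias + "' in " + where);
        }
        if (!keystore.isKeyEntry(alias)) {
            throw new UnrecoverableKeyException("alias '" + alias + "' in " + where
                    + " is a trusted-certificate entry, not a key entry");
        }
        Key key;
        try {
            key = keystore.getKey(alias, password);
        } catch (UnrecoverableKeyException e) {
            // Typically a wrong key password: keep the original cause, add the keystore identity.
            UnrecoverableKeyException wrapped = new UnrecoverableKeyException(
                    "cannot recover key for alias '" + alias + "' in " + where + " (check the key password)");
            wrapped.initCause(e);
            throw wrapped;
        }
        if (!(key instanceof PrivateKey)) {
            String found = (key == null) ? "no key" : key.getClass().getName();
            throw new UnrecoverableKeyException("alias '" + alias + "' in " + where
                    + " holds " + found + ", not a private key");
        }
        return (PrivateKey) key;
    }

    /** Human-readable identity of a keystore for log and exception messages. */
    static String describe(KeyStore keystore, String label) throws KeyStoreException {
        int entries = Collections.list(keystore.aliases()).size();
        return "keystore '" + label + "' (type " + keystore.getType()
                + ", provider " + keystore.getProvider().getName()
                + ", " + entries + " entries)";
    }

    /** Stand-alone demonstration against an empty in-memory keystore (constructed input). */
    public static void main(String[] args) throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try {
            getPrivateKey(empty, "client-signing.keystore", "signing", "changeit".toCharArray());
        } catch (GeneralSecurityException e) {
            // e.g. no entry with alias 'signing' in keystore 'client-signing.keystore' (type pkcs12, provider SUN, 0 entries)
            System.out.println(e.getMessage());
        }
    }
}
```

The label is whatever the caller knows the keystore by (the crypto properties file name, or the file path the Merlin implementation loaded), which is exactly the information the alias-only message lacks; log it together with the exception and keep it out of the fault returned to the client.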