integrate AbstractWsSecurityInterceptor with EndpointExceptionResolver [SWS-549] #673

@gregturn

Nicholas Blair opened SWS-549 and commented

AbstractWsSecurityInterceptor is not currently integrated with Spring Web Services' EndpointExceptionResolver.

If an exception occurs during validation, AbstractWsSecurityInterceptor's own handleValidationException generates a SoapFault on its own and populates the message with the input parameter ex's getMessage result.

A common cause of this behavior would be integration with a ClientUserDetailsService; in this example the loadUserByUsername method throws a UsernameNotFoundException.

This UsernameNotFoundException gets wrapped by a org.apache.ws.security.WSSecurityException (twice over), which in turn gets caught and turned into a org.springframework.ws.soap.security.wss4j.Wss4jSecurityValidationException, which is caught and passed into the handleValidationException method.

It would be useful to let the developer customize the SoapFault when these validation exceptions occur.
The obvious approach (to me at least :D) is to delegate to an EndpointExceptionResolver, particularly since this resolver is already likely being used within the Spring Web Services application.

I have a proposed patch that adds an EndpointExceptionResolver as a private field (with a public setter) and a re-factored handleValidationException method that allows the endpointExceptionResolver to step in if present.

This allows the developer to add their own custom message to the soap fault instead of (the current faultstring when these validation exceptions occur):

The security token could not be authenticated or authorized; nested exception is:
org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is:
org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized


Affects: 1.5.7

Attachments:
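
One way the delegation requested above could look, as an added example; it is not the patch attached to this issue and not Spring Web Services code. The class names `ResolvingWss4jSecurityInterceptor` and `FixedMessageResolver`, the setter name, and the fault text are hypothetical, and the sketch assumes the 1.5.x `handleValidationException(WsSecurityValidationException, MessageContext)` hook and the interceptor's protected `logger` field.

```java
import java.util.Locale;

import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.EndpointExceptionResolver;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.security.WsSecurityValidationException;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor;

/** Hypothetical subclass: lets an EndpointExceptionResolver build the fault for validation failures. */
public class ResolvingWss4jSecurityInterceptor extends Wss4jSecurityInterceptor {

    private EndpointExceptionResolver endpointExceptionResolver;

    public void setEndpointExceptionResolver(EndpointExceptionResolver resolver) {
        this.endpointExceptionResolver = resolver;
    }

    @Override
    protected boolean handleValidationException(WsSecurityValidationException ex,
                                                MessageContext messageContext) {
        if (endpointExceptionResolver != null) {
            // Keep the full nested message on the server side only.
            logger.warn("Could not validate request: " + ex.getMessage());
            // This hook is not given the endpoint, so null is passed to the resolver.
            if (endpointExceptionResolver.resolveException(messageContext, null, ex)) {
                return false; // fault written by the resolver; stop processing the request
            }
        }
        // No resolver configured, or it declined: fall back to the stock fault.
        return super.handleValidationException(ex, messageContext);
    }

    /** Hypothetical resolver: writes a fixed faultstring instead of ex.getMessage(). */
    public static class FixedMessageResolver implements EndpointExceptionResolver {

        public boolean resolveException(MessageContext messageContext, Object endpoint, Exception ex) {
            if (!(ex instanceof WsSecurityValidationException)
                    || !(messageContext.getResponse() instanceof SoapMessage)) {
                return false; // not a WS-Security validation failure on a SOAP exchange
            }
            SoapMessage response = (SoapMessage) messageContext.getResponse();
            // Same text for every validation failure, e.g. an unknown user.
            response.getSoapBody().addClientOrSenderFault("Authentication failed", Locale.ENGLISH);
            return true;
        }
    }
}
```

With a resolver set, the client receives only the fixed text, while the nested WSSecurityException message quoted in the issue goes to the server log.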
