My application is using Spring Security to validate incoming Endpoint calls. I am trying to give the client specific error codes when anything goes wrong within the XwsSecurityInterceptor but I haven't yet found a way to do this.
This is what I have tried: I am using an EndpointInterceptor that inherits from XwsSecurityInterceptor:
<bean name="myInterceptor" id="myInterceptor" class="x.y.MyPreAuthenticationSecurityInterceptor">
<property name="policyConfiguration" value="classpath:/security.xml" />
<property name="callbackHandlers">
<list>
<bean id="myCallbackHandler" class="x.y.MyCallbackHandler" />
</list>
</property>
</bean>
The interceptor has a CallbackHandler 'myCallbackHandler' that handles PasswordValidationCallbacks. For testing purposes for each callback it attaches a validator that will instantly throw a certain exception (CustomException) with a certain error code:
#Override
protected void handleInternal(Callback callback) throws IOException, UnsupportedCallbackException {
if (callback instanceof PasswordValidationCallback) {
PasswordValidationCallback validationCallback = (PasswordValidationCallback) callback;
if (validationCallback.getRequest() instanceof PasswordValidationCallback.PlainTextPasswordRequest) {
validationCallback.setValidator(new MyValidator());
return;
}
} else if (callback instanceof CleanupCallback) {
SecurityContextHolder.clearContext();
return;
}
throw new UnsupportedCallbackException(callback);
}
private class MyValidator implements PasswordValidationCallback.PasswordValidator {
public boolean validate(PasswordValidationCallback.Request request) throws PasswordValidationCallback.PasswordValidationException
{
throw new PasswordValidationCallback.PasswordValidationException("test", new CustomException("some error code"));
}
}
As specified in https://docs.spring.io/spring-ws/site/reference/html/security.html, section 7.2.5 the exception handling is done in the handleValidationException method.
In 'MyPreAuthenticationSecurityInterceptor' I am overriding the handleValidationException method:
#Override
public boolean handleValidationException(WsSecurityValidationException ex, MessageContext messageContext) {
if (logger.isWarnEnabled()) {
logger.warn("Could not validate request: " + ex.getMessage());
}
return false;
}
Problem is that when debugging I can't find my CustomException in WsSecurityValidationException. The root cause of is 'com.sun.xml.wss.XWSSecurityException: Invalid Username Password Pair'.
Am I going about this the wrong way?
Related
I have soap andpoint which should return response type A based on request type B. But during processing of request, i'm expecting errors (like unable to call downastream service) which throw cutom exception for example type ExpEx. And now i wat to do custom error mapping, because in case of errors I don't want to return type A but want to return type CFault (which is defined in wsd also).
Now question:
- is is possible to create custom eero handle which rturn CFault instead A
- or is it possible to make enpoint allow to return two types of response A and CFault (I think Object) ?
my enpoint:
public class FantasticEndpoint extend WebServiceEndpoint {
private static final String NAMESPACE = "http://www.fantastic.com/SOA/tmp/FantasticService/v_2_4";
#PayloadRoot(namespace = NAMESPACE, localPart = "handleBOperation")
#ResponsePayload
public A createConsumers(#RequestPayload B b{
//do some dangerous logic possility throw EXCEPTION
// if EXCEPTION return CFault or return A if normal processing
}
}
First of all, take a look on that: https://docs.spring.io/spring-ws/sites/2.0/reference/html/server.html#server-endpoint-exception-resolver
I am going to highlight some of that:
According to documentation, you can create your own exception class to indicate the SOAP Fault that should be returned whenever that exception is thrown. Just annotate class with #SoapFault annotation.
import org.springframework.ws.soap.server.endpoint.annotation.FaultCode;
import org.springframework.ws.soap.server.endpoint.annotation.SoapFault;
#SoapFault(faultCode = FaultCode.SERVER)
public class MyCustomException extends Exception {
public MyClientException(String message) {
super(message);
}
}
If this doesn't suit you, you can mess with SoapFaultAnnotationExceptionResolver (https://docs.spring.io/spring-ws/site/apidocs/org/springframework/ws/soap/server/endpoint/SoapFaultAnnotationExceptionResolver.html). This resolver lets you map exception classes to SOAP Fault:
<beans>
<bean id="exceptionResolver" class="org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver">
<property name="defaultFault" value="SERVER"/>
<property name="exceptionMappings">
<value>
org.springframework.oxm.ValidationFailureException=CLIENT,Invalid request
</value>
</property>
</bean>
You can use this to add SoapFaultDetail:
public class MySoapFaultDefinitionExceptionResolver extends SoapFaultMappingExceptionResolver {
private static final QName CODE = new QName("code");
private static final QName DESCRIPTION = new QName("description");
#Override
protected void customizeFault(Object endpoint, Exception ex, SoapFault fault) {
if (ex instanceof MyCustomException) {
SoapFaultDetail detail = fault.addFaultDetail();
detail.addFaultDetailElement(CODE).addText("SOMECODE");
detail.addFaultDetailElement(DESCRIPTION).addText(ex.getMessage());
}
}
I have once used EndpointInterceptor to mess with SOAPHeader. Perhaps you can use it to do the work with SOAPFault (https://docs.spring.io/spring-ws/site/apidocs/org/springframework/ws/server/EndpointInterceptor.html).
You can extract SOAPFault from MessageContext like this:
#Override
public boolean handleFault(MessageContext messageContext, Object o) throws Exception {
SaajSoapMessage soapResponse = (SaajSoapMessage) messageContext.getResponse();
SOAPMessage soapMessage = soapResponse.getSaajMessage();
SOAPBody body = soapMessage.getSOAPBody();
SOAPFault fault = body.getFault();
//do something with fault here
return true
}
You can read about SOAPFault interface here https://docs.spring.io/spring-ws/site/apidocs/org/springframework/ws/soap/SoapFault.html
Before the result is sent, we want to add common fields (timestamp, version etc) in JSON response. We don't want to do this in every Controller. Is there any elegant way to do this in spring mvc?
Another similar question is if the parameter validation is failed, how to return the same JSON response.
Yes there is. You can use Spring AOP. You can intercept every service you write and add parameters from one place. For example, using Spring Around Advice. Note you need to write yourself addParameters function that return JsonNode. Good luck!
public class DoAroundMethod implements MethodInterceptor {
private static final Logger LOG = LoggerFactory.getLogger(DoAroundMethod.class);
#Autowired
ObjectMapper mapper;
public Object invoke(MethodInvocation methodInvocation) throws Throwable {
LOG.debug("****SPRING AOP**** DoAroundMethod: Method name : "
+ methodInvocation.getMethod().getName());
LOG.debug("****SPRING AOP**** DoAroundMethod: Method name : "
+ methodInvocation.getMethod().getName());
LOG.debug("****SPRING AOP**** DoAroundMethod: Method arguments : "
+ Arrays.toString(methodInvocation.getArguments()));
// same with MethodBeforeAdvice
LOG.debug("****SPRING AOP**** DoAroundMethod: Before method executing!");
try {
// proceed to original method call
Object result = methodInvocation.proceed();
// same with AfterReturningAdvice
if(result!=null){
//LOG.debug("Return value "+result.toString());
try{
JsonNode jN = mapper.readTree(result.toString());
result=addParameters(jN);
}catch(JsonParseException e){
LOG.debug("****SPRING AOP**** DoAroundMethod: When JsonParse throws Exception!");
return result;
}
}
LOG.debug("****SPRING AOP**** DoAroundMethod: After method executing!");
return result;
} catch (IllegalArgumentException e) {
// same with ThrowsAdvice
LOG.debug("****SPRING AOP**** DoAroundMethod: When method throws Exception!");
throw e;
}
}
Then to assign this Advice to all services you have, assuming they all end in *Service.java
<bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="beanNames">
<list>
<value>*Service</value>
</list>
</property>
<property name="interceptorNames">
<list>
<value>regexAdvisor</value>
</list>
</property>
</bean>
Maybe a custom Jackson plugin, or a ResponseBodyAdvice? (see this blog post for more details).
I have written a web service client (using Java Spring and JAXB Marshaller) that works with a 3rd party web service. When I send a valid request everything works well. When I send an invalid request then the web service server responds with a SOAP Fault. The client application just fails with a UnmarshallingFailureException
org.springframework.oxm.UnmarshallingFailureException: JAXB unmarshalling
exception; nested exception is javax.xml.bind.UnmarshalException:
unexpected element (uri:"http://schemas.xmlsoap.org/soap/envelope/", local:"Fault").
Appears to me that my ws client isn't able to decipher the SOAP fault returned by the web service. I wrote a custom FaultMessageResolver, but it doesn't get invoked (I set a breakpoint there but it doesn't hit. The FaultMessageResolver just worked fine before I added the Wss4jSecurityInterceptor for signature, encryption/decryption stuff). Here's the code:
public class VehicleServiceClientExceptionResolver implements FaultMessageResolver {
#Override
public void resolveFault(WebServiceMessage message) throws IOException {
SoapMessage soapMessage = (SoapMessage) message;
try {
JAXBContext context = JAXBContext.newInstance(ErrorMessages.class);
Unmarshaller unMarshaller = context.createUnmarshaller();
ErrorMessages errorMessages = (ErrorMessages)unMarshaller.unmarshal(soapMessage.getSoapBody().getFault().getFaultDetail().getDetailEntries().next().getSource());
if (errorMessages.getErrorMessage().size() > 0) {
throw new VehicleServiceClientException(errorMessages);
}
} catch (JAXBException e) {
LOGGER.debug(e.getMessage());
}
}
}
And this custom soap fault resolver is injected into client side web service template like below:
<bean id="vehicleQuotationWebServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
<constructor-arg ref="messageFactory"/>
<property name="interceptors">
<list>
<ref bean="wsSecurityInterceptor"/>
</list>
</property>
<property name="marshaller" ref="vehicleQuotationMarshaller" />
<property name="unmarshaller" ref="vehicleQuotationMarshaller" />
<property name="messageSender" ref="urlMessageSender"/>
<property name="faultMessageResolver" ref="vehicleServiceClientFaultMessageResolver" />
<property name="defaultUri" value="https://*********/*********Service"/>
</bean>
The most weird thing is although I got that unmarshall exception, I did see the encrypted server response was decrypted in my eclipse console when I change the log level from INFO to DEBUG, I am not sure where this DigesterOutputStream comes from, but I think it might be the key to solve this.
Anyone got any idea? Thanks!
DEBUG p.xml.dsig.internal.DigesterOutputStream:
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-af090516-9e00-4590-b481-c78e59d6b2fc"><soapenv:Fault><faultcode>soapenv:Client.Validation</faultcode><faultstring</faultstring><detail><em:ErrorMessages xmlns:em="urn:ford/errormessage/v1.0"><em:ErrorMessage><em:ErrorCode>GLSE903100</em:ErrorCode><em:ErrorDescription> CTT System Quote Id already exists ('1041')</em:ErrorDescription><em:ErrorTime>2014-05-16T15:13:20</em:ErrorTime></em:ErrorMessage></em:ErrorMessages></detail></soapenv:Fault></soapenv:Body>
I found the solution here: Adding a WebServiceMessageExtractor<Object> to:
WebServiceTemplate.sendAndReceive(
new WebServiceMessageCallback(),
new WebServiceMessageExtractor<Object>())
does the trick.
Another solution:
public class ExampleInterceptor implements ClientInterceptor {
public boolean handleResponse(MessageContext messageContext) throws WebServiceClientException {
var resp = (SoapMessage) messageContext.getResponse();
Optional.of(resp)
.filter(res -> !hasFault(res))
.orElseThrow(() -> new SoapFaultClientException(resp));
return true;
}
private boolean hasFault(final WebServiceMessage response) {
return Optional.ofNullable(response)
.filter(resp -> resp instanceof FaultAwareWebServiceMessage)
.map(resp -> (FaultAwareWebServiceMessage) resp)
.map(FaultAwareWebServiceMessage::hasFault)
.orElse(false);
}
}
#Configuration
public class ExampleConnectorConfig extends WSConnectorConfig
#Bean
public WSConnector soapConnector(Jaxb2Marshaller marshaller) {
var client = new WSConnector(messageFactory());
client.setInterceptors(new ClientInterceptor[]{new ExampleInterceptor()});
client.setDefaultUri(proxy);
return client;
}
//Example
#Bean
public SaajSoapMessageFactory messageFactory() {
SaajSoapMessageFactory messageFactory = new SaajSoapMessageFactory();
messageFactory.afterPropertiesSet();
return messageFactory;
}
}
I am using Spring MVC framework for my project.
I am unable to get my code running from controller to view.
Sharing the important chunk of code here.....
Inside AdminController.java controller
System.out.println("controller returning");
return new ModelAndView("dataFrame_","frameData",dataString);
Inside dispatcher-servlet.xml
<bean name="/dataFrame.htm"
class="com.organization.dept.spec.proj.module.controller.DataFrameController" >
</bean>
<bean id="dataFrameViewResolver"
class="com.organization.dept.spec.proj.module.view.DataFrameViewResolver">
<property name="dataFrameView">
<bean class="com.organization.dept.spec.proj.module.view.DataFrameView" />
</property>
<property name="dataFramePrefix" value="dataFrame_"></property>
</bean>
inside DataFrameViewResolver.java
public class DataFrameViewResolver extends AbstractCachingViewResolver {
private String dataFramePrefix;
private View dataFrameView;
#Override
protected View loadView (String viewName, Locale locale) throws Exception {
View view = null;
if(viewName.startsWith(this.dataFramePrefix)){
view = dataFrameView;
}
return view;
}
and
public String getDataFramePrefix() {
return dataFramePrefix;
}
public void setDataFramePrefix(String dataFramePrefix) {
this.dataFramePrefix = dataFramePrefix;
}
public View getDataFrameView() {
return dataFrameView;
}
public void setDataFrameView(View dataFrameView) {
this.dataFrameView = dataFrameView;
}
}
inside DataFrameView.java ...
public class DataFrameView extends AbstractView {
#Override
protected void renderMergedOutputModel(Map map, HttpServletRequest request,HttpServletResponse response) throws Exception {
System.out.println("RenderMergeoutputModel"); //line 99
I was unable to get the above system.out.println i.e. was unable to execute my code till that line 99.
The localhost log files of tomcat revealed some exception java.lang.ClassNotFoundException: javax.servlet.jsp.jstl.core.Config
I put the jstl-1.2.jar in lib and this could just get me rid of exception however still was unable get sysout of DataFrameView of line 99.
I'm trying to create a multiaction web controller using Spring annotations. This controller will be responsible for adding and removing user profiles and preparing reference data for the jsp page.
#Controller
public class ManageProfilesController {
#InitBinder
public void initBinder(WebDataBinder binder) {
binder.registerCustomEditor(UserAccount.class,"account", new UserAccountPropertyEditor(userManager));
binder.registerCustomEditor(Profile.class, "profile", new ProfilePropertyEditor(profileManager));
logger.info("Editors registered");
}
#RequestMapping("remove")
public void up( #RequestParam("account") UserAccount account,
#RequestParam("profile") Profile profile) {
...
}
#RequestMapping("")
public ModelAndView defaultView(#RequestParam("account") UserAccount account) {
logger.info("Default view handling");
ModelAndView mav = new ModelAndView();
logger.info(account.getLogin());
mav.addObject("account", account);
mav.addObject("profiles", profileManager.getProfiles());
mav.setViewName(view);
return mav;
}
...
}
Here is the part of my webContext.xml file:
<context:component-scan base-package="ru.mirea.rea.webapp.controllers" />
<context:annotation-config/>
<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<value>
...
/home/users/manageProfiles=users.manageProfilesController
</value>
</property>
</bean>
<bean id="users.manageProfilesController" class="ru.mirea.rea.webapp.controllers.users.ManageProfilesController">
<property name="view" value="home\users\manageProfiles"/>
</bean>
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
However, when i open the mapped url, i get exception:
java.lang.IllegalArgumentException: Cannot convert value of type [java.lang.String] to required type [ru.mirea.rea.model.UserAccount]: no matching editors or conversion strategy found
I use spring 2.5.6 and plan to move to the Spring 3.0 in some not very distant future. However, according to this JIRA https://jira.springsource.org/browse/SPR-4182 it should be possible already in spring 2.5.1.
The debug shows that the InitBinder method is correctly called.
What am i doing wrong?
Update:
public class UserAccountPropertyEditor extends PropertyEditorSupport {
static Logger logger = Logger.getLogger(UserAccountPropertyEditor.class);
public UserAccountPropertyEditor(IUserDAO dbUserManager) {
this.dbUserManager = dbUserManager;
}
private IUserDAO dbUserManager;
public String getAsText() {
UserAccount obj = (UserAccount) getValue();
if (null==obj) {
return "";
} else {
return obj.getId().toString();
}
}
public void setAsText(final String value) {
try {
Long id = Long.parseLong(value);
UserAccount acct = dbUserManager.getUserAccountById(id);
if (null!=acct) {
super.setValue(acct);
} else {
logger.error("Binding error. Cannot find userAccount with id ["+value+"]");
throw new IllegalArgumentException("Binding error. Cannot find userAccount with id ["+value+"]");
}
} catch (NumberFormatException e) {
logger.error("Binding error. Invalid id: " + value);
throw new IllegalArgumentException("Binding error. Invalid id: " + value);
}
}
}
There are no errors logged from UserAccountPropertyEditor.
I don't think you want to be specifying the field argument to WebDataBinder.registerCustomEditor(). This intended to work alongside form-backing objects, and you're not using that.
Try the simpler 2-arg method instead, and it should work:
binder.registerCustomEditor(UserAccount.class, new UserAccountPropertyEditor(userManager));
binder.registerCustomEditor(Profile.class, new ProfilePropertyEditor(profileManager));