
Eating the exception in case of error while processSAMLToken [SWS-1080]

Open gregturn opened this issue 6 years ago • 0 comments

muralidev81 opened SWS-1080 and commented

https://mvnrepository.com/artifact/com.sun.xml.xws/xws-security/3.0

 

We observed that exceptions around processSAMLToken are eaten inside and not thrown to the caller. Due to this, a failed authentication is also treated as a successful authentication and gets access to the underlying service resource.

 

Expected: Let the exception be thrown to the caller and let it handle accordingly.

Don't wrap it with try-catch. It's just similar to how other tokens are being processed.

 

More details are as follows:

jar: xws-security-3.0.jar

Package: com.sun.xml.wss.impl.

Class: HarnessUtil

Method: processWSSPolicy(final FilterProcessingContext fpContext).

 

try {
    if (samlPolicy.getAssertionType() ==
            AuthenticationTokenPolicy.SAMLAssertionBinding.SV_ASSERTION) {
        AuthenticationTokenFilter.processSamlToken(fpContext);
    }
} catch (Exception ex) {
    // ignore it
}


Affects: 3.0.0.RELEASE

gregturn, Dec 17 '19 11:12
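
The fail-open pattern reported above, next to the propagate-to-caller form the report asks for, as an added example that is not part of the original issue and is not xws-security or Spring-WS code. Every class and method name in it is a hypothetical stand-in, and the sample assertions are constructed.

```java
// Added illustration; all names are hypothetical, none is xws-security API.
public class FailOpenDemo {
    /** Stand-in for the failure raised when a SAML assertion does not validate. */
    static class TokenValidationException extends Exception {
        TokenValidationException(String msg) { super(msg); }
    }

    /** Stand-in for the SAML check: accepts only assertions marked as signed. */
    static void processSamlToken(String assertion) throws TokenValidationException {
        if (assertion == null || !assertion.startsWith("signed:")) {
            throw new TokenValidationException("SAML assertion rejected");
        }
    }

    /** Pattern from the report: the failure is swallowed and processing carries on. */
    static boolean failOpen(String assertion) {
        try {
            processSamlToken(assertion);
        } catch (Exception ex) {
            // ignore it
        }
        return true; // reached for valid and invalid assertions alike
    }

    /** Requested behaviour: no try-catch, so the caller sees the failure. */
    static boolean failClosed(String assertion) throws TokenValidationException {
        processSamlToken(assertion);
        return true; // reached only when validation succeeded
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid, one invalid, one missing.
        for (String a : new String[] {"signed:alice", "forged:mallory", null}) {
            boolean open = failOpen(a);
            boolean closed;
            try {
                closed = failClosed(a);
            } catch (TokenValidationException e) {
                closed = false; // the caller decides, and here it denies access
            }
            System.out.printf("%-16s failOpen=%b failClosed=%b%n", a, open, closed);
        }
    }
}
```

Only the first input is granted access by `failClosed`, while `failOpen` grants all three; a regression test for this class of bug should therefore feed the processing path an invalid token and assert that the request is rejected.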