exception thrown by Wss4jSecurityInterceptor not handled by exceptionResolver?

[nblair]

I have a working web services endpoint using Spring 2.5.6, spring-ws 1.5.5, and spring-security 2.0.4.

We're requiring WS-Security on all methods, so we have a Wss4jSecurityInterceptor bean in our applicationContext. That bean references a SpringPlainTextPasswordValidationCallbackHandler instance, which in turn is linked to a DaoAuthenticationProvider containing our UserDetailsService implementation.

The UserDetailsService implementation is backed by a database. I'd like to handle the situation where the database is down for maintenance by mapping Spring's CannotGetJdbcConnectionException to a "SERVER" SOAP fault. I assumed that I just had to add the line to the exceptionMappings property of my SoapFaultMappingExceptionResolver; however it appears that isn't the case.

Even with the right line in my exceptionMappings property, my soap client gets a SOAP fault, but the message is not my own:
The security token could not be authenticated or authorized; nested exception is org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized

The type of that fault is also a CLIENT fault (I want it to be SERVER - it's not an authentication failure, the database just isn't available).

here is the relevant section of the logs from the endpoint:

Code:

2008-11-20 13:36:28,055 DEBUG org.springframework.ws.soap.security.wss4j.callback.SpringPlainTextPasswordValidationCallbackHandler - Authentication request for user 'fake' failed: org.springframework.security.AuthenticationServiceException: Could not get JDBC Connection; nested exception is org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
); nested exception is org.springframework.jdbc.CannotGetJdbcConnectionException: Could not get JDBC Connection; nested exception is org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (ORA-01017: invalid username/password; logon denied
)
2008-11-20 13:36:28,062 WARN org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor - Could not validate request: The security token could not be authenticated or authorized; nested exception is org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized

It seems as if exceptions thrown by the Wss4jSecurityInterceptor aren't resolved by the exceptionResolver (setting a breakpoint within the resolver shows it never gets called) - is this expected behavior?

[nblair]

Here's relevant sections of my configuration:

Code:

<bean id="securityInterceptor"
		class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
		<property name="validationActions" value="UsernameToken" />
		<property name="validationCallbackHandler" ref="springSecurityHandler" />
		<property name="secureResponse" value="false" />
		<property name="validateRequest" value="true" />
	</bean>
	<bean id="springSecurityHandler"
		class="org.springframework.ws.soap.security.wss4j.callback.SpringPlainTextPasswordValidationCallbackHandler">
		<property name="authenticationManager" ref="authenticationManager" />
	</bean>
	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
		<property name="providers">
			<bean
				class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
				<property name="userDetailsService" ref="userDetailsService" />
                        </bean>
		</property>
	</bean>

...

<bean id="annotationMapping"
		class="org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping">
		<property name="defaultEndpoint" ref="courseRosterEndpoint" />
		<property name="interceptors">
			<list>
				<ref bean="securityInterceptor" />
			</list>
		</property>
	</bean>
<bean id="exceptionResolver"
		class="org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver">
		<property name="defaultFault" value="SERVER" />
		<property name="exceptionMappings">
			<value>
			org.springframework.oxm.ValidationFailureException=CLIENT,Invalid request
			org.springframework.security.AuthenticationServiceException=SERVER,Service temporarily unavailable
			org.springframework.security.BadCredentialsException=CLIENT,Authentication failed
			org.springframework.dao.DataAccessException=SERVER,Service temporarily unavailable
			org.springframework.jdbc.CannotGetJdbcConnectionException=SERVER,Service temporarily unavailable
			java.lang.IllegalArgumentException=CLIENT,One or more of your arguments is invalid
			service.PersonNotFoundException=CLIENT,Person not found
			service.CourseSectionNotFoundException=CLIENT,Course Section either doesn't exist or is not within account scope
			security.AuthorizationFailureException=CLIENT,Your account is not authorized to request this method
			java.lang.Exception=SERVER,A server error occurred
			</value>
		</property>
	</bean>

[mmuzamil]

Hi nblair,

Were u able to specify ur own message in this scenario? if yes then can you please share your findings/solution to solve this issue, as i also want to do similar kind of thing.

Thanks,
Muein