axis-java-dev mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Rampart: sp:HashPassword does not require receiving a hashed password
Date Tue, 05 Mar 2013 11:34:15 GMT
Nate
 
You have 2 cases to test
Digest-Hash
ClearText

so the statement
             if(ut.isHashPassword() && !wssUt.isHashed()) {
                 throw new RampartException("invalidUsernameTokenType");
-                } else if (wssUt.getPassword() == null ||
- !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT)) {
+                } else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
+                        !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
                 throw new RampartException("invalidUsernameTokenType");
                 }
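Review bot: the new `else if` still dereferences `wssUt.getPasswordType()` with `.equals(...)`, so if that accessor can return null for a token whose `wsse:Password` carries no `Type` attribute, the branch raises a NullPointerException instead of the intended `RampartException`; reversing the comparison to `!WSConstants.PASSWORD_TEXT.equals(wssUt.getPasswordType())` keeps the same semantics and is null-safe. The added `!ut.isHashPassword() &&` guard itself is right: it confines the plain-text requirement to policies without sp:HashPassword, so a PasswordDigest token is no longer rejected when the policy asked for one.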
would be more easily written as 

if (ut.isHashPassword()) {
    // Policy carries sp:HashPassword: the received token must be a PasswordDigest
    log.debug("HashPassword Digest Branch taken");
    if (!wssUt.isHashed()) {
        throw new RampartException("invalidUsernameTokenType");
    }
} else {
    // Policy does not ask for a digest: the received token must carry a password
    log.debug("ClearTextPasswordBranch taken");
    if (wssUt.getPassword() == null) {
        throw new RampartException("invalidUsernameTokenType");
    }
}
 
 Martin
 _____________________________ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised distribution or copying of it is prohibited. This message is for information only and will not have any legally binding effect. Given that e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.

From: nathan.a.clement@hotmail.com
To: java-dev@axis.apache.org
Subject: RE: Rampart: sp:HashPassword does not require receiving a hashed password
Date: Tue, 5 Mar 2013 16:59:54 +1100

Hi,

I've recorded this as https://issues.apache.org/jira/browse/RAMPART-400 (patch included)

Regards,

Nathan

> Date: Mon, 4 Mar 2013 09:43:26 -0500
> Subject: Re: Rampart: sp:HashPassword does not require receiving a hashed password
> From: ruchith.fernando@gmail.com
> To: java-dev@axis.apache.org
> 
> Hi Nathan,
> 
> On Mon, Mar 4, 2013 at 1:48 AM, Nathan Clement
> <nathan.a.clement@hotmail.com> wrote:
> > Hi Ruchith,
> >
> > Thanks for your quick response. I was halfway through writing my own patch
> > to 1.6.2 in that exact area of the code :) I have instead applied your
> > changesets to my working copy of the Rampart source. However, I'm having a
> > problem with the following code:
> >
> > } else if (wssUt.getPassword() == null ||
> > !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT)) {
> > throw new RampartException("invalidUsernameTokenType");
> >
> > When a PasswordDigest is used, wssUt.getPassword() returns the hashed
> > password value, and so this exception is thrown, even though the request is
> > valid according to the policy. Am I missing something here, or should this
> > if statement be something like:
> >
> > } else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
> > !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
> > throw new RampartException("invalidUsernameTokenType");
> >
> > Happy to raise a bug and provide a patch if you concur.
> 
> Yes. Please raise a bug and attach a patch.
> This condition is intended to cover the case when policy requires a
> UsernameToken with a plain text password.
> Therefore it needs the additional check to avoid breaking the digest case.
> 
> Thanks,
> Ruchith
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
> For additional commands, e-mail: java-dev-help@axis.apache.org
> 
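The policy/token combinations discussed in this thread, worked through as an added example that is not Rampart's or WSS4J's code: `PolicyToken` and `ReceivedToken` are hypothetical stand-ins for the `ut` policy assertion and the received `wssUt` token, modelling only the accessors the thread uses, and the two `rejected*` methods reproduce the condition before and after the RAMPART-400 change. One deliberate deviation from the patch text: the type comparison is written as `PASSWORD_TEXT.equals(...)` so a missing `Type` attribute cannot raise a NullPointerException.

```java
// Added example, not Rampart or WSS4J code. PolicyToken / ReceivedToken are
// hypothetical stand-ins for Rampart's UsernameToken policy assertion (ut)
// and WSS4J's parsed UsernameToken (wssUt).
public class UsernameTokenCheckDemo {

    // Password type URIs from the WSS UsernameToken Profile 1.0
    // (WSS4J exposes them as WSConstants.PASSWORD_TEXT / PASSWORD_DIGEST).
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String PASSWORD_DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    /** Stand-in for the sp:UsernameToken policy assertion (ut). */
    static final class PolicyToken {
        private final boolean hashPassword; // true when the policy carries sp:HashPassword
        PolicyToken(boolean hashPassword) { this.hashPassword = hashPassword; }
        boolean isHashPassword() { return hashPassword; }
    }

    /** Stand-in for the UsernameToken received in the message (wssUt). */
    static final class ReceivedToken {
        private final String password;     // null when no wsse:Password element was sent
        private final String passwordType; // Type attribute of wsse:Password, may be null
        ReceivedToken(String password, String passwordType) {
            this.password = password;
            this.passwordType = passwordType;
        }
        String getPassword() { return password; }
        String getPasswordType() { return passwordType; }
        boolean isHashed() { return PASSWORD_DIGEST.equals(passwordType); }
    }

    /** Condition before the patch: every token that is not PasswordText is rejected,
     *  including a digest token that the policy explicitly asked for. */
    static boolean rejectedBefore(PolicyToken ut, ReceivedToken wssUt) {
        if (ut.isHashPassword() && !wssUt.isHashed()) {
            return true;
        } else if (wssUt.getPassword() == null
                   || !PASSWORD_TEXT.equals(wssUt.getPasswordType())) {
            return true;
        }
        return false;
    }

    /** Condition after the patch: the plain-text requirement only applies when
     *  the policy does not carry sp:HashPassword. */
    static boolean rejectedAfter(PolicyToken ut, ReceivedToken wssUt) {
        if (ut.isHashPassword() && !wssUt.isHashed()) {
            return true;
        } else if (!ut.isHashPassword() && (wssUt.getPassword() == null
                   || !PASSWORD_TEXT.equals(wssUt.getPasswordType()))) {
            return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample tokens; the digest value is a placeholder, not a real hash.
        ReceivedToken[] tokens = {
            new ReceivedToken("BASE64-DIGEST-PLACEHOLDER", PASSWORD_DIGEST),
            new ReceivedToken("secret", PASSWORD_TEXT),
            new ReceivedToken("secret", null),   // wsse:Password without a Type attribute
            new ReceivedToken(null, null)        // no wsse:Password element at all
        };
        String[] names = { "PasswordDigest", "PasswordText", "untyped password", "no password" };
        PolicyToken[] policies = { new PolicyToken(true), new PolicyToken(false) };

        // Print the full decision table for both versions of the check.
        for (PolicyToken ut : policies) {
            for (int i = 0; i < tokens.length; i++) {
                System.out.printf("sp:HashPassword=%-5s token=%-17s before=%-8s after=%s%n",
                    ut.isHashPassword(), names[i],
                    rejectedBefore(ut, tokens[i]) ? "rejected" : "accepted",
                    rejectedAfter(ut, tokens[i]) ? "rejected" : "accepted");
            }
        }
    }
}
```

Run it with `javac UsernameTokenCheckDemo.java && java UsernameTokenCheckDemo`; the row for a PasswordDigest token under a policy with sp:HashPassword is the one the thread is about, rejected by the old condition and accepted by the patched one, while a PasswordDigest token under a policy without sp:HashPassword remains rejected, which is the plain-text policy case Ruchith describes.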