cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: [CXF-6222] - Password can end up in log file
Date Tue, 27 Jan 2015 15:04:13 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 168e1884d -> 2bab1a639


[CXF-6222] - Password can end up in log file


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2bab1a63
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2bab1a63
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2bab1a63

Branch: refs/heads/3.0.x-fixes
Commit: 2bab1a639859be0a5b9c3a6b5a590f277404762b
Parents: 168e188
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Jan 27 14:56:42 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Jan 27 14:59:00 2015 +0000

----------------------------------------------------------------------
 .../trust/AuthPolicyValidatingInterceptor.java  |  4 +--
 .../cxf/ws/security/trust/Messages.properties   |  2 +-
 .../AuthPolicyValidatingInterceptorTest.java    | 36 ++++++++++++++++++++
 3 files changed, 38 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
index 4bdccc1..5ea8ec8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
@@ -67,15 +67,13 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me
         AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
         if (policy == null || policy.getUserName() == null || policy.getPassword() == null)
{
             String name = null;
-            String password = null;
             if (policy != null) {
                 name = policy.getUserName();
-                password = policy.getPassword();
             }
             org.apache.cxf.common.i18n.Message errorMsg = 
                 new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", 
                                                        BUNDLE, 
-                                                       name, password);
+                                                       name);
             LOG.warning(errorMsg.toString());
             throw new SecurityException(errorMsg.toString());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
index 570dacd..3bf9456 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
@@ -24,7 +24,7 @@ NO_ENTROPY=Could not find Entropy in RequestSecurityTokenResponse
 DERIVED_KEY_ERROR=Exception while trying to create secret key from RequestSecurityTokenResponse
 ENCRYPTED_KEY_ERROR=Exception while trying to decrypt key from RequestSecurityTokenResponse
 VALIDATION_FAILED=Validation of security token failed: {0}
-NO_USER_PASSWORD=No user name and/or password is available, name: {0}, password: {1}
+NO_USER_PASSWORD=No user name and/or password is available, name: {0}
 ADDRESS_NOT_MATCHED=Cannot match the address {0} to the WSDL received via WS-MEX
 WS_MEX_ERROR=Exception when trying to retrieve/process a WSDL via WS-MEX
 NO_LOCATION=The STSClient is not configured with either a location or wsdlLocation property

http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
index 50d4d71..1fd4a16 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
@@ -47,6 +47,42 @@ public class AuthPolicyValidatingInterceptorTest extends Assert {
         assertTrue(validator.isValidated());
     }
     
+    @Test
+    public void testInvalidUsernamePassword() throws Exception {
+        AuthPolicyValidatingInterceptor in = new AuthPolicyValidatingInterceptor();
+        TestSTSTokenValidator validator = new TestSTSTokenValidator();
+        in.setValidator(validator);
+        
+        AuthorizationPolicy policy = new AuthorizationPolicy();
+        policy.setUserName("bob");
+        policy.setPassword("pswd2");
+        Message message = new MessageImpl();
+        message.put(AuthorizationPolicy.class, policy);
+        
+        in.handleMessage(message);
+        
+        assertFalse(validator.isValidated());
+    }
+    
+    @Test
+    public void testNoUsername() throws Exception {
+        AuthPolicyValidatingInterceptor in = new AuthPolicyValidatingInterceptor();
+        TestSTSTokenValidator validator = new TestSTSTokenValidator();
+        in.setValidator(validator);
+        
+        AuthorizationPolicy policy = new AuthorizationPolicy();
+        policy.setPassword("pswd");
+        Message message = new MessageImpl();
+        message.put(AuthorizationPolicy.class, policy);
+        
+        try {
+            in.handleMessage(message);
+            fail("Failure expected with no username");
+        } catch (SecurityException ex) {
+            // expected
+        }
+    }
+    
     private static class TestSTSTokenValidator extends STSTokenValidator {
         
         private boolean validated; 


Mime
View raw message