cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4776) UsernameTokenValidator do not validate that password is not provided.
Date Thu, 24 Jan 2013 17:19:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-4776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13561773#comment-13561773 ]

Glen Mazza commented on CXF-4776:
---------------------------------

Note there may be other circumstances, like situation #2 here (UsernameToken w/password derived
key: http://www.jroller.com/gmazza/date/20121220), where a password is not supplied with the
username and also where it does not appear any password type is provided.  Make sure any solution
you propose will still work with this case.
                
> UsernameTokenValidator do not validate that password is not provided.
> ---------------------------------------------------------------------
>
>                 Key: CXF-4776
>                 URL: https://issues.apache.org/jira/browse/CXF-4776
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.2
>            Reporter: Jason Pell
>            Assignee: Jason Pell
>             Fix For: 2.7.3
>
>         Attachments: UsernamePasswordPolicy.xml
>
>
> This is an issue for both WS-Policy and WSS4JInInterceptor configuration.
> If I include an incorrect Password I get the expected authentication error.  If I actually
> remove the password I get no authentication failure.  The UsernameTokenValidator only checks
> that the username is provided.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
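
As an added example (not CXF or WSS4J code, and not the fix applied for this issue): a stand-alone check, using only JDK XML APIs, that rejects a UsernameToken with no password unless it looks like the password-derived-key case raised in the comment above. Treating the presence of a `wsse11:Salt` element as the marker for a derived-key token is an assumption here; the class name, verdict names and sample tokens are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenPasswordCheck {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSSE11 =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";

    enum Verdict { HAS_PASSWORD, DERIVED_KEY, REJECT }

    // Trimmed text of the first descendant element with this namespace and name, or null.
    static String text(Element token, String ns, String name) {
        NodeList nodes = token.getElementsByTagNameNS(ns, name);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    static Verdict classify(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the check itself is not an XXE entry point.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element token = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        String user = text(token, WSSE, "Username");
        if (user == null || user.isEmpty()) return Verdict.REJECT;
        String password = text(token, WSSE, "Password");
        // A present password is not yet a valid one; it still has to be verified.
        if (password != null && !password.isEmpty()) return Verdict.HAS_PASSWORD;
        // No password: accept only the derived-key form (assumption: Salt marks it).
        return text(token, WSSE11, "Salt") != null ? Verdict.DERIVED_KEY : Verdict.REJECT;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample tokens, not taken from the issue or its attachment.
        String open = "<wsse:UsernameToken xmlns:wsse='" + WSSE + "' xmlns:wsse11='" + WSSE11
            + "'><wsse:Username>alice</wsse:Username>";
        String close = "</wsse:UsernameToken>";
        System.out.println(classify(open + "<wsse:Password>example</wsse:Password>" + close));
        System.out.println(classify(open + close)); // the case reported in CXF-4776
        System.out.println(classify(open + "<wsse11:Salt>AAECAwQFBgcICQoLDA0ODw==</wsse11:Salt>"
            + "<wsse11:Iteration>1000</wsse11:Iteration>" + close));
    }
}
```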
