ws-dev mailing list archives

From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-54) UsernameTokenProcessor not processing unhashed UsernameToken
Date Mon, 03 Oct 2011 09:04:38 GMT

     [ https://issues.apache.org/jira/browse/WSS-54?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-54.
----------------------------------

    
> UsernameTokenProcessor not processing unhashed UsernameToken
> ------------------------------------------------------------
>
>                 Key: WSS-54
>                 URL: https://issues.apache.org/jira/browse/WSS-54
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Bob Coss
>             Fix For: 1.5.4
>
>         Attachments: wss4j_wss54_revised.patch
>
>
> The UsernameTokenProcessor will not authenticate anything but a UsernameToken that was
> hashed with a nonce and timestamp.  Anything else that is passed to it will create a valid
> principal regardless of what the implementation's password callback handler does.  This is
> creating confusion and preventing WSS4J from being used for anything where the UsernameToken
> is passed plainly.  It is understood that doing this in a production environment is discouraged,
> but it is useful to have this implementation work as expected so that the framework can be
> experimented with and evaluated.
> Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not hashed,
> nothing is done with the WSPasswordCallback object after the call to the password handler
> handle method is invoked.  Since nothing is done with it, the code drops through and sets
> up a valid principal with the userid and returns.  There is no way to signal a WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
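The failure mode the report describes, modelled as an added example that is not WSS4J's own code or the attached patch. It uses the JDK's javax.security.auth.callback interfaces, which WSS4J callback handlers also implement; PasswordLookupCallback, MapPasswordHandler, FailedAuthenticationException and PlaintextUsernameTokenVerifier are assumed stand-ins for WSPasswordCallback, a deployer's handler and WSSecurityException(FAILED_AUTHENTICATION). The user store is constructed for the demo. verifyIgnoringCallback reproduces the reported behaviour (handler called, result ignored, principal created anyway); verify shows the check a processor has to make for a plaintext token: reject when the handler supplied no password and compare in constant time otherwise.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

// Stand-in for WSS4J's WSPasswordCallback (assumed shape, not the real class):
// the processor fills in the identifier, the handler fills in the expected password.
final class PasswordLookupCallback implements Callback {
    private final String identifier;
    private String password; // stays null if the handler does not know the user

    PasswordLookupCallback(String identifier) { this.identifier = identifier; }
    String getIdentifier() { return identifier; }
    String getPassword() { return password; }
    void setPassword(String password) { this.password = password; }
}

// Constructed in-memory user store; a real handler would consult a directory or database.
final class MapPasswordHandler implements CallbackHandler {
    private final Map<String, String> users;
    MapPasswordHandler(Map<String, String> users) { this.users = users; }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof PasswordLookupCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            PasswordLookupCallback pc = (PasswordLookupCallback) cb;
            pc.setPassword(users.get(pc.getIdentifier())); // null for unknown users
        }
    }
}

// Stand-in for WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
final class FailedAuthenticationException extends Exception {
    FailedAuthenticationException(String msg) { super(msg); }
}

final class PlaintextUsernameTokenVerifier {
    private final CallbackHandler handler;
    PlaintextUsernameTokenVerifier(CallbackHandler handler) { this.handler = handler; }

    /** Flow from the report: the handler runs, its result is never read, the user is accepted. */
    String verifyIgnoringCallback(String user, String presented) throws Exception {
        PasswordLookupCallback cb = new PasswordLookupCallback(user);
        handler.handle(new Callback[] { cb });
        return user; // principal created regardless of what the handler found
    }

    /** Corrected flow: accept only if the handler supplied a password and it matches. */
    String verify(String user, String presented) throws Exception {
        PasswordLookupCallback cb = new PasswordLookupCallback(user);
        handler.handle(new Callback[] { cb });
        String expected = cb.getPassword();
        if (expected == null || presented == null) {
            throw new FailedAuthenticationException("unknown user or no password for " + user);
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual is length-independent in time, so a wrong guess
        // leaks nothing about how many leading bytes matched.
        if (!MessageDigest.isEqual(a, b)) {
            throw new FailedAuthenticationException("password mismatch for " + user);
        }
        return user;
    }
}

public class Wss54Demo {
    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new MapPasswordHandler(Map.of("alice", "correct horse"));
        PlaintextUsernameTokenVerifier v = new PlaintextUsernameTokenVerifier(handler);

        // Reported behaviour: wrong password, principal still returned.
        System.out.println("ignored callback: " + v.verifyIgnoringCallback("alice", "wrong"));
        // Checked behaviour: only the right password for a known user passes.
        System.out.println("checked, good: " + v.verify("alice", "correct horse"));
        try {
            v.verify("alice", "wrong");
        } catch (FailedAuthenticationException e) {
            System.out.println("checked, bad password: " + e.getMessage());
        }
        try {
            v.verify("mallory", "anything");
        } catch (FailedAuthenticationException e) {
            System.out.println("checked, unknown user: " + e.getMessage());
        }
    }
}
```

Save as Wss54Demo.java and run with `javac Wss54Demo.java && java Wss54Demo` (Java 9 or later for Map.of). The point of the null check in verify is that a handler which finds no entry, or deliberately leaves the password unset, must be treated as a rejection; that is the signal the report says the processor had no way to honour.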

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

