From: "Colm O hEigeartaigh (Closed) (JIRA)"
To: dev@ws.apache.org
Date: Mon, 3 Oct 2011 09:04:38 +0000 (UTC)
Message-ID: <406226614.2509.1317632678760.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Closed] (WSS-54) UsernameTokenProcessor not processing unhashed UsernameToken

[ https://issues.apache.org/jira/browse/WSS-54?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-54.
----------------------------------

> UsernameTokenProcessor not processing unhashed UsernameToken
> ------------------------------------------------------------
>
>                 Key: WSS-54
>                 URL: https://issues.apache.org/jira/browse/WSS-54
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Bob Coss
>             Fix For: 1.5.4
>
>         Attachments: wss4j_wss54_revised.patch
>
>
> The UsernameTokenProcessor will not authenticate anything but a UsernameToken that was hashed with a nonce and timestamp. Anything else that is passed to it will create a valid principal regardless of what the implementation's password callback handler does. This is creating confusion and preventing WSS4J from being used for anything where the UsernameToken is passed plainly. It is understood that doing this in a production environment is discouraged, but it is useful to have this implementation work as expected so that the framework can be experimented with and evaluated.
> Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not hashed, nothing is done with the WSPasswordCallback object after the call to the password handler handle method is invoked. Since nothing is done with it, the code drops through and sets up a valid principal with the userid and returns. There is no way to signal a WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
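The failure mode the report describes, as an added illustration that is not WSS4J's code or the attached patch: a plaintext-token check that runs the callback handler but never reads the result accepts any password, while the corrected flow compares the handler-supplied password with the token's and fails closed. `PasswordLookup`, `FailedAuthentication`, `processBroken` and `processFixed` are hypothetical stand-ins for WSPasswordCallback, WSSecurityException(FAILED_AUTHENTICATION) and the processor, built on the JDK's javax.security.auth.callback types only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

public class PlainUsernameTokenCheck {
    // Hypothetical stand-in for WSPasswordCallback: the handler receives the
    // username and is expected to fill in the password it knows for that user.
    static final class PasswordLookup implements Callback {
        final String identifier;
        String password;
        PasswordLookup(String identifier) { this.identifier = identifier; }
    }

    // Stand-in for WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
    static final class FailedAuthentication extends GeneralSecurityException {
        FailedAuthentication() { super("FAILED_AUTHENTICATION"); }
    }

    // Behaviour reported in WSS-54: the callback runs, but its result is never
    // inspected, so any username/password pair yields a principal.
    static String processBroken(String user, String tokenPassword, CallbackHandler handler)
            throws IOException, UnsupportedCallbackException {
        handler.handle(new Callback[] { new PasswordLookup(user) });
        return user;  // "principal" is created unconditionally
    }

    // Corrected flow: the handler's answer decides; no answer or a mismatch fails closed.
    static String processFixed(String user, String tokenPassword, CallbackHandler handler)
            throws IOException, UnsupportedCallbackException, FailedAuthentication {
        PasswordLookup cb = new PasswordLookup(user);
        handler.handle(new Callback[] { cb });
        byte[] expected = cb.password == null ? null : cb.password.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = tokenPassword.getBytes(StandardCharsets.UTF_8);
        if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
            throw new FailedAuthentication();
        }
        return user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed handler for the demo: it knows exactly one account.
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                PasswordLookup p = (PasswordLookup) c;
                if ("alice".equals(p.identifier)) p.password = "secret";
            }
        };
        System.out.println("broken, wrong password -> principal " + processBroken("alice", "wrong", handler));
        System.out.println("fixed, right password  -> principal " + processFixed("alice", "secret", handler));
        try {
            processFixed("alice", "wrong", handler);
        } catch (FailedAuthentication e) {
            System.out.println("fixed, wrong password  -> " + e.getMessage());
        }
    }
}
```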