From dev-return-18494-archive-asf-public=cust-asf.ponee.io@ws.apache.org Tue Nov 20 18:19:12 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 75030180675 for ; Tue, 20 Nov 2018 18:19:11 +0100 (CET) Received: (qmail 6782 invoked by uid 500); 20 Nov 2018 17:19:05 -0000 Mailing-List: contact dev-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ws.apache.org Delivered-To: mailing list dev@ws.apache.org Received: (qmail 6772 invoked by uid 99); 20 Nov 2018 17:19:05 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Nov 2018 17:19:05 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id E3F94C7130 for ; Tue, 20 Nov 2018 17:19:04 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -109.501 X-Spam-Level: X-Spam-Status: No, score=-109.501 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id djVmCOdLNGIy for ; Tue, 20 Nov 2018 17:19:02 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 685D65F11D for ; Tue, 20 Nov 2018 17:19:02 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 78B12E2635 for ; Tue, 20 Nov 2018 17:19:01 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id A130523FA1 for ; Tue, 20 Nov 2018 17:19:00 +0000 (UTC) Date: Tue, 20 Nov 2018 17:19:00 +0000 (UTC) From: "Bouke (JIRA)" To: dev@ws.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (WSS-636) CLONE - Password set to null in UsernameTokenValidator MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/WSS-636?page=3Dcom.atlassian.ji= ra.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D1669351= 5#comment-16693515 ]=20 Bouke commented on WSS-636: --------------------------- I=C2=A0realise this issue has been discussed and closed before (CXF-3484) b= ut I have seen many (Spring) tutorials that use the class as is, always in = combination with a server-side clear password storage, since this the only = way that the UsernameTokenValidator is currently useful.=C2=A0 Obviously clear password storage is not to be encouraged and line 179 "if (= !origPassword.equals(password)) {"=C2=A0 is a line that should not exist an= ywhere in a secure environment.=C2=A0 Since the org.apache.wss4j.dom.validate.Validator interface is not yet well= documented or has not made it into Google's search indexes yet, I would li= ke to urge you to find a way to encourage good secure behaviour. I would be happy to assist in anyway possible. > CLONE - Password set to null in UsernameTokenValidator > ------------------------------------------------------ > > Key: WSS-636 > URL: https://issues.apache.org/jira/browse/WSS-636 > Project: WSS4J > Issue Type: Bug > Components: WSS4J Core > Affects Versions: 2.2.2 > Environment: linux, cxf, jetty 6.10 > Reporter: Bouke > Assignee: Colm O hEigeartaigh > Priority: Major > Labels: UsernameTokenValidator > > When trying to do basic authentication in Soap header with UserNameToken,= token is well read from XML, but badly passed to password callback. > Line 165 of org.apache.ws.security.validate.UsernameTokenValidator : > WSPasswordCallback pwCb =3D=20 > new WSPasswordCallback(user, null, pwType, WSPasswordCallback= .USERNAME_TOKEN, data); > The password is set to null, while it has been correcty read just before. > Proposed patch : > Index: src/main/java/org/apache/ws/security/validate/UsernameTokenValidat= or.java > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.= java=09(r=C3=A9vision 1098991) > +++ src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.= java=09(copie de travail) > @@ -163,7 +163,7 @@ > boolean passwordsAreEncoded =3D usernameToken.getPasswordsAreEnc= oded(); > =20 > WSPasswordCallback pwCb =3D=20 > - new WSPasswordCallback(user, null, pwType, WSPasswordCallbac= k.USERNAME_TOKEN, data); > + new WSPasswordCallback(user, password, pwType, WSPasswordCal= lback.USERNAME_TOKEN, data); > try { > data.getCallbackHandler().handle(new Callback[]{pwCb}); > } catch (IOException e) { -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org For additional commands, e-mail: dev-help@ws.apache.org