ws-wss4j-dev mailing list archives

From "Kevin Fung (JIRA)" <j...@apache.org>
Subject [jira] Commented: (WSS-25) UsernameToken password is not checked
Date Thu, 17 Nov 2005 14:16:42 GMT
    [ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12357892 ] 

Kevin Fung commented on WSS-25:
-------------------------------

I used both password text and digest. Digest was checked, but text was not. I see your point,
but I think the convention of JAAS CallbackHandler is to provide the password to the PasswordCallback.
The application (WSSecurityEngine in this case) performs the validation, similar to the way
that password digest is handled.

Regards,
Kevin

> UsernameToken password is not checked
> -------------------------------------
>
>          Key: WSS-25
>          URL: http://issues.apache.org/jira/browse/WSS-25
>      Project: WSS4J
>         Type: Bug
>  Environment: Windows 2000, JDK 1.5.0_05-b05
>     Reporter: Kevin Fung
>     Assignee: Davanum Srinivas

>
> In the handleUsernameToken method in WSSecurityEngine class, the password returned by
> the password handler is not compared against the password/digest from the UsernameToken. The
> result is that any password will be accepted.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
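
The division of work discussed in this message, as an added sketch that is not WSS4J's code and not part of the original thread: a JAAS CallbackHandler only supplies the stored password, and the caller compares it against the received UsernameToken value for both text and digest types. The class name, method signature and sample handler are hypothetical, and the digest form assumed is the UsernameToken Profile's Base64(SHA-1(nonce + created + password)).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;

// Added illustration; class and method names are hypothetical, not WSS4J's.
public class UsernameTokenCheck {

    // The handler only supplies the stored password; the comparison happens here.
    static boolean verify(CallbackHandler handler, String user, String received,
                          boolean isDigest, byte[] nonce, String created) throws Exception {
        PasswordCallback cb = new PasswordCallback("Password for " + user + ": ", false);
        handler.handle(new Callback[] { cb });
        char[] stored = cb.getPassword();
        // Reject when anything needed for the comparison is missing
        if (stored == null || received == null
                || (isDigest && (nonce == null || created == null))) {
            return false;
        }
        byte[] expected;
        if (isDigest) {
            // Assumed digest form: Base64(SHA-1(nonce + created + password))
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(nonce);
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(new String(stored).getBytes(StandardCharsets.UTF_8));
            expected = Base64.getEncoder().encode(sha1.digest());
        } else {
            expected = new String(stored).getBytes(StandardCharsets.UTF_8);
        }
        cb.clearPassword();
        // Same constant-time comparison for text and digest tokens
        return MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample handler that knows a single user's password
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                }
            }
        };
        // Plaintext token with the stored password, then with a different one
        System.out.println(verify(handler, "alice", "s3cret", false, null, null));
        System.out.println(verify(handler, "alice", "wrong", false, null, null));
    }
}
```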

