ws-dev mailing list archives

From "Bin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
Date Thu, 15 Nov 2018 23:04:00 GMT
Bin created WSS-635:
-----------------------

             Summary: verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
                 Key: WSS-635
                 URL: https://issues.apache.org/jira/browse/WSS-635
             Project: WSS4J
          Issue Type: Bug
    Affects Versions: 2.2.2
            Reporter: Bin
            Assignee: Colm O hEigeartaigh


When a SOAP Web Service call produces a header like:

<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
      <wsse:Username>test</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
      <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

In org.apache.wss4j.dom.validate.UsernameTokenValidator, verifyPlaintextPassword() calls verifyDigestPassword(),
which fails validation of the above header even when I configure a CallbackHandler to validate
the username and password. Another issue is that the plain password is not passed in to the
CallbackHandler. It seems that verifyPlaintextPassword() should not share the
verifyDigestPassword() logic.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
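
The report above turns on the two password types of the UsernameToken Profile needing different inputs on the server side. The following Python code is an added example, not WSS4J code and not the reporter's: it validates #PasswordText and #PasswordDigest on separate paths. The names validate, check_plaintext, lookup_cleartext, STORE and SALT are assumptions, and the sample token is constructed from the header in the report.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed sample: the UsernameToken from the report as a stand-alone element.
SAMPLE = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="{UTP}#PasswordText">test$123</wsse:Password>
  <wsse:Nonce>Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
  <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
</wsse:UsernameToken>"""

# Constructed credential store (assumption): only a salted hash is kept.
SALT = b"constructed-salt"
STORE = {"test": hashlib.pbkdf2_hmac("sha256", b"test$123", SALT, 100_000)}

def check_plaintext(user, password):
    """Hypothetical verifier: it needs the received plaintext to hash and compare."""
    want = STORE.get(user)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return want is not None and hmac.compare_digest(want, got)

def digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def validate(token_xml, check_plaintext, lookup_cleartext):
    """lookup_cleartext(user) -> str or None is a hypothetical hook for the digest path."""
    tok = ET.fromstring(token_xml)
    user = tok.findtext("wsse:Username", default="", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    if not user or pw is None:
        return False
    ptype = pw.get("Type", UTP + "#PasswordText")  # profile default is #PasswordText
    sent = pw.text or ""
    if ptype == UTP + "#PasswordText":
        return check_plaintext(user, sent)  # received password goes to the verifier
    if ptype == UTP + "#PasswordDigest":
        # The digest can only be recomputed from a stored cleartext secret.
        secret = lookup_cleartext(user)
        nonce, created = (tok.findtext(p, namespaces=NS) for p in ("wsse:Nonce", "wsu:Created"))
        if secret is None or not nonce or not created:  # stricter than the profile: both required
            return False
        return hmac.compare_digest(digest(nonce, created, secret).encode(), sent.encode())
    return False  # unknown password type: reject
```
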