ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
Date Fri, 16 Nov 2018 10:12:00 GMT

    [ https://issues.apache.org/jira/browse/WSS-635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16689252#comment-16689252 ]

Colm O hEigeartaigh commented on WSS-635:
-----------------------------------------

The logic in verifyDigestPassword works for both plaintext + digest passwords.

The issue is that your CallbackHandler implementation must return the password associated
with the username. For examples see this test implementation:

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/UsernamePasswordCallbackHandler.java

> verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
> ------------------------------------------------------------------------------------
>
>                 Key: WSS-635
>                 URL: https://issues.apache.org/jira/browse/WSS-635
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 2.2.2
>            Reporter: Bin
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> When a SOAP Web Service call produces a header like:
> <soap:Header>
> <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
> <wsse:Username>test</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
> <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> In org.apache.wss4j.dom.validate.UsernameTokenValidator, verifyPlaintextPassword() calls verifyDigestPassword(),
> which fails the above header validation even when I configure a
> CallbackHandler to validate the username and password. Another issue is that the plain
> password is not passed in to the CallbackHandler. It seems that verifyPlaintextPassword()
> should not share the verifyDigestPassword() logic.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
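The contract Colm describes above, written out as an added example (this is illustrative code, not part of the JIRA thread, of the linked WSS4J test class, or of WSS4J itself): a javax.security.auth.callback.CallbackHandler that, when WSS4J hands it a WSPasswordCallback with usage USERNAME_TOKEN, looks up the expected password for the identifier (the <wsse:Username>) and sets it on the callback. The in-memory user store and the class name are constructed for the example. WSS4J then performs the comparison itself: directly for a #PasswordText token, and by recomputing the digest over nonce, created time and the supplied password for a #PasswordDigest token.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

// Added example, not code from the thread or from WSS4J: a CallbackHandler
// that supplies the password WSS4J should compare the token against.
public class ExampleUsernameTokenCallbackHandler implements CallbackHandler {

    // Constructed sample credential store for the example. A real deployment
    // would back this with its own user database or secret store.
    private static final Map<String, String> USERS = Map.of(
            "test", "test$123",
            "alice", "correct horse battery staple");

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            // Only UsernameToken verification is handled here. Other usages
            // (signature or decryption key passwords) are left untouched, so
            // those operations fail unless another handler serves them.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue;
            }

            // pc.getIdentifier() is the <wsse:Username> from the token.
            // Do not compare pc.getPassword() against the store here: the
            // handler's job is to return the expected password, and
            // UsernameTokenValidator does the comparison (plain or digest).
            String expected = USERS.get(pc.getIdentifier());
            if (expected != null) {
                pc.setPassword(expected);
            }
            // Unknown user: leave the password unset, so validation fails.
        }
    }
}
```

Register the handler with the WSS4J inbound handler or validator the same way the project's own test handler is registered (for example through the password callback class or reference configuration property of the WSS4J handler in use); the important point for WSS-635 is that the handler sets the password rather than expecting the plaintext password to be passed in for it to check.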

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

