
List:       woden-dev
Subject:    [jira] [Created] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of pla
From:       "Bin (JIRA)" <jira () apache ! org>
Date:       2018-11-15 23:04:00
Message-ID: JIRA.13198779.1542322987000.360752.1542323040275 () Atlassian ! JIRA

Bin created WSS-635:
-----------------------

             Summary: verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
                 Key: WSS-635
                 URL: https://issues.apache.org/jira/browse/WSS-635
             Project: WSS4J
          Issue Type: Bug
    Affects Versions: 2.2.2
            Reporter: Bin
            Assignee: Colm O hEigeartaigh


When a SOAP web service call produces a header like:

<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
      <wsse:Username>test</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
      <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

In org.apache.wss4j.dom.validate.UsernameTokenValidator, verifyPlaintextPassword()
calls verifyDigestPassword, which fails validation of the above header even when I
configure a CallbackHandler to validate the username and password. Another issue is
that the plain password is not passed in to the CallbackHandler. It seems that
verifyPlaintextPassword() should not share the verifyDigestPassword() logic.

  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
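
The OASIS UsernameToken Profile 1.0 defines two password types that are checked differently: #PasswordText is compared directly, while #PasswordDigest is Base64(SHA-1(nonce + created + password)). The following Python example is added here for illustration and is not WSS4J code or part of the original message; `lookup_password` is a hypothetical stand-in for a CallbackHandler that returns the stored password for a username.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

# UsernameToken from the report above, trimmed to the fields the check reads.
TOKEN_XML = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="{UTP}#PasswordText">test$123</wsse:Password>
  <wsse:Nonce>Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
  <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
</wsse:UsernameToken>"""

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce || created || password)) per UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def validate_username_token(token_xml, lookup_password):
    """Return True if the presented password matches the stored one for the user."""
    # Embedded sample only; use a hardened XML parser for untrusted input.
    tok = ET.fromstring(token_xml)
    user = tok.findtext("wsse:Username", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    expected = lookup_password(user)  # hypothetical CallbackHandler stand-in
    if user is None or pw is None or expected is None:
        return False
    presented = pw.text or ""
    ptype = pw.get("Type", UTP + "#PasswordText")  # Type omitted means PasswordText
    if ptype == UTP + "#PasswordDigest":
        nonce = tok.findtext("wsse:Nonce", default="", namespaces=NS)
        created = tok.findtext("wsu:Created", default="", namespaces=NS)
        try:
            expected = password_digest(nonce, created, expected)
        except ValueError:  # malformed Base64 nonce
            return False
    elif ptype != UTP + "#PasswordText":
        return False  # unknown password type: reject
    # Constant-time comparison of what was sent against what is expected.
    return hmac.compare_digest(presented.encode(), expected.encode())
```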

