[prev in list] [next in list] [prev in thread] [next in thread]
List: woden-dev
Subject: [jira] [Created] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of pla
From: "Bin (JIRA)" <jira () apache ! org>
Date: 2018-11-15 23:04:00
Message-ID: JIRA.13198779.1542322987000.360752.1542323040275 () Atlassian ! JIRA
[Download RAW message or body]
Bin created WSS-635:
-----------------------
Summary: verifyPlaintextPassword bug that can't validate #PasswordText \
type of plain password Key: WSS-635
URL: https://issues.apache.org/jira/browse/WSS-635
Project: WSS4J
Issue Type: Bug
Affects Versions: 2.2.2
Reporter: Bin
Assignee: Colm O hEigeartaigh
When Soap Web Service call produce head like:
<soap:Header>
<wsse:Security soap:mustUnderstand="true" \
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" \
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
<wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
In org.apache.wss4j.dom.validate.UsernameTokenValidator, verifyPlaintextPassword() \
calls verifyDigestPassword, which fails above header validation even when I \
configure a
CallbackHandler to validate the username and password, Another issue is that the \
plain password is not passed in to the callbackHandler. It seems that \
verifyPlaintextPassword() should not share the verifyDigestPassword() logic.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic