'[jira] [Resolved] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of pl'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       woden-dev
Subject:    [jira] [Resolved] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of pl
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2018-11-16 10:13:00
Message-ID: JIRA.13198779.1542322987000.364380.1542363180474 () Atlassian ! JIRA
[Download RAW message or body]


     [ https://issues.apache.org/jira/browse/WSS-635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel \
]

Colm O hEigeartaigh resolved WSS-635.
-------------------------------------
    Resolution: Not A Problem

> verifyPlaintextPassword bug that can't validate #PasswordText type of plain \
>                 password
> ------------------------------------------------------------------------------------
>  
> Key: WSS-635
> URL: https://issues.apache.org/jira/browse/WSS-635
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 2.2.2
> Reporter: Bin
> Assignee: Colm O hEigeartaigh
> Priority: Major
> 
> When Soap Web Service call produce head like:
> <soap:Header>
> <wsse:Security soap:mustUnderstand="true" \
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" \
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>  <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
> <wsse:Username>test</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
>  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
>  <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> In org.apache.wss4j.dom.validate.UsernameTokenValidator,  verifyPlaintextPassword() \
> calls  verifyDigestPassword, which fails above header validation even when I \
> configure a   CallbackHandler to validate the username and password, Another issue \
> is that the plain password is not passed in to the callbackHandler. It seems that  \
> verifyPlaintextPassword() should not share the  verifyDigestPassword() logic. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic