
List:       xmlrpc-user
Subject:    [jira] [Commented] (WSS-281) Password set to null in UsernameTokenValidator
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2014-03-18 12:48:42
Message-ID: JIRA.12506044.1304416970424.96456.1395146922966 () arcas


    [ https://issues.apache.org/jira/browse/WSS-281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13939143#comment-13939143 ]

Colm O hEigeartaigh commented on WSS-281:
-----------------------------------------


The purpose of the UsernameTokenValidator in WSS4J 1.6.x is to ask a CallbackHandler
for the password corresponding to the given user, and then to compare the passwords
in the Validator. If you don't like this way of validating UsernameTokens, you can
easily plug in your own Validator implementation to handle things how you prefer. For
example, you can use the JAASUsernameTokenValidator which simply uses JAAS to
validate the username/password.

The way WSS4J 1.5.x did validation by handing off the username + password to a
CallbackHandler was a poor design choice, as it forced the CallbackHandler
implementor to make security decisions instead of simply retrieving
usernames/passwords.

In any case, these decisions were made several years ago now. WSS4J 1.5.x is no
longer supported.

Colm.

> Password set to null in UsernameTokenValidator
> ----------------------------------------------
> 
> Key: WSS-281
> URL: https://issues.apache.org/jira/browse/WSS-281
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6
> Environment: linux, cxf, jetty 6.10
> Reporter: Nicolas Poirot
> Assignee: Colm O hEigeartaigh
> Labels: UsernameTokenValidator
> 
> When trying to do basic authentication in SOAP header with UserNameToken, token is
> well read from XML, but badly passed to password callback. Line 165 of
> org.apache.ws.security.validate.UsernameTokenValidator : WSPasswordCallback pwCb =
> new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.
> Proposed patch :
> Index: src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
> ===================================================================
> --- src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java	(révision \
>                 1098991)
> +++ src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java	(copie \
> de travail) @@ -163,7 +163,7 @@
> boolean passwordsAreEncoded = usernameToken.getPasswordsAreEncoded();
> 
> WSPasswordCallback pwCb = 
> -            new WSPasswordCallback(user, null, pwType, \
> WSPasswordCallback.USERNAME_TOKEN, data); +            new WSPasswordCallback(user, \
> password, pwType, WSPasswordCallback.USERNAME_TOKEN, data); try {
> data.getCallbackHandler().handle(new Callback[]{pwCb});
> } catch (IOException e) {
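Review bot: the `+` line replaces `new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data)` with a call that passes the client-supplied `password` into the callback, which inverts the 1.6.x contract described in the comment above: the CallbackHandler is meant to supply the stored password for `user`, and the Validator performs the comparison after `handle()` returns. With this change the handler receives the value under test and has to decide for itself whether it matches, which is the 1.5.x division of responsibility the comment rejects. The surrounding context (`passwordsAreEncoded`, `pwType`) also shows that the value may be a digest rather than plaintext, so a handler could not compare it directly against a stored password without duplicating the Validator's digest handling. Suggest dropping the change; the `null` is intentional, and the fix belongs in the CallbackHandler, which should call `setPassword()` on the callback with the stored credential for the requested user.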


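As an added illustration of the 1.6.x CallbackHandler contract described in the comment above (example code, not from this thread or from the WSS4J code base; the class name and the in-memory user map are constructed assumptions), a handler that only supplies the stored password and leaves the comparison to the Validator:

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler name; the user store below is constructed sample data,
// a real handler would look the user up in a directory or database.
public class StoredPasswordCallbackHandler implements CallbackHandler {

    private final Map<String, String> users = new HashMap<String, String>();

    public StoredPasswordCallbackHandler() {
        users.put("alice", "alice-secret");
        users.put("bob", "bob-secret");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pwCb = (WSPasswordCallback) callback;
            if (pwCb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // signature/decryption key callbacks are not handled here
            }
            // The callback arrives with its password field null (the "null" in the
            // hunk above). The handler's only job is to fill in the stored password
            // for pwCb.getIdentifier(); it must NOT compare anything itself, because
            // UsernameTokenValidator does the comparison after handle() returns and
            // accounts for the token's password type (plaintext or digest) there.
            String stored = users.get(pwCb.getIdentifier());
            if (stored != null) {
                pwCb.setPassword(stored);
            }
            // Unknown user: leave the password null so the Validator has nothing
            // to compare against and rejects the token.
        }
    }
}
```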

--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

