List: xmlrpc-user
Subject: [jira] [Resolved] (WSS-635) verifyPlaintextPassword bug that can't validate #PasswordText type of pl
From: "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date: 2018-11-16 10:13:00
Message-ID: JIRA.13198779.1542322987000.364380.1542363180474 () Atlassian ! JIRA
[ https://issues.apache.org/jira/browse/WSS-635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-635.
-------------------------------------
Resolution: Not A Problem
> verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
> ------------------------------------------------------------------------------------
>
> Key: WSS-635
> URL: https://issues.apache.org/jira/browse/WSS-635
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 2.2.2
> Reporter: Bin
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> When a SOAP web service call produces a header like:
> <soap:Header>
> <wsse:Security soap:mustUnderstand="true"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
> <wsse:Username>test</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
> <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> In org.apache.wss4j.dom.validate.UsernameTokenValidator, verifyPlaintextPassword()
> calls verifyDigestPassword, which fails the above header validation even when I
> configure a CallbackHandler to validate the username and password. Another issue
> is that the plain password is not passed in to the callbackHandler. It seems that
> verifyPlaintextPassword() should not share the verifyDigestPassword() logic.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
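
An added example, not part of the original message and not WSS4J project code: in WSS4J 2.x the CallbackHandler for a UsernameToken is asked to supply the stored password for the username, and the validator compares it with the password in the token. The class name `StoredPasswordHandler`, the `USERS` map and the `matches` helper are hypothetical; it assumes Java 9+ and wss4j-ws-security-common on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

// Hypothetical handler name; needs wss4j-ws-security-common on the classpath.
public class StoredPasswordHandler implements CallbackHandler {
    // Constructed sample store using the credentials from the header above.
    private static final Map<String, String> USERS = Map.of("test", "test$123");

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "unexpected usage");
            }
            // Supply the expected password for this user. The password received
            // in the token is not handed to the handler. Unknown users get no
            // password set, so the comparison fails.
            String stored = USERS.get(pc.getIdentifier());
            if (stored != null) {
                pc.setPassword(stored);
            }
        }
    }

    // Simplified stand-in for the validator's comparison (not WSS4J code).
    static boolean matches(CallbackHandler h, String user, String received) throws Exception {
        WSPasswordCallback pc = new WSPasswordCallback(user, WSPasswordCallback.USERNAME_TOKEN);
        h.handle(new Callback[] {pc});
        String expected = pc.getPassword();
        return expected != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler h = new StoredPasswordHandler();
        System.out.println(matches(h, "test", "test$123"));
        System.out.println(matches(h, "test", "wrong"));
        System.out.println(matches(h, "nobody", "test$123"));
    }
}
```

Where the credential store holds only password hashes, the handler cannot return the plaintext, so the comparison has to be done in a custom validator instead.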