List: xmlrpc-user
Subject: [jira] [Commented] (WSS-636) CLONE - Password set to null in UsernameTokenValidator
From: "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date: 2018-11-20 17:23:00
Message-ID: JIRA.13199637.1542731215000.397257.1542734580911 () Atlassian ! JIRA
[ https://issues.apache.org/jira/browse/WSS-636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16693534#comment-16693534 ]
Colm O hEigeartaigh commented on WSS-636:
-----------------------------------------
The UsernameTokenValidator is designed to be used with a CallbackHandler which supplies a given password. It is only really for use in trivial use-cases. For enterprise use instead the JAASUsernameTokenValidator should be used:
https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/JAASUsernameTokenValidator.java
> CLONE - Password set to null in UsernameTokenValidator
> ------------------------------------------------------
>
> Key: WSS-636
> URL: https://issues.apache.org/jira/browse/WSS-636
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 2.2.2
> Environment: linux, cxf, jetty 6.10
> Reporter: Bouke
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Labels: UsernameTokenValidator
>
> When trying to do basic authentication in Soap header with UserNameToken, token is well read from XML, but badly passed to password callback. Line 165 of org.apache.ws.security.validate.UsernameTokenValidator : WSPasswordCallback pwCb = new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data); The password is set to null, while it has been correctly read just before.
> Proposed patch:
> Index: src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
> ===================================================================
> --- src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java (révision \
> 1098991)
> +++ src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java (copie \
> de travail) @@ -163,7 +163,7 @@
> boolean passwordsAreEncoded = usernameToken.getPasswordsAreEncoded();
>
> WSPasswordCallback pwCb =
> - new WSPasswordCallback(user, null, pwType, \
> WSPasswordCallback.USERNAME_TOKEN, data); + new WSPasswordCallback(user, \
> password, pwType, WSPasswordCallback.USERNAME_TOKEN, data); try {
> data.getCallbackHandler().handle(new Callback[]{pwCb});
> } catch (IOException e) {
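Review bot: the hunk changes the CallbackHandler contract rather than fixing a defect: with `password` passed in place of `null`, the handler now receives the password as it arrived in the token, while the `passwordsAreEncoded` flag read on the line just above the callback construction is not forwarded with it, so a handler cannot tell from the callback alone whether it holds a plaintext or an encoded value (only `pwType` is passed). If the goal is to let the handler verify the received password itself, that change needs to be documented on WSPasswordCallback and the encoding information passed along with the value; otherwise the existing design, in which the handler sets the expected password for `user` and the validator performs the comparison (as the maintainer's reply describes), already covers this case without changing the constructor call.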
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
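An added example, not from this thread or the WSS4J project, of the CallbackHandler contract the maintainer's comment describes: the handler supplies the expected password for the identifier found in the UsernameToken and leaves the comparison to the validator. It assumes the WSS4J 2.x class `org.apache.wss4j.common.ext.WSPasswordCallback`; the class name `UsernameTokenPasswordHandler` and the in-memory password map are constructed for illustration.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Supplies the expected password for a UsernameToken; the validator does the comparison. */
public class UsernameTokenPasswordHandler implements CallbackHandler {

    // Constructed sample store; a real deployment looks this up in a credential backend.
    private final Map<String, String> expectedPasswords;

    public UsernameTokenPasswordHandler(Map<String, String> expectedPasswords) {
        this.expectedPasswords = expectedPasswords;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // signature/decryption key lookups are handled by another handler
            }
            String expected = expectedPasswords.get(pc.getIdentifier());
            if (expected == null) {
                // Unknown user: set nothing, so the validator has no password to match against.
                continue;
            }
            // Hand back the stored password. The validator compares it with the token
            // (plaintext or digest form), so the received value never has to reach this handler.
            pc.setPassword(expected);
        }
    }
}
```

Register this handler with the validator's RequestData (or the matching CXF property); it is the pattern the maintainer's reply refers to, where the handler supplies the password rather than receiving it.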