
List:       xmlrpc-user
Subject:    [jira] [Commented] (WSS-636) CLONE - Password set to null in UsernameTokenValidator
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2018-11-20 17:23:00
Message-ID: JIRA.13199637.1542731215000.397257.1542734580911 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16693534#comment-16693534 ]

Colm O hEigeartaigh commented on WSS-636:
-----------------------------------------

The UsernameTokenValidator is designed to be used with a CallbackHandler which supplies a given password. It is only really for use in trivial use-cases. For enterprise use, the JAASUsernameTokenValidator should be used instead:

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/JAASUsernameTokenValidator.java


> CLONE - Password set to null in UsernameTokenValidator
> ------------------------------------------------------
> 
> Key: WSS-636
> URL: https://issues.apache.org/jira/browse/WSS-636
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 2.2.2
> Environment: linux, cxf, jetty 6.10
> Reporter: Bouke
> Assignee: Colm O hEigeartaigh
> Priority: Minor
> Labels: UsernameTokenValidator
> 
> When trying to do basic authentication in a SOAP header with a UsernameToken, the token is read correctly from the XML, but passed badly to the password callback. Line 165 of org.apache.ws.security.validate.UsernameTokenValidator:
> WSPasswordCallback pwCb = new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.
> Proposed patch:
> Index: src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
> ===================================================================
> --- src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java	(révision \
>                 1098991)
> +++ src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java	(copie \
> de travail) @@ -163,7 +163,7 @@
> boolean passwordsAreEncoded = usernameToken.getPasswordsAreEncoded();
> 
> WSPasswordCallback pwCb = 
> -            new WSPasswordCallback(user, null, pwType, \
> WSPasswordCallback.USERNAME_TOKEN, data); +            new WSPasswordCallback(user, \
> password, pwType, WSPasswordCallback.USERNAME_TOKEN, data); try {
> data.getCallbackHandler().handle(new Callback[]{pwCb});
> } catch (IOException e) {
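Review bot: the `null` second argument to the `WSPasswordCallback` constructor looks intentional rather than a defect, so this hunk should not be applied as-is. In this validator the callback is built with an empty password slot so that the CallbackHandler can supply the password it expects for `user`, and the validator then compares that against the value parsed from the token (the `passwordsAreEncoded` flag read just above exists for that comparison). Replacing `null` with `password` hands the unverified client-supplied value to the handler; a handler that leaves or echoes the value it was given would then accept every token. If the intent is for an external system to perform the authentication, a validator built for that purpose (Colm points to JAASUsernameTokenValidator) is the right place, not this constructor call.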



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
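An added example (not code from WSS4J or from either participant) of the CallbackHandler contract the comment describes: the handler fills in the password it expects for the identifier, and the validator does the comparison itself. The class name and the map-backed credential store are hypothetical.

```java
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Hypothetical CallbackHandler for use with WSS4J's UsernameTokenValidator.
 * The validator hands over a WSPasswordCallback whose password slot is
 * deliberately null; the handler's job is to set the password it EXPECTS
 * for the given user. The validator then compares that value with what the
 * client sent (including the digest / passwordsAreEncoded cases).
 */
public class ExpectedPasswordCallbackHandler implements CallbackHandler {

    // Constructed sample credential store. A real deployment would consult a
    // directory or database, or use JAASUsernameTokenValidator instead.
    private final Map<String, String> expectedPasswords;

    public ExpectedPasswordCallbackHandler(Map<String, String> expectedPasswords) {
        this.expectedPasswords = expectedPasswords;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unsupported callback");
            }
            WSPasswordCallback pwCb = (WSPasswordCallback) callback;
            if (pwCb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // signature/decryption key usages are not handled here
            }
            // Look the password up by identifier only. Do not read
            // pwCb.getPassword() here: with the validator's design it is null,
            // and if it ever carried the client's value, echoing it back would
            // make every token validate.
            String expected = expectedPasswords.get(pwCb.getIdentifier());
            if (expected != null) {
                pwCb.setPassword(expected);
            }
            // Unknown user: leave the password unset so that validation fails.
        }
    }
}
```

Wire the handler into the WSS4J request data (for example via the engine's callback handler property) and leave UsernameTokenValidator's own comparison in place.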



