Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.1.4
- None
- Windows XP
- Moderate
Description
For WS-Security w/ UsernameToken profile (standard method [1]; have not tested the WS-SecurityPolicy version with CXF 2.2), the web service provider is not checking whether the password type being supplied by the client (PW_DIGEST or PW_TEXT) matches the type that the web service provider is defined to handle in the cxf-servlet.xml file ("PasswordDigest" or "PasswordText"). This creates a security problem because PW_TEXT and PW_DIGEST are handled very differently [2] on the service side: for the former, the ServiceCallbackHandler validates the password; for the latter, the WSS4J/CXF runtime does, and all the ServiceCallbackHandler does is supply the correct password to validate the client's value against.
Security hole: if the web service provider is programmed to accept DIGEST, that means its service-side callback handler will be supplying the correct password and will not do any validation or throw any exceptions. If the SOAP client sends a PW_TEXT value with any password, the DIGEST-designed ServiceCallbackHandler will still be called, but it won't throw any exceptions, i.e. the SOAP call will wrongfully complete and return an answer to the client.
CXF needs to throw an exception if the SOAP client's password type <> the web service provider's.
Client side (see [1] for source code):
outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
Service's cxf-servlet.xml:
<entry key="passwordType" value="PasswordDigest"/>
<!--entry key="passwordType" value="PasswordText"/-->
[1] http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to
[2] http://cwiki.apache.org/CXF20DOC/ws-security.html#WS-Security-UsernameTokenAuthentication
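As an added example (not code from this issue, nor from CXF or WSS4J), here is a service-side callback handler an application could deploy as a workaround while the runtime itself does not enforce the password type. It relies on the distinction the report describes, as surfaced through the WSS4J 1.5.x callback API: for a digest token the runtime hands the handler a WSPasswordCallback with usage USERNAME_TOKEN and compares the digest itself after setPassword(), while for a plaintext token it hands usage USERNAME_TOKEN_UNKNOWN with the client's value in getPassword() and performs no comparison of its own. The handler refuses any token whose type does not match the type the service was configured for, and on the plaintext path does the comparison the runtime would otherwise skip. The class name, the PasswordType enum and the in-memory `users` store are hypothetical; the assumption that any exception thrown from the handler fails the request is taken from the report.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * UsernameToken callback handler that enforces a single password type.
 * Hypothetical example class; assumes the WSS4J 1.5.x WSPasswordCallback
 * usage constants USERNAME_TOKEN (digest) and USERNAME_TOKEN_UNKNOWN (text).
 */
public class StrictUsernameTokenCallback implements CallbackHandler {

    /** Mirrors the "passwordType" entry in cxf-servlet.xml. */
    public enum PasswordType { DIGEST, TEXT }

    private final PasswordType expected;
    private final Map<String, String> users; // hypothetical user -> password store

    public StrictUsernameTokenCallback(PasswordType expected, Map<String, String> users) {
        this.expected = expected;
        this.users = users;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = users.get(pc.getIdentifier());
            if (stored == null) {
                throw new IOException("unknown user: " + pc.getIdentifier());
            }
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Digest path: the runtime compares the digest after we supply
                // the real password. A digest token against a PasswordText
                // service is a type mismatch, so reject it instead of serving it.
                if (expected != PasswordType.DIGEST) {
                    throw new IOException("password type mismatch: digest token not accepted");
                }
                pc.setPassword(stored);
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Plaintext path: the runtime does NOT validate. A handler written
                // only for digest would return here without checking anything and
                // the call would succeed with any password; this is the hole the
                // report describes, so first reject the mismatch, then verify.
                if (expected != PasswordType.TEXT) {
                    throw new IOException("password type mismatch: plaintext token not accepted");
                }
                if (!stored.equals(pc.getPassword())) {
                    throw new IOException("wrong password for " + pc.getIdentifier());
                }
                break;
            default:
                throw new UnsupportedCallbackException(cb, "unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

Construct it with the PasswordType that matches the service's `passwordType` entry (DIGEST for "PasswordDigest", TEXT for "PasswordText") and wire it in wherever the existing ServiceCallbackHandler is referenced. With the DIGEST setting, a client that sends PW_TEXT now fails at the handler rather than completing the call.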
Issue Links
- relates to WSS-255: Add support for enforcing a text or digest password type when processing a UsernameToken (Closed)