Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6328

Username of UsernameToken is null when it is provided as in a CDATA section

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.7.14
    • Fix Version/s: 3.1
    • Component/s: JAX-WS Runtime
    • Labels:
      None
    • Environment:

      Windows
      Java 7 SE

    • Estimated Complexity:
      Unknown

      Description

      Hello,

      A user invoking a WS, cannot be authenticated by a Username Token if its username is provided in a CDATA section.

      For instance, if the user uses the following username token:

      <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:Username><![CDATA[wernerd]]></wsse:Username>
         <wsse:Password>verySecret</wsse:Password>
      </wsse:UsernameToken>
      

      then the username provided to the UsernameTokenValidator will be 'null' and not 'wernerd'.

      The reason is the method nodeString(Element e) of the UsernameToken considers only node of type TEXT. It should considers CDATA_SECTION_NODE too.

      A fix could be something like that:

          /**
           * Returns the data of an element as String or null if either the the element
           * does not contain a Text node or the node is empty.
           *
           * @param e DOM element
           * @return Element text node data as String
           */
          private String nodeString(Element e) {
              if (e != null) {
                  Node node = e.getFirstChild();
                  StringBuilder builder = new StringBuilder();
                  boolean found = false;
                  while (node != null) {
                      if (Node.TEXT_NODE == node.getNodeType()) {
                          found = true;
                          builder.append(((Text)node).getData());
                      } 
      // FIX START                
                      else if (Node.CDATA_SECTION_NODE == node.getNodeType()) {
                          found = true;
                          builder.append(((CDATASection)node).getData());
                      }
      // FIX END
                      node = node.getNextSibling();
                  }
                 if (!found) {
                      return null;
                  }
                  return builder.toString();
              }
              return null;
          }
      

      A workaround is not to send the username in CDATA.

        Attachments

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              AKROUR AKROUR
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: