Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
2.7.14
-
None
-
Windows
Java 7 SE
-
Unknown
Description
Hello,
A user invoking a WS, cannot be authenticated by a Username Token if its username is provided in a CDATA section.
For instance, if the user uses the following username token:
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:Username><![CDATA[wernerd]]></wsse:Username> <wsse:Password>verySecret</wsse:Password> </wsse:UsernameToken>
then the username provided to the UsernameTokenValidator will be 'null' and not 'wernerd'.
The reason is the method nodeString(Element e) of the UsernameToken considers only node of type TEXT. It should considers CDATA_SECTION_NODE too.
A fix could be something like that:
/**
* Returns the data of an element as String or null if either the the element
* does not contain a Text node or the node is empty.
*
* @param e DOM element
* @return Element text node data as String
*/
private String nodeString(Element e) {
if (e != null) {
Node node = e.getFirstChild();
StringBuilder builder = new StringBuilder();
boolean found = false;
while (node != null) {
if (Node.TEXT_NODE == node.getNodeType()) {
found = true;
builder.append(((Text)node).getData());
}
// FIX START
else if (Node.CDATA_SECTION_NODE == node.getNodeType()) {
found = true;
builder.append(((CDATASection)node).getData());
}
// FIX END
node = node.getNextSibling();
}
if (!found) {
return null;
}
return builder.toString();
}
return null;
}
A workaround is not to send the username in CDATA.