WSS4J / WSS-54

UsernameTokenProcessor not processing unhashed UsernameToken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5.4
    • Component/s: None
    • Labels: None

      Description

      The UsernameTokenProcessor will not authenticate anything but a UsernameToken that was hashed with a nonce and timestamp. Anything else that is passed to it will create a valid principal regardless of what the implementation's password callback handler does. This is creating confusion and preventing WSS4J from being used for anything where the UsernameToken is passed plainly. It is understood that doing this in a production environment is discouraged, but it is useful to have this implementation work as expected so that the framework can be experimented with and evaluated.

      Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not hashed, nothing is done with the WSPasswordCallback object after the password handler's handle method is invoked. Since nothing is done with it, the code drops through and sets up a valid principal with the userid and returns. There is no way to signal a WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
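      The following is an added example, not code from WSS4J or from the attached patch. It models the processing step the report describes so that the plaintext branch fails closed: the handler is consulted, its answer is compared with what the token carried, and a mismatch or an unknown user raises a failed-authentication exception instead of falling through to a principal. The classes PasswordCallbackStub, UsernameTokenStub and FailedAuthenticationException are hypothetical stand-ins for WSPasswordCallback, UsernameToken and WSSecurityException(FAILED_AUTHENTICATION); only the JDK's javax.security.auth.callback types are real. The digest branch uses the UsernameToken profile formula Base64(SHA-1(nonce + created + password)) so the two paths can be compared side by side; the credential store and tokens in main are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Hypothetical stand-in for WSS4J's WSPasswordCallback: the handler fills in password. */
final class PasswordCallbackStub implements Callback {
    final String identifier;   // user name taken from the token
    String password;           // stored password set by the handler; null means unknown user
    PasswordCallbackStub(String identifier) { this.identifier = identifier; }
}

/** Hypothetical model of a parsed wsse:UsernameToken. */
final class UsernameTokenStub {
    final String user, password, nonceB64, created;   // nonceB64/created only used when hashed
    final boolean hashed;
    UsernameTokenStub(String user, String password, boolean hashed, String nonceB64, String created) {
        this.user = user; this.password = password; this.hashed = hashed;
        this.nonceB64 = nonceB64; this.created = created;
    }
}

/** Plays the role of WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION). */
final class FailedAuthenticationException extends Exception {
    FailedAuthenticationException(String msg) { super(msg); }
}

final class UsernameTokenVerifier {
    /** UsernameToken profile digest: Base64(SHA-1(nonce + created + password)). */
    static String passwordDigest(String nonceB64, String created, String password) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(Base64.getDecoder().decode(nonceB64));
            sha1.update(created.getBytes(StandardCharsets.UTF_8));
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the principal name only after the token has been verified; otherwise throws. */
    static String authenticate(UsernameTokenStub tok, CallbackHandler handler)
            throws FailedAuthenticationException {
        PasswordCallbackStub cb = new PasswordCallbackStub(tok.user);
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new FailedAuthenticationException("password callback failed for " + tok.user);
        }
        // The defect on this page: the plaintext path stopped here and built a principal anyway.
        // Fail closed when the handler knows no password or the token carried none.
        if (cb.password == null || tok.password == null) {
            throw new FailedAuthenticationException("no password available for " + tok.user);
        }
        String expected = tok.hashed
                ? passwordDigest(tok.nonceB64, tok.created, cb.password)
                : cb.password;
        // Constant-time comparison so the position of a mismatch does not leak through timing.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   tok.password.getBytes(StandardCharsets.UTF_8))) {
            throw new FailedAuthenticationException("password mismatch for " + tok.user);
        }
        return tok.user;
    }

    public static void main(String[] args) {
        // Constructed credential store; a real handler would consult a directory or database.
        Map<String, String> store = Map.of("alice", "correct horse");
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof PasswordCallbackStub) {
                    PasswordCallbackStub pc = (PasswordCallbackStub) c;
                    pc.password = store.get(pc.identifier);
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
        String nonce = Base64.getEncoder().encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String created = "2008-01-01T00:00:00Z";
        UsernameTokenStub[] tokens = {
            new UsernameTokenStub("alice", "correct horse", false, null, null),     // plaintext, correct
            new UsernameTokenStub("alice", "wrong", false, null, null),             // plaintext, wrong
            new UsernameTokenStub("alice", passwordDigest(nonce, created, "correct horse"),
                                  true, nonce, created),                            // digest, correct
            new UsernameTokenStub("mallory", "anything", false, null, null),        // unknown user
        };
        for (UsernameTokenStub t : tokens) {
            try {
                System.out.println("accepted principal " + authenticate(t, handler));
            } catch (FailedAuthenticationException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

      Running main accepts the first and third tokens and rejects the second and fourth. The point of the structure is that every path out of authenticate either throws or returns a name that the handler's answer has been checked against, so a handler that declines to supply a password is enough to refuse the request.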

      Attachments

      • wss4j_wss54_revised.patch (19 kB, Colm O hEigeartaigh)

        Issue Links

        • This issue is duplicated by WSS-98

        Activity

        • Bob Coss created issue
        • Davanum Srinivas made changes: Assignee set to Davanum Srinivas [ dims ]
        • Colm O hEigeartaigh made changes: Link: This issue is duplicated by WSS-98 [ WSS-98 ]
        • Colm O hEigeartaigh made changes: Attachment: wss4j_wss54.patch [ 12380066 ]
        • Colm O hEigeartaigh made changes: Attachment: wss4j_wss54.patch [ 12380066 ]
        • Colm O hEigeartaigh made changes: Attachment: wss4j_wss54_revised.patch [ 12380162 ]
        • Fred Dushin made changes: Status: Open [ 1 ] → Resolved [ 5 ]; Resolution: Fixed [ 1 ]
        • Fred Dushin made changes: Fix Version/s: 1.5.4 [ 12313167 ]
        • Colm O hEigeartaigh made changes: Status: Resolved [ 5 ] → Closed [ 6 ]

          People

          • Assignee: Unassigned
          • Reporter: Bob Coss
          • Votes: 0
          • Watchers: 1
