org.apache.ws.security.processor.UsernameTokenProcessor is not thread
safe/prone to hacker attacks
--------------------------------------------------------------------------------------------------
Key: WSS-252
URL: https://issues.apache.org/jira/browse/WSS-252
Project: WSS4J
Issue Type: Bug
Components: WSS4J Handlers
Affects Versions: 1.5.9
Environment: Any
Reporter: Marek Cyzio
Assignee: Colm O hEigeartaigh
Priority: Critical
The UsernameTokenProcessor should be thread safe, but it caches the
UsernameToken (ut) and its ID (utId). This may allow a hacker to access the
system with incorrect password if two threads happen to go through the code in
parallel.
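The failure mode reported above, reduced to an added example that is not WSS4J code and is not taken from the issue: a processor that caches the token in a field and is shared between threads, next to a stateless form that keeps request state in parameters. The class names, the `Pause` hook (which forces the interleaving deterministically) and the sample credentials are assumptions made for illustration; Java 16 or later is assumed for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.*;

public class SharedProcessorRace {
    // Hypothetical stand-ins, not WSS4J classes; all values are constructed.
    record Token(String id, String user, String password) {}
    interface Pause { void run() throws Exception; }
    interface Processor { boolean handle(Token t, Pause between) throws Exception; }
    static final Map<String, String> STORE = Map.of("alice", "correct-horse");
    static boolean passwordMatches(Token t) {
        String expected = STORE.get(t.user());
        return expected != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), t.password().getBytes(StandardCharsets.UTF_8));
    }
    // Flawed shape: per-request state cached in a field of a shared instance.
    static class CachingProcessor implements Processor {
        private Token ut;   // overwritten by whichever thread stored last
        public boolean handle(Token t, Pause between) throws Exception {
            ut = t;
            between.run();  // window in which another thread can call handle()
            return passwordMatches(ut);
        }
    }
    // Hardened shape: request state stays in parameters and locals.
    static class StatelessProcessor implements Processor {
        public boolean handle(Token t, Pause between) throws Exception {
            between.run();
            return passwordMatches(t);
        }
    }
    // Handles a wrong-password request while a valid one runs on a second thread.
    static boolean wrongPasswordAccepted(Processor p) throws Exception {
        Token good = new Token("UT-1", "alice", "correct-horse");
        Token bad = new Token("UT-2", "alice", "guess");
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            return p.handle(bad, () -> pool.submit(() -> p.handle(good, () -> { })).get());
        } finally {
            pool.shutdown();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("caching:   " + wrongPasswordAccepted(new CachingProcessor()));
        System.out.println("stateless: " + wrongPasswordAccepted(new StatelessProcessor()));
    }
}
```

With the caching form, the result returned for the wrong-password request is computed from the other thread's token; the stateless form validates only the token it was handed.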