[
https://issues.apache.org/jira/browse/WSS-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12932899#action_12932899
]
Colm O hEigeartaigh commented on WSS-252:
-----------------------------------------
Hi Marek,
Could you be more specific about why you think the code is not thread safe?
When would two threads be going through the UsernameTokenProcessor in parallel?
The processors need to store information about the token they have processed,
as it may be needed by another processor. For example, the SignatureProcessor
might need the UsernameToken processed by the UsernameTokenProcessor in order
to derive a key to verify a Signature.
Note that the processors are loaded per request, it is not the case that a
UsernameTokenProcessor instance processes multiple inbound requests. There is a
JIRA to change this for the next major release
(https://issues.apache.org/jira/browse/WSS-232), but this will require some
thought to ensure that no state persists between requests.
Colm.
> org.apache.ws.security.processor.UsernameTokenProcessor is not thread
> safe/prone to hacker attacks
> --------------------------------------------------------------------------------------------------
>
> Key: WSS-252
> URL: https://issues.apache.org/jira/browse/WSS-252
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Affects Versions: 1.5.9
> Environment: Any
> Reporter: Marek Cyzio
> Assignee: Colm O hEigeartaigh
> Priority: Critical
>
> The UsernameTokenProcessorshould be thread safe, but it caches the
> UsernameToken (ut) and its ID (utId). This may allow a hacker to access the
> system with incorrect password if two threads happen to go through the code
> in parallel.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
