[
https://issues.apache.org/jira/browse/WSS-54?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed WSS-54.
----------------------------------
> UsernameTokenProcessor not processing unhashed UsernameToken
> ------------------------------------------------------------
>
> Key: WSS-54
> URL: https://issues.apache.org/jira/browse/WSS-54
> Project: WSS4J
> Issue Type: Bug
> Reporter: Bob Coss
> Fix For: 1.5.4
>
> Attachments: wss4j_wss54_revised.patch
>
>
> The UsernameTokenProcessor will not authenticate anything but a UsernameToken
> that was hashed with a nonce and timestamp. Anything else that is passed to
> it will create a valid principal regardless of what the implementations
> password callback handler does. This is creating confusion and preventing
> WSS4J from being used for anything where the the UsernameToken is passed
> plainly. It is understood that doing this in a production environment is
> discouraged, but it is usefull to have this implementation work as expected
> so that the framework can be experimented with and evaluated.
> Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not
> of hashed, nothing is done with the WSPasswordCallback object after the call
> to the password handler handle method is invoked. Since nothing is done with
> it, the code drops through and sets up a valid principal with the userid and
> returns. There is no way to signal a
> WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
