[ https://issues.apache.org/jira/browse/WSS-281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13939143#comment-13939143 ]

Colm O hEigeartaigh commented on WSS-281:
-----------------------------------------


The purpose of the UsernameTokenValidator in WSS4J 1.6.x is to ask a 
CallbackHandler for the password corresponding to the given user, and then to 
compare the passwords in the Validator. If you don't like this way of 
validating UsernameTokens, you can easily plug in your own Validator 
implementation to handle things how you prefer. For example, you can use the 
JAASUsernameTokenValidator which simply uses JAAS to validate the 
username/password.

The way WSS4J 1.5.x did validation by handing off the username + password to a 
CallbackHandler was a poor design choice, as it forced the CallbackHandler 
implementor to make security decisions instead of simply retrieving 
usernames/passwords. 

In any case, these decisions were made several years ago now. WSS4J 1.5.x is no 
longer supported. 

Colm.
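A CallbackHandler written to the 1.6.x contract described above, as an added example that is not WSS4J's own code: it only hands back the stored password for the requested identifier and leaves the comparison to the Validator. It uses WSS4J's WSPasswordCallback API (getUsage, getIdentifier, setPassword); the in-memory user store is a constructed stand-in for a real credential lookup.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password-retrieval callback for the WSS4J 1.6.x UsernameTokenValidator.
 * It never sees the password sent in the token and never decides whether a
 * login succeeds: it only supplies the stored password for the user, and the
 * Validator performs the comparison.
 */
public class UsernameTokenPasswordHandler implements CallbackHandler {

    // Constructed stand-in for a real credential store (database, directory, vault).
    private final Map<String, String> passwords = new HashMap<String, String>();

    public UsernameTokenPasswordHandler() {
        passwords.put("alice", "example-secret");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pwCb = (WSPasswordCallback) callback;
            // Only answer UsernameToken requests; other usages (signature keys,
            // decryption keys) belong to other handlers.
            if (pwCb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue;
            }
            String stored = passwords.get(pwCb.getIdentifier());
            // Unknown user: leave the password unset. The Validator then has
            // nothing to compare against and rejects the token, so the handler
            // does not need to make that decision itself.
            if (stored != null) {
                pwCb.setPassword(stored);
            }
        }
    }
}
```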

> Password set to null in UsernameTokenValidator
> ----------------------------------------------
>
>                 Key: WSS-281
>                 URL: https://issues.apache.org/jira/browse/WSS-281
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6
>         Environment: linux, cxf, jetty 6.10
>            Reporter: Nicolas Poirot
>            Assignee: Colm O hEigeartaigh
>              Labels: UsernameTokenValidator
>
> When trying to do basic authentication in Soap header with UserNameToken, 
> token is well read from XML, but badly passed to password callback.
> Line 165 of org.apache.ws.security.validate.UsernameTokenValidator :
> WSPasswordCallback pwCb = 
>             new WSPasswordCallback(user, null, pwType, 
> WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.
> Proposed patch:
> Index: 
> src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java
> ===================================================================
> --- src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java 
> (révision 1098991)
> +++ src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java 
> (copie de travail)
> @@ -163,7 +163,7 @@
>          boolean passwordsAreEncoded = usernameToken.getPasswordsAreEncoded();
>          
>          WSPasswordCallback pwCb = 
> -            new WSPasswordCallback(user, null, pwType, 
> WSPasswordCallback.USERNAME_TOKEN, data);
> +            new WSPasswordCallback(user, password, pwType, 
> WSPasswordCallback.USERNAME_TOKEN, data);
>          try {
>              data.getCallbackHandler().handle(new Callback[]{pwCb});
>          } catch (IOException e) {
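Review bot: the replacement line `+            new WSPasswordCallback(user, password, pwType,` pre-fills the callback with the password received in the token, so a CallbackHandler that leaves pwCb untouched (or echoes the value back) would make the Validator's subsequent comparison, described in the comment above, match the token password against itself and accept any credential. Under the 1.6.x contract the handler is expected to supply the stored password for `user` and the Validator compares, which is why the original passes `null` here; a handler that needs the received password to do its own validation belongs in a custom Validator rather than in this constructor argument.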



--
This message was sent by Atlassian JIRA
(v6.2#6252)
