Bin created WSS-635:
-----------------------

             Summary: verifyPlaintextPassword bug that can't validate #PasswordText type of plain password
                 Key: WSS-635
                 URL: https://issues.apache.org/jira/browse/WSS-635
             Project: WSS4J
          Issue Type: Bug
    Affects Versions: 2.2.2
            Reporter: Bin
            Assignee: Colm O hEigeartaigh


When a SOAP web service call produces a header like:

<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
      <wsse:Username>test</wsse:Username>
      <wsse:Password
          Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
      <wsse:Nonce
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
      <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

In org.apache.wss4j.dom.validate.UsernameTokenValidator, 
verifyPlaintextPassword() calls verifyDigestPassword(), which fails validation 
of the above header even when I configure a CallbackHandler to validate the 
username and password. Another issue is that the plain password is not passed 
in to the CallbackHandler. It seems that verifyPlaintextPassword() should not 
share the verifyDigestPassword() logic.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

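An added example, not part of the report above or of the WSS4J project, of how a CallbackHandler takes part in UsernameToken validation under WSS4J 2.x: WSS4J passes the username as the callback identifier with usage USERNAME_TOKEN, the handler sets the stored password for that user, and UsernameTokenValidator then performs the comparison itself (string equality for #PasswordText, a digest over nonce, created and password for #PasswordDigest), which is why the token's own password is not handed to the handler. The class name, the in-memory credential store and the main() that imitates the validator's exchange are assumptions made for the example; the WSPasswordCallback API used is WSS4J's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Hypothetical CallbackHandler for WSS4J 2.x UsernameToken validation.
 * WSS4J calls it with the username as identifier and usage USERNAME_TOKEN and
 * expects the stored password to be set on the callback. The comparison with
 * the token (plaintext equality, or a digest over nonce + created + password)
 * is done afterwards by UsernameTokenValidator, not here.
 */
public class UsernameTokenCallbackHandler implements CallbackHandler {

    // Constructed in-memory credential store for the example; a real deployment
    // would consult a directory or database. The entry matches the header in
    // the report.
    private final Map<String, String> credentials = new HashMap<>();

    public UsernameTokenCallbackHandler() {
        credentials.put("test", "test$123");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                // Other usages (signature or decryption key passwords) are not handled here.
                throw new UnsupportedCallbackException(callback, "unexpected usage " + pc.getUsage());
            }
            String stored = credentials.get(pc.getIdentifier());
            if (stored != null) {
                // Leaving the password unset for unknown users makes WSS4J fail authentication.
                pc.setPassword(stored);
            }
        }
    }

    /** Stand-alone demo of the exchange for the #PasswordText token in the report. */
    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new UsernameTokenCallbackHandler();

        // Values taken from the UsernameToken shown in the report.
        String tokenUsername = "test";
        String tokenPassword = "test$123";

        // Simplified imitation of what UsernameTokenValidator does: ask the handler for
        // the stored password of the identifier, then compare it with the token value.
        // (WSS4J uses String.equals; a constant-time compare is used here.)
        WSPasswordCallback pc = new WSPasswordCallback(tokenUsername, WSPasswordCallback.USERNAME_TOKEN);
        handler.handle(new Callback[] { pc });

        String stored = pc.getPassword();
        boolean ok = stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                tokenPassword.getBytes(StandardCharsets.UTF_8));
        System.out.println("plaintext password valid: " + ok);

        // An unknown user gets no password from the handler and must be rejected.
        WSPasswordCallback unknown = new WSPasswordCallback("nobody", WSPasswordCallback.USERNAME_TOKEN);
        handler.handle(new Callback[] { unknown });
        System.out.println("unknown user rejected: " + (unknown.getPassword() == null));
    }
}
```

Wire the handler into the validation side with the usual WSS4J configuration property for the password callback class (or a RequestData with the handler set) and the same class serves both #PasswordText and #PasswordDigest tokens, since in both cases the handler only has to supply the stored password.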