[ 
https://issues.apache.org/jira/browse/WSS-635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16689252#comment-16689252
 ] 

Colm O hEigeartaigh commented on WSS-635:
-----------------------------------------

The logic in verifyDigestPassword works for both plaintext + digest passwords.

The issue is that your CallbackHandler implementation must return the password 
associated with the username. For examples see this test implementation:

https://github.com/apache/wss4j/blob/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/common/UsernamePasswordCallbackHandler.java

> verifyPlaintextPassword bug that can't validate #PasswordText type of plain 
> password
> ------------------------------------------------------------------------------------
>
>                 Key: WSS-635
>                 URL: https://issues.apache.org/jira/browse/WSS-635
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 2.2.2
>            Reporter: Bin
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> When a SOAP web service call produces a header like:
> <soap:Header>
> <wsse:Security soap:mustUnderstand="true"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <wsse:UsernameToken wsu:Id="UsernameToken-84B2EED4F9D0F2C33F154231267532210">
> <wsse:Username>test</wsse:Username>
> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test$123</wsse:Password>
> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Uh1agPWwwflSLAZNN3/riA==</wsse:Nonce>
> <wsu:Created>2018-11-15T20:11:15.322Z</wsu:Created>
> </wsse:UsernameToken>
> </wsse:Security>
> </soap:Header>
> In org.apache.wss4j.dom.validate.UsernameTokenValidator,
> verifyPlaintextPassword() calls verifyDigestPassword(), which fails
> validation of the above header even when I configure a
> CallbackHandler to validate the username and password. Another issue is that
> the plain password is not passed in to the CallbackHandler. It seems that
> verifyPlaintextPassword() should not share the verifyDigestPassword() logic.
>
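
An added example (not WSS4J's own code and not the linked test class) of the CallbackHandler contract the comment describes: WSS4J hands the handler only the username, and the handler must set the stored password so WSS4J can do the comparison itself. The class name and the in-memory credential map are constructed for illustration.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * Hypothetical server-side CallbackHandler for WSS4J UsernameToken validation.
 * UsernameTokenValidator.verifyDigestPassword() passes the username (usage
 * USERNAME_TOKEN) and never the password carried in the message. The handler
 * looks up the stored password and returns it via setPassword(); WSS4J then
 * compares:
 *   - #PasswordText:   stored password must equal the <wsse:Password> text
 *   - #PasswordDigest: WSS4J recomputes Base64(SHA-1(nonce + created + stored))
 *                      and compares it with the digest in the message
 */
public class UsernameTokenPasswordStore implements CallbackHandler {

    // Constructed sample store (Java 9+ Map.of). A real deployment backs this
    // with a credential service. Digest validation needs the cleartext (or
    // Base64-encoded) password on the server, so it cannot be a one-way hash.
    private static final Map<String, String> PASSWORDS = Map.of(
        "test", "test$123"   // matches the UsernameToken quoted in the issue
    );

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            // Only answer UsernameToken lookups; signature/decryption key
            // usages belong to separate handling.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue;
            }
            String stored = PASSWORDS.get(pc.getIdentifier());
            // Leaving the password null for unknown users makes WSS4J reject
            // the token with FAILED_AUTHENTICATION rather than comparing
            // against an empty or default value.
            if (stored != null) {
                pc.setPassword(stored);
            }
        }
    }
}
```

Register the handler as the password callback on the receiving side (for example via the `passwordCallbackClass` / `passwordCallbackRef` properties of the WSS4J interceptor in use), and the same handler serves both #PasswordText and #PasswordDigest tokens.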



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
