[
https://issues.apache.org/jira/browse/CXF-2150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Kulp reassigned CXF-2150:
--------------------------------
Assignee: Daniel Kulp
> Web service provider using UsernameToken profile should throw an exception if
> SOAP client's password type <> web service provider's.
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-2150
> URL: https://issues.apache.org/jira/browse/CXF-2150
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.1.4
> Environment: Windows XP
> Reporter: Glen Mazza
> Assignee: Daniel Kulp
>
> For WS-Security w/UsernameToken profile (standard method[1], have not tested
> the WS-SecurityPolicy version with CXF 2.2), the web service provider is not
> checking whether the password type being supplied by the client (PW_DIGEST or
> PW_TEXT) matches the type that the web service provider is defined to handle
> in the cxf-servlet.xml file ("PasswordDigest" or "PasswordText"). This
> creates a security problem because PW_TEXT and PW_DIGEST are handled very
> differently[2] on the service side: for the former, the
> ServiceCallbackHandler validates the password, for the latter, the WSS4J/CXF
> runtime does, all the ServiceCallbackHandler does is supply the correct
> password to validate the client's value against.
> Security hole: If the web service provider is programmed to accept DIGEST,
> that means its service-side callback handler will be supplying the correct
> password and will not do any validation or throw any exceptions. If the SOAP
> client sends a PW_TEXT value with *any* password, the DIGEST-designed
> ServiceCallbackHandler will still be called but it won't throw any
> exceptions--i.e., the SOAP call will wrongfully complete and return an answer
> to the client.
> CXF needs to throw an exception if the SOAP client's password type <> the web
> service providers.
> Client side (see [1] for source code):
> outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
> Service's cxf-servlet.xml:
> <entry key="passwordType" value="PasswordDigest"/>
> <!--entry key="passwordType" value="PasswordText"/-->
> [1] http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to
> [2]
> http://cwiki.apache.org/CXF20DOC/ws-security.html#WS-Security-UsernameTokenAuthentication
>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
