[jira] [Comment Edited] (CXF-4776) UsernameTokenPolicyValidator does not validate that password is not provided.

Wed, 23 Jan 2013 19:35:16 -0800 

    [ 
https://issues.apache.org/jira/browse/CXF-4776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13561388#comment-13561388
 ] 

Jason Pell edited comment on CXF-4776 at 1/24/13 3:33 AM:
----------------------------------------------------------

This is also the case for the UsernameTokenInterceptor as well.

This seems to be a terrible default stance to take.  Is this not a huge 
security hole?

The wss4j UsernameTokenValidator calls the verifyUnknownPassword when no 
password is provided in the username token.  However I would have thought this 
should not be the default.  If a Password type of NONE was specified then of 
course passwords should not be validated.  But where a password type of Text is 
provided the Password Validator should throw up an error for a missing password.
                
      was (Author: pellcorp):
    This is also the case for the UsernameTokenInterceptor as well.

This seems to be a terrible default stance to take.  Is this not a huge 
security hole?

                  
> UsernameTokenPolicyValidator does not validate that password is not provided.
> -----------------------------------------------------------------------------
>
>                 Key: CXF-4776
>                 URL: https://issues.apache.org/jira/browse/CXF-4776
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.2
>            Reporter: Jason Pell
>            Assignee: Jason Pell
>         Attachments: patch.txt, UsernamePasswordPolicy.xml
>
>
> See my attached WS-Policy which I attached via @Policies annotation to 
> Placement.BINDING_OPERATION_INPUT.
> If I include an incorrect Password I get the expected authentication error.  
> If I actually remove the password I get no authentication failure.  The 
> UsernameTokenPolicyValidator only checks that the username is provided.
> I have a simple patch for this but would appreciate some weigh in from 
> ws-policy cxf devs please.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to