AKROUR created CXF-6328:
---------------------------

             Summary: Username of UsernameToken is null when it is provided in a CDATA section
                 Key: CXF-6328
                 URL: https://issues.apache.org/jira/browse/CXF-6328
             Project: CXF
          Issue Type: Bug
          Components: JAX-WS Runtime
    Affects Versions: 2.7.14
         Environment: Windows 
Java 7 SE
            Reporter: AKROUR
            Priority: Minor


Hello,

A user invoking a WS cannot be authenticated by a Username Token if its 
username is provided in a CDATA section.

For instance, if the user uses the following username token:
{noformat}
<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:Username><![CDATA[wernerd]]></wsse:Username>
   <wsse:Password>verySecret</wsse:Password>
</wsse:UsernameToken>
{noformat}
then the username provided to the UsernameTokenValidator will be 'null' and not 
'wernerd'.

The reason is that the method nodeString(Element e) of the UsernameToken 
considers only nodes of type TEXT. It should consider CDATA_SECTION_NODE too.

A fix could be something like this:
{noformat}
    /**
     * Returns the data of an element as String or null if either the element
     * does not contain a Text node or the node is empty.
     *
     * @param e DOM element
     * @return Element text node data as String
     */
    private String nodeString(Element e) {
        if (e != null) {
            Node node = e.getFirstChild();
            StringBuilder builder = new StringBuilder();
            boolean found = false;
            while (node != null) {
                if (Node.TEXT_NODE == node.getNodeType()) {
                    found = true;
                    builder.append(((Text)node).getData());
                }
                // FIX START
                else if (Node.CDATA_SECTION_NODE == node.getNodeType()) {
                    found = true;
                    builder.append(((CDATASection)node).getData());
                }
                // FIX END
                node = node.getNextSibling();
            }
            if (!found) {
                return null;
            }
            return builder.toString();
        }
        return null;
    }
{noformat}

A workaround is not to send the username in CDATA.



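Added example (not part of the original report and not the project's own code): a stand-alone reproduction that parses the token from the report and compares text-only extraction with extraction that also reads CDATA_SECTION_NODE children. The class name `CdataUsernameDemo`, the helper signatures and the mixed text/CDATA input are assumptions made for illustration; the coalescing-parser column goes beyond the report and shows how `DocumentBuilderFactory.setCoalescing(true)` changes what the extraction code sees.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class CdataUsernameDemo {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Concatenates the character data of the element's direct children; null if none found.
    // includeCdata=false mirrors the reported behaviour, true mirrors the proposed fix.
    static String nodeString(Element e, boolean includeCdata) {
        if (e == null) {
            return null;
        }
        StringBuilder builder = new StringBuilder();
        boolean found = false;
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            short type = n.getNodeType();
            if (type == Node.TEXT_NODE || (includeCdata && type == Node.CDATA_SECTION_NODE)) {
                found = true;
                builder.append(n.getNodeValue());
            }
        }
        return found ? builder.toString() : null;
    }

    // Parses a UsernameToken whose Username content is `body` and returns the Username element.
    static Element username(String body, boolean coalescing) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setCoalescing(coalescing); // true: parser converts CDATA sections to Text nodes
        DocumentBuilder db = factory.newDocumentBuilder();
        String xml = "<wsse:UsernameToken xmlns:wsse=\"" + WSSE + "\"><wsse:Username>" + body
            + "</wsse:Username><wsse:Password>verySecret</wsse:Password></wsse:UsernameToken>";
        return (Element) db.parse(new InputSource(new StringReader(xml)))
            .getElementsByTagNameNS(WSSE, "Username").item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: plain text, the report's CDATA form, and mixed text/CDATA.
        String[] bodies = {"wernerd", "<![CDATA[wernerd]]>", "wer<![CDATA[ner]]>d"};
        for (String body : bodies) {
            Element u = username(body, false);
            System.out.printf("%-22s text-only=%s text+cdata=%s coalescing=%s%n", body,
                nodeString(u, false), nodeString(u, true), nodeString(username(body, true), false));
        }
    }
}
```

The mixed input is worth keeping as a regression case: a text-only reader does not return null for it but a string with the CDATA part missing, so the validator would see a different username than the one in the message.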