[ https://issues.apache.org/jira/browse/RAMPART-400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nathan Clement updated RAMPART-400:
-----------------------------------

    Description: 
As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() 
returns the hashed password value, and this exception is thrown, even though 
the request is valid according to the policy.  The if statement on line 333 of 
PolicyBasedResultsValidator should be:

{code}
} else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
          !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
    throw new RampartException("invalidUsernameTokenType");
{code}

See attached for patch code.

  was:
As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() 
returns the hashed password value, and this exception is thrown, even though 
the request is valid according to the policy.  The if statement on line 333 of 
PolicyBasedResultsValidator should be:

{code}
} else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
          !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
    throw new RampartException("invalidUsernameTokenType");
{code}

    
> PolicyBasedResultsValidator incorrectly rejects hashed passwords
> ----------------------------------------------------------------
>
>                 Key: RAMPART-400
>                 URL: https://issues.apache.org/jira/browse/RAMPART-400
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Nathan Clement
>         Attachments: hashed_password.patch
>
>
> As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() 
> returns the hashed password value, and this exception is thrown, even 
> though the request is valid according to the policy.  The if statement on 
> line 333 of PolicyBasedResultsValidator should be:
> {code}
> } else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
>           !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
>     throw new RampartException("invalidUsernameTokenType");
> {code}
> See attached for patch code.
