On Thu, May 9, 2013 at 12:05 PM, Tania Marinova <taniamm2...@yahoo.com> wrote:
> I tried your code (instead of System.out.println I throw an exception)
>
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException {
>     for (int i = 0; i < callbacks.length; i++) {
>         WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
>
>         if (pwcb.getUsage() == 0) {
>             try {
>                 throw new Exception("Usage is 0");
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         } else {
>             try {
>                 throw new Exception("Usage is: " + pwcb.getUsage());
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         }
>
>         if (pwcb.getIdentifier() == null) {
>             pwcb.setPassword("bobPW");
>         } else {
>             try {
>                 throw new Exception("found id, could be used to get stored passwod" + pwcb.getIdentifier());
>             } catch (Exception e) {
>                 // TODO Auto-generated catch block
>                 e.printStackTrace();
>             }
>         }
>     }
> }
>
> And here is the response
>
> java.lang.Exception: Usage is: 2
>     at nilo.PWCBHandler.handle(PWCBHandler.java:77)
>
> -----------------------------------------------------------------------------------------
> java.lang.Exception: found id, could be used to get stored passwod: bobWWW
>     at nilo.PWCBHandler.handle(PWCBHandler.java:97)
>     at org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:98)
>
> ------------------------------------------------------------------------------------
>
> So usage is: 2 and of course it extracts the identifier correctly

Well, you removed part of my debugging that informed the Callback index
number in the array; it's possible there is a different usage number in
each loop if there is more than one Callback - not sure.

Anyways, usage 2 is USERNAME_TOKEN, which explains the null password.
You seem to want usage USERNAME_TOKEN_UNKNOWN = 5.

Once you get to that point, you still have the hash and salt stored
separately in different columns, bad idea! Google on rainbow tables to
understand the vulnerability.

- R

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
For additional commands, e-mail: java-user-h...@axis.apache.org
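
An added example, not code from this thread or from Rampart: a callback handler for the usage 5 (USERNAME_TOKEN_UNKNOWN) case named in the reply, which logs each callback's index and usage and checks the supplied password against a salted PBKDF2 hash. The in-memory `store`, the `register` method and the iteration count are assumptions, as is a WSS4J 1.x version that delivers usage 5 with the client's password set on the callback.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class HashedPWCBHandler implements CallbackHandler {
    // Assumption: stand-in for the user table, user -> {salt, derived key}.
    private final Map<String, byte[][]> store = new HashMap<>();

    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // constructed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    public void register(String user, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        store.put(user, new byte[][] { salt, derive(password, salt) });
    }
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unexpected callback type");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // Debug output: index, usage and identifier only, never the password.
            System.err.println("callback[" + i + "] usage=" + pwcb.getUsage() + " id=" + pwcb.getIdentifier());
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Usage 2 (USERNAME_TOKEN) expects setPassword(); a hash-only store cannot supply one.
                throw new UnsupportedCallbackException(callbacks[i], "unsupported usage " + pwcb.getUsage());
            }
            String supplied = pwcb.getPassword();
            byte[][] rec = store.get(pwcb.getIdentifier());
            try {
                if (supplied == null || rec == null
                        || !MessageDigest.isEqual(derive(supplied.toCharArray(), rec[0]), rec[1])) {
                    throw new IOException("authentication failed"); // same message for every failure
                }
            } catch (GeneralSecurityException e) {
                throw new IOException("password verification unavailable", e);
            }
        }
    }
}
```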