Hello CXF team,

I encountered an unexpected behaviour with UsernameToken Authentication in 
combination with PasswordDigest.
I configured the Server for PasswordDigest Authentication but if a soap message 
comes with PasswordText, the WSS4JInInterceptor does not reject the message at 
all.

The interceptor is configured as follows:

        <jaxws:inInterceptors>
           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
              <constructor-arg>
                 <map>
                    <entry key="action" value="UsernameToken"/>
                    <entry key="passwordType" value="PasswordDigest"/>
                    <entry key="passwordCallbackRef">
                        <bean class="net.mycompany.ServerPasswordCallback"/>
                    </entry>
                 </map>
              </constructor-arg>
           </bean>
        </jaxws:inInterceptors>


The callback class is coded this way:


    import java.io.IOException;

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    import org.apache.ws.security.WSPasswordCallback;

    public class ServerPasswordCallback implements CallbackHandler {

        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (!(callback instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                }
                WSPasswordCallback pc = (WSPasswordCallback) callback;
                if ("joe".equals(pc.getIdentifier())) {
                    // Set the password on the callback. WSS4J compares it with
                    // the password (or digest) that was sent from the client.
                    pc.setPassword("password");
                }
            }
        }
    }


A SOAP message is properly accepted when the username and password in the 
security header match, e.g.:

<wsse:Security
    soapenv:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-26645183"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>joe</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">TOKwiaeIq5eXw59CwXcPPq6fNus=</wsse:Password>
        <wsse:Nonce>Y42zAhtS1ry70aICCV0S2A==</wsse:Nonce>
        <wsu:Created>2009-07-10T18:22:34.526Z</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>


and also properly rejected with this configuration if the password digest does 
not match the password on the server, e.g.:

<wsse:Security
    soapenv:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-31673033"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>joe</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Xy/lzNLSA0BuoQhlP9KHYd+VopM=</wsse:Password>
        <wsse:Nonce>Ed/Lr7xrP8B80yJp+OsUYA==</wsse:Nonce>
        <wsu:Created>2009-07-10T18:13:29.252Z</wsu:Created>
    </wsse:UsernameToken>
</wsse:Security>


According to my understanding, a message with any other username token profile 
should be rejected, but the opposite happens.
Any message with the username token profile PasswordText is accepted regardless 
of the transmitted username and password.


<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soapenv:mustUnderstand="1">
    <wsse:UsernameToken
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="UsernameToken-256294">
        <wsse:Username
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            notjoe
        </wsse:Username>
        <wsse:Password
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
            otherpassword
        </wsse:Password>
    </wsse:UsernameToken>
</wsse:Security>


It seems to me that the WSS4JInInterceptor ignores the configured password 
type entirely.
Changing the interceptor config to

        <jaxws:inInterceptors>
           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
              <constructor-arg>
                 <map>
                    <entry key="action" value="UsernameToken"/>
                    <entry key="passwordType" value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
                    <entry key="passwordCallbackRef">
                        <bean class="net.mycompany.ServerPasswordCallback"/>
                    </entry>
                 </map>
              </constructor-arg>
           </bean>
        </jaxws:inInterceptors>

does not show any change in behaviour. There is still no error about an unknown 
or non-matching password type.

Do you have an idea how to make CXF reject anything other than PasswordDigest?
Or have I missed something in the documentation?

Regards,
Rick 
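The check the post expects the interceptor to perform, written out as an added example in Python (not CXF or WSS4J code): refuse any Password Type other than PasswordDigest, including a missing Type, and only then compare the digest computed from nonce, Created and the stored password. The user table, nonce and timestamp are constructed stand-ins for the ServerPasswordCallback and the quoted headers.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
PASSWORD_TEXT = PROFILE + "#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU}

USERS = {"joe": "password"}  # constructed stand-in for the ServerPasswordCallback lookup
NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")  # constructed sample nonce
CREATED = "2009-07-10T18:22:34.526Z"  # constructed sample timestamp

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(decoded nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def check_username_token(security_xml, required_type=PASSWORD_DIGEST):
    # Returns (accepted, reason); any Password Type other than required_type is refused.
    token = ET.fromstring(security_xml).find("wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken"
    pw = token.find("wsse:Password", NS)
    if pw is None:
        return False, "no Password element"
    # The profile treats a missing Type attribute as PasswordText, so it must not pass either.
    ptype = pw.get("Type", PASSWORD_TEXT)
    if ptype != required_type:
        return False, "password type not allowed: " + ptype
    user = token.findtext("wsse:Username", default="", namespaces=NS).strip()
    if user not in USERS:
        return False, "unknown user"
    nonce = token.findtext("wsse:Nonce", default="", namespaces=NS).strip()
    created = token.findtext("wsu:Created", default="", namespaces=NS).strip()
    if password_digest(nonce, created, USERS[user]) != (pw.text or "").strip():
        return False, "digest mismatch"
    return True, "ok"

def make_header(user, password_value, ptype):
    # Constructed wsse:Security header in the shape of the ones quoted in the post.
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{ptype}">{password_value}</wsse:Password>'
        f"<wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )
```

A production validator would additionally bound the age of Created and reject a nonce it has already seen, since the digest alone does not stop replay of a captured header.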


