Security Vulnerability: Plaintext Usertoken Profile
---------------------------------------------------
Key: WSS-98
URL: https://issues.apache.org/jira/browse/WSS-98
Project: WSS4J
Issue Type: Bug
Environment: Apache Axis 1.4 + WSS4J 1.5.3
Reporter: Kenny Moens
Assignee: Ruchith Udayanga Fernando
Priority: Critical

When the username and password are passed without digest, no password check is
performed.

This can easily be reproduced with the following SOAP request:

    <wsse:UsernameToken>
      <wsse:Username>foo</wsse:Username>
      <wsse:Password>bar</wsse:Password>
    </wsse:UsernameToken>

When looking at the source code, the password is in this case never checked.
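Added example (not part of the original report and not WSS4J code): a stand-alone Python sketch of the check the report says is missing, comparing the password for both the PasswordText and PasswordDigest forms of a UsernameToken and failing closed otherwise. The credential store, the function name and the sample token are constructed for illustration; the namespace URIs and digest formula are those of the OASIS UsernameToken Profile 1.0.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

USERS = {"foo": "s3cret"}  # constructed credential store (assumption)

# Constructed copy of the request from the report, with the namespace declared.
REPORTED_TOKEN = (
    f'<wsse:UsernameToken xmlns:wsse="{WSSE}">'
    "<wsse:Username>foo</wsse:Username>"
    "<wsse:Password>bar</wsse:Password>"
    "</wsse:UsernameToken>"
)


def verify_username_token(xml_text, users=USERS):
    """Return True only when the presented password matches the stored one."""
    token = ET.fromstring(xml_text)
    stored = users.get(token.findtext("wsse:Username", namespaces=NS))
    pw = token.find("wsse:Password", NS)
    if stored is None or pw is None or not pw.text:
        return False  # unknown user or missing password: reject
    pw_type = pw.get("Type", UTP + "#PasswordText")  # no Type means PasswordText
    if pw_type == UTP + "#PasswordText":
        # The path from the report: plaintext must be compared, not waved through.
        return hmac.compare_digest(pw.text.encode(), stored.encode())
    if pw_type == UTP + "#PasswordDigest":
        nonce = token.findtext("wsse:Nonce", namespaces=NS)
        created = token.findtext("wsu:Created", namespaces=NS)
        if not nonce or not created:
            return False
        try:
            raw_nonce = base64.b64decode(nonce, validate=True)
        except ValueError:
            return False
        # Password_Digest = Base64(SHA-1(nonce + created + password))
        digest = hashlib.sha1(raw_nonce + created.encode() + stored.encode()).digest()
        return hmac.compare_digest(pw.text.encode(), base64.b64encode(digest))
    return False  # unknown password type: fail closed
```

Replay protection (nonce caching and a freshness window on Created) is outside what this sketch covers.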