[ https://issues.apache.org/jira/browse/WSS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-183.
-----------------------------------


> Change the UsernameTokenProcessor to validate plaintext passwords
> -----------------------------------------------------------------
>
>                 Key: WSS-183
>                 URL: https://issues.apache.org/jira/browse/WSS-183
>             Project: WSS4J
>          Issue Type: Improvement
>    Affects Versions: 1.5.7
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>
> WSS4J has a long-standing issue where it requires the CallbackHandler 
> implementation to return the password for the password digest case (correct 
> behaviour), and validate the password in the CallbackHandler implementation 
> for the plaintext password case. This latter behaviour is an abuse of the 
> CallbackHandler interface, which was only designed to return a password, not 
> validate it. Secondly, it leads to potential security holes, where developers 
> might not be aware their CallbackHandler implementation needs to explicitly 
> throw an exception for the USERNAME_PASSWORD_UNKNOWN (plaintext or unknown) 
> case if they're only testing for USERNAME_PASSWORD (password digest) 
> callbacks.
> 1.6 gives us the chance to change this as we don't have the constraint of 
> backwards compatibility. The USERNAME_PASSWORD tag now refers to any Username 
> Token that is digested, plaintext, or of password type "null" (default to 
> plaintext as per the spec). For this case, the CallbackHandler is expected to 
> supply the password, and validation takes place in UsernameTokenProcessor. If 
> the user wants to implement custom token handling, the relevant WSSConfig 
> property can be set for a custom password type.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


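The two CallbackHandler contracts the issue contrasts, written out as an added example (not code from WSS4J or from the issue reporter). The UsernameTokenCallback class, the Usage enum and the user store are constructed stand-ins for WSS4J's own callback and configuration; the usage names are taken from the issue text rather than from WSS4J's real constants. The digest check follows the WS-Security UsernameToken Profile 1.0 formula Password_Digest = Base64(SHA-1(nonce + created + password)), and the nonce and created values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

public class UsernameTokenValidationDemo {

    // Usage codes named after the issue text; stand-ins, not WSS4J's real constants.
    enum Usage { USERNAME_PASSWORD, USERNAME_PASSWORD_UNKNOWN }

    // Hypothetical callback standing in for WSS4J's password callback.
    static final class UsernameTokenCallback implements Callback {
        final String username;
        final Usage usage;
        final String receivedPassword; // 1.5.x plaintext case: what the token carried
        String password;               // what the handler supplies
        UsernameTokenCallback(String username, Usage usage, String receivedPassword) {
            this.username = username;
            this.usage = usage;
            this.receivedPassword = receivedPassword;
        }
    }

    // Constructed user store; a real handler would consult a directory or database.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    private static UsernameTokenCallback only(Callback cb) throws UnsupportedCallbackException {
        if (!(cb instanceof UsernameTokenCallback)) throw new UnsupportedCallbackException(cb);
        return (UsernameTokenCallback) cb;
    }

    // 1.5.x-style handler written with only the digest case in mind. It never throws
    // for USERNAME_PASSWORD_UNKNOWN, which is the hole the issue describes.
    static final CallbackHandler INCOMPLETE_HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            UsernameTokenCallback utc = only(cb);
            if (utc.usage == Usage.USERNAME_PASSWORD) {
                utc.password = USERS.get(utc.username);
            }
            // USERNAME_PASSWORD_UNKNOWN falls through without checking receivedPassword
        }
    };

    // 1.5.x plaintext path: the processor delegates validation to the handler and
    // treats "no exception" as success.
    static boolean legacyPlaintextAccepted(CallbackHandler handler, String user, String sent) throws Exception {
        UsernameTokenCallback cb = new UsernameTokenCallback(user, Usage.USERNAME_PASSWORD_UNKNOWN, sent);
        handler.handle(new Callback[] { cb });
        return true; // reached only when the handler did not throw
    }

    // 1.6-style handler: supplies the stored password and never validates.
    static final CallbackHandler SUPPLYING_HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            UsernameTokenCallback utc = only(cb);
            utc.password = USERS.get(utc.username); // null for an unknown user
        }
    };

    // Password_Digest = Base64(SHA-1(nonce + created + password)), UsernameToken Profile 1.0.
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // 1.6-style processor: one usage for every token, validation done here.
    // An absent password type is treated as plaintext, as the profile says.
    static boolean validate(CallbackHandler handler, String user, String passwordType,
                            String sent, byte[] nonce, String created) throws Exception {
        UsernameTokenCallback cb = new UsernameTokenCallback(user, Usage.USERNAME_PASSWORD, null);
        handler.handle(new Callback[] { cb });
        if (cb.password == null || sent == null) return false;
        boolean digest = "PasswordDigest".equals(passwordType);
        if (digest && (nonce == null || created == null)) return false;
        String expected = digest ? passwordDigest(nonce, created, cb.password) : cb.password;
        // constant-time comparison so the check does not leak how much of the value matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sent.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);
        String created = "2010-01-01T00:00:00Z";
        System.out.println("1.5.x handler, wrong plaintext password accepted: "
                + legacyPlaintextAccepted(INCOMPLETE_HANDLER, "alice", "not-the-password"));
        System.out.println("1.6 plaintext, wrong password: "
                + validate(SUPPLYING_HANDLER, "alice", "PasswordText", "not-the-password", null, null));
        System.out.println("1.6 digest, correct password: " + validate(SUPPLYING_HANDLER, "alice",
                "PasswordDigest", passwordDigest(nonce, created, "s3cret"), nonce, created));
        System.out.println("1.6 absent type, unknown user: "
                + validate(SUPPLYING_HANDLER, "bob", null, "whatever", null, null));
    }
}
```

Compile and run with `javac UsernameTokenValidationDemo.java && java UsernameTokenValidationDemo`. The first line shows the 1.5.x failure mode: a handler that covers only the digest usage lets a plaintext token through with any password, because the processor has no check of its own. Under the 1.6 shape the handler cannot make that mistake, since it only ever looks up a password and the processor compares it, handling plaintext, digest and absent password types in one place.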