Posted to issues@cxf.apache.org by "Fred Dushin (JIRA)" <ji...@apache.org> on 2008/02/14 23:29:08 UTC
[jira] Commented: (CXF-1433) WS-Security vulnerability
[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569117#action_12569117 ]
Fred Dushin commented on CXF-1433:
----------------------------------
I am unable to reproduce this error in a standalone case.
I will attach a sample program, which illustrates the security interceptors functioning properly. The test case I am submitting, however, requires using the wget utility (available on most Unix systems) to POST a dummy message to the server.
There may still be an issue with CXF deployed in the Tomcat container, which we can investigate next.
> WS-Security vulnerability
> -------------------------
>
> Key: CXF-1433
> URL: https://issues.apache.org/jira/browse/CXF-1433
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.0.3
> Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
> Reporter: Loïc FRERING
> Priority: Critical
>
> It is possible to bypass the security checks configured with WS-Security.
> Server configured with a Username Token WS-Security authentication with Spring:
> <jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
> <jaxws:inInterceptors>
> <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> <constructor-arg>
> <map>
> <entry key="action" value="UsernameToken"/>
> <entry key="passwordType" value="PasswordDigest"/>
> <entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
> </map>
> </constructor-arg>
> </bean>
> <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
> <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
> </jaxws:inInterceptors>
> </jaxws:endpoint>
> When a SOAP message is created and sent with the following header, the server does not process the authentication and returns the response:
> <SOAP-ENV:Envelope>
> <SOAP-ENV:Header>
> <ns0:Security>
> <ns0:wsse>Security</ns0:wsse>
> </ns0:Security>
> </SOAP-ENV:Header>
> <SOAP-ENV:Body>
> <ns0:sayHi>
> <name>Loïc</name>
> </ns0:sayHi>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> So it is possible to bypass all the security checks configured and to use it.
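A namespace-aware structural check of the kind the reported message should have failed, added here as an example (Python, not CXF or WSS4J code). The reporter's excerpt omits xmlns declarations, so the constructed samples below supply them; the service namespace, user name and digest value are made up.

```python
import xml.etree.ElementTree as ET

# Namespaces the check is pinned to: an element named "Security" in any
# other namespace is not a WS-Security header and must not be accepted.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def has_username_token(envelope_xml: str) -> bool:
    """True only if Envelope/Header holds a wsse:Security (WSS 1.0 namespace)
    containing a wsse:UsernameToken with a non-empty Username and a Password.
    Structural gate only: digest/nonce verification stays with the interceptor."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False
    header = root.find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        return False
    for security in header.findall(f"{{{WSSE}}}Security"):
        for token in security.findall(f"{{{WSSE}}}UsernameToken"):
            user = token.find(f"{{{WSSE}}}Username")
            if user is not None and (user.text or "").strip() \
                    and token.find(f"{{{WSSE}}}Password") is not None:
                return True
    return False


# Constructed sample shaped like the report's bypass attempt: ns0 is bound
# to a made-up service namespace, so its "Security" element is not wsse.
BYPASS_ATTEMPT = """<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ns0="http://example.invalid/helloworld">
  <SOAP-ENV:Header><ns0:Security><ns0:wsse>Security</ns0:wsse></ns0:Security></SOAP-ENV:Header>
  <SOAP-ENV:Body><ns0:sayHi><name>Loïc</name></ns0:sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed sample of a well-formed UsernameToken (PasswordDigest form).
VALID_MESSAGE = """<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ns0="http://example.invalid/helloworld"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <SOAP-ENV:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">constructed-digest</wsse:Password>
  </wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>
  <SOAP-ENV:Body><ns0:sayHi><name>Loïc</name></ns0:sayHi></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
```

A message that fails this gate should be rejected with a SOAP fault before any business logic runs, which is also the behaviour a wget-style dummy POST, as described in the comment, would confirm.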