Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2009/04/03 02:37:12 UTC

[jira] Created: (CXF-2150) Web service provider using UsernameToken profile should throw an exception if SOAP client's password type <> web service provider's.

Web service provider using UsernameToken profile should throw an exception if SOAP client's password type <> web service provider's.
------------------------------------------------------------------------------------------------------------------------------------

                 Key: CXF-2150
                 URL: https://issues.apache.org/jira/browse/CXF-2150
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.1.4
         Environment: Windows XP
            Reporter: Glen Mazza
             Fix For: 2.1.5


For WS-Security w/UsernameToken profile (standard method[1], have not tested the WS-SecurityPolicy version with CXF 2.2), the web service provider is not checking whether the password type being supplied by the client (PW_DIGEST or PW_TEXT) matches the type that the web service provider is defined to handle in the cxf-servlet.xml file ("PasswordDigest" or "PasswordText").  This creates a security problem because PW_TEXT and PW_DIGEST are handled very differently[2] on the service side: for the former, the ServiceCallbackHandler validates the password; for the latter, the WSS4J/CXF runtime does, and all the ServiceCallbackHandler does is supply the correct password to validate the client's value against.

Security hole:  If the web service provider is programmed to accept DIGEST, that means its service-side callback handler will be supplying the correct password and will not do any validation or throw any exceptions.  If the SOAP client sends a PW_TEXT value with *any* password, the DIGEST-designed ServiceCallbackHandler will still be called but it won't throw any exceptions--i.e., the SOAP call will wrongfully complete and return an answer to the client.

CXF needs to throw an exception if the SOAP client's password type <> the web service provider's.

Client side (see [1] for source code):
        outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

Service's cxf-servlet.xml:
                  <entry key="passwordType" value="PasswordDigest"/>
                  <!--entry key="passwordType" value="PasswordText"/-->

[1] http://www.jroller.com/gmazza/entry/using_cxf_and_wss4j_to
[2] http://cwiki.apache.org/CXF20DOC/ws-security.html#WS-Security-UsernameTokenAuthentication 


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
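The two service-side paths the report contrasts, modelled as an added example (written for this page, not CXF or WSS4J code): the token is a dict instead of XML, and the two callback functions stand in for a DIGEST-designed and a TEXT-designed ServiceCallbackHandler. The usage codes and the digest formula (Base64(SHA-1(nonce + created + password)), from the WSS UsernameToken Profile) are real; the user "joe", the fixed Created timestamp and the password store are constructed sample data. verify_unchecked() dispatches on the type the client put in the token, which is the hole; verify_checked() adds the type comparison the report asks for.

```python
"""Model of service-side UsernameToken verification, with and without the
password-type check described in CXF-2150.  Added illustration, not CXF/WSS4J
code; the token is a dict, the callback handlers are plain functions."""
import base64
import hashlib
import os

PW_TEXT = "PasswordText"      # what WSConstants.PW_TEXT selects on the client
PW_DIGEST = "PasswordDigest"  # what WSConstants.PW_DIGEST selects

# WSS4J tells the callback handler what it is expected to do via a usage code:
USAGE_DIGEST = "USERNAME_TOKEN"             # supply the password; runtime compares
USAGE_PLAINTEXT = "USERNAME_TOKEN_UNKNOWN"  # handler itself must validate

USERS = {"joe": "joespassword"}  # constructed sample credential store


class AuthFailure(Exception):
    pass


def password_digest(nonce_b64, created, password):
    """PasswordDigest per the WSS UsernameToken Profile:
    Base64(SHA-1(nonce_bytes + created_string + password_string))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username, password, password_type, nonce_b64=None,
                created="2009-04-03T02:37:12Z"):
    """Client side: the token as produced for the chosen PASSWORD_TYPE.
    The default Created value is a fixed constructed timestamp."""
    if nonce_b64 is None:
        nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    if password_type == PW_DIGEST:
        value = password_digest(nonce_b64, created, password)
    elif password_type == PW_TEXT:
        value = password
    else:
        raise ValueError("unknown password type: %s" % password_type)
    return {"Username": username, "Password": value, "Type": password_type,
            "Nonce": nonce_b64, "Created": created}


def digest_style_handler(identifier, usage, supplied):
    """Handler written for a PasswordDigest service: it only looks up and
    returns the stored password and never validates anything."""
    return USERS.get(identifier)


def text_style_handler(identifier, usage, supplied):
    """Handler written for a PasswordText service: it must validate itself."""
    if usage == USAGE_PLAINTEXT:
        if USERS.get(identifier) != supplied:
            raise AuthFailure("bad password for %s" % identifier)
        return None
    return USERS.get(identifier)


def verify_unchecked(token, handler):
    """Vulnerable flow: branch purely on the type the *client* sent."""
    if token["Type"] == PW_DIGEST:
        stored = handler(token["Username"], USAGE_DIGEST, None)
        if stored is None or password_digest(token["Nonce"], token["Created"],
                                             stored) != token["Password"]:
            raise AuthFailure("digest mismatch")
    else:
        # Plaintext: the runtime trusts the handler to validate.  A digest-style
        # handler just returns the password, so any value is accepted here.
        handler(token["Username"], USAGE_PLAINTEXT, token["Password"])
    return True


def verify_checked(token, handler, service_password_type):
    """Fixed flow: reject a token whose type differs from the configured one
    before any callback runs."""
    if token["Type"] != service_password_type:
        raise AuthFailure("token type %s, service expects %s"
                          % (token["Type"], service_password_type))
    return verify_unchecked(token, handler)


def authenticate(token, handler, service_password_type, check_type):
    """True if the call would be allowed to proceed, False if it is rejected."""
    try:
        if check_type:
            verify_checked(token, handler, service_password_type)
        else:
            verify_unchecked(token, handler)
        return True
    except AuthFailure:
        return False


if __name__ == "__main__":
    good = build_token("joe", "joespassword", PW_DIGEST)
    forged = build_token("joe", "wrong", PW_TEXT)   # any password, wrong type
    print(authenticate(good, digest_style_handler, PW_DIGEST, check_type=False))    # True
    print(authenticate(forged, digest_style_handler, PW_DIGEST, check_type=False))  # True (the hole)
    print(authenticate(forged, digest_style_handler, PW_DIGEST, check_type=True))   # False
```

The third call is the fix from the report: the mismatch is rejected before the callback is consulted, so a supply-only handler configured for PasswordDigest can no longer be talked into accepting a PasswordText token.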


[jira] Assigned: (CXF-2150) Web service provider using UsernameToken profile should throw an exception if SOAP client's password type <> web service provider's.

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp reassigned CXF-2150:
--------------------------------

    Assignee: Daniel Kulp



[jira] Updated: (CXF-2150) Web service provider using UsernameToken profile should throw an exception if SOAP client's password type <> web service provider's.

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp updated CXF-2150:
-----------------------------

    Fix Version/s:     (was: 2.1.5)



[jira] Resolved: (CXF-2150) Web service provider using UsernameToken profile should throw an exception if SOAP client's password type <> web service provider's.

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2150.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.6
                   2.1.9


Added some checks in CXF, but this really needs to be fixed in wss4j.
