Posted to wss4j-dev@ws.apache.org by "Werner Dittmann (JIRA)" <ji...@apache.org> on 2008/07/01 09:33:45 UTC

[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609479#action_12609479 ] 

Werner Dittmann commented on WSS-130:
-------------------------------------

Just to make it more precise:
- the WSSecurityEngine checks the fully qualified names and performs actions only if the fully
  qualified name matches a name defined in the OASIS WSS specifications. Thus WSSecurityEngine
  never calls a password callback if it cannot find a match.
- The WSS4J handlers are the part that controls the message flow, calls the WSS4J security library and checks if
  the results match the expected results. Thus the problem described by Rick is most probably in the WS handler
  parts (checkReceiverResults(...) for example).

Rick, can you try to put in some debug statements in WSDoAllReceiver(...) and WSHandler(....) at or around
the places where checkReceiverResults(...) is called or implemented? That would help us to fix the problem.

Thanks,
Werner

> WSSecurityEngine does not validate UsernameToken in Soap header
> ---------------------------------------------------------------
>
>                 Key: WSS-130
>                 URL: https://issues.apache.org/jira/browse/WSS-130
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.2
>         Environment: Any
>            Reporter: Rick Duckworth
>            Assignee: Ruchith Udayanga Fernando
>
> WSS4J does not validate the UsernameToken in the SOAP header of a request.  Consider the following SOAP message...
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> 	<soapenv:Header>
> 		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
> 			<wsu:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-802441115">
> 				<wsse:Username>user</wsse:Username>
> 				<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
> 			</wsu:UsernameToken>
> 		</wsse:Security>
> 	</soapenv:Header>
> <soapenv:Body>
> <getAlertTemplates xmlns="http://service.com"></getAlertTemplates>
> </soapenv:Body>
> </soapenv:Envelope>
> Notice the incorrect namespace on the UsernameToken.  It should be wsse:UsernameToken rather than wsu:UsernameToken.  WSS4J will gladly hand this request to the web service without processing the UsernameToken, delegating to the CallbackHandler, and performing authentication.  In addition, if the UsernameToken is completely missing, the same behavior is observed.
> The problem occurs in WSSecurityEngine.processSecurityHeader().  It gets a reference to the security header node and iterates through each of its children.  If the child is an element, then it attempts to retrieve a processor for it via WSSConfig.getProcessor().  The problem here is that if the UsernameToken does not follow the OASIS standard, then a processor will not be returned and consequently the CallbackHandler that is configured to handle authentication is never called.  Similarly, it is not called if the UsernameToken is completely missing.  It seems that there should be some mechanism to validate the UsernameToken before processing is attempted.  If validation fails, then the request must fail in a similar fashion as if the entire Security header is missing.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
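The two layers Werner describes, and the fail-open behaviour Rick reports, in the shape of an added example. This is constructed illustration code, not WSS4J's own: a processor table keyed by fully qualified element name (so a wsu:UsernameToken or a missing token simply yields no result, exactly as described), followed by the receiver-side check that turns an empty or incomplete result list into a fault. The function names (process_security_header, check_receiver_results, receive, build_envelope), the in-memory credential store standing in for the CallbackHandler, and the sample envelopes are all assumptions for the example.

```python
"""Fail-open engine pass vs. fail-closed receiver check for a WS-Security header.

Constructed example, not WSS4J code. The engine loop mirrors the behaviour the
issue describes (unknown QNames are skipped); the receiver check is where the
request must be rejected when the expected action did not run.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed credential store; stands in for the configured CallbackHandler.
_CREDENTIALS = {"user": "test"}


class WSSecurityException(Exception):
    pass


def username_token_processor(elem):
    """Processor registered for {wsse}UsernameToken only: checks PasswordText."""
    user = elem.findtext(f"{{{WSSE_NS}}}Username")
    pwd = elem.find(f"{{{WSSE_NS}}}Password")
    if user is None or pwd is None:
        raise WSSecurityException("malformed UsernameToken")
    if pwd.get("Type") != PASSWORD_TEXT:
        raise WSSecurityException("unsupported password type")
    if _CREDENTIALS.get(user) != pwd.text:  # this is the callback's decision
        raise WSSecurityException("authentication failed")
    return ("UsernameToken", user)


# Processor table keyed by fully qualified name, as the engine does it.
PROCESSORS = {f"{{{WSSE_NS}}}UsernameToken": username_token_processor}


def process_security_header(envelope_xml):
    """Engine pass: walk the children of wsse:Security and run the processor
    registered for each QName. A child with no processor is skipped, so a
    mis-namespaced or absent token produces no result and no fault here."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        raise WSSecurityException("no Security header")
    results = []
    for child in sec:
        proc = PROCESSORS.get(child.tag)
        if proc is None:
            continue  # unknown QName: ignored, no callback is invoked
        results.append(proc(child))
    return results


def check_receiver_results(results, required_actions):
    """Handler-side check: the actions that actually ran must equal the
    actions the receiver was configured to require. An empty result list
    against a required UsernameToken action therefore fails."""
    performed = [action for action, _ in results]
    return performed == list(required_actions)


def receive(envelope_xml, required_actions=("UsernameToken",)):
    """Complete receiver: engine pass, then the results check. Returns the
    authenticated user name or raises WSSecurityException."""
    results = process_security_header(envelope_xml)
    if not check_receiver_results(results, required_actions):
        performed = [a for a, _ in results]
        raise WSSecurityException(
            f"required actions {list(required_actions)}, performed {performed}")
    return results[0][1]


def build_envelope(token_ns=WSSE_NS):
    """Constructed request modelled on the one in the report. token_ns=WSU_NS
    reproduces the wrong-namespace case; token_ns=None omits the token."""
    token = "" if token_ns is None else (
        f'<t:UsernameToken xmlns:t="{token_ns}" xmlns:wsu="{WSU_NS}" '
        f'wsu:Id="UsernameToken-1">'
        f'<wsse:Username>user</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">test</wsse:Password>'
        f'</t:UsernameToken>')
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f'<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">'
            f'{token}</wsse:Security></soapenv:Header>'
            f'<soapenv:Body><getAlertTemplates xmlns="http://service.com"/>'
            f'</soapenv:Body></soapenv:Envelope>')


if __name__ == "__main__":
    print(process_security_header(build_envelope(WSU_NS)))  # [] : engine is silent
    print(receive(build_envelope()))                         # 'user'
    for bad in (build_envelope(WSU_NS), build_envelope(None)):
        try:
            receive(bad)
        except WSSecurityException as e:
            print("rejected:", e)
```

The point of the split is visible in the output: process_security_header returns an empty list for both the wsu:UsernameToken and the missing-token envelope without raising, which is the engine behaviour Werner describes as correct. Only check_receiver_results, comparing what ran against what the receiver requires, rejects those requests, so that is where a "hand the request through" symptom has to be investigated.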