Posted to fx-dev@ws.apache.org by "Rami Jaamour (JIRA)" <fx...@ws.apache.org> on 2004/12/20 19:08:14 UTC
[jira] Created: (WSFX-41) WSS4J accepts any username/password if in text mode
WSS4J accepts any username/password if in text mode
---------------------------------------------------
Key: WSFX-41
URL: http://nagoya.apache.org/jira/browse/WSFX-41
Project: WSFX
Type: Bug
Components: WSS4J
Environment: Linux
Reporter: Rami Jaamour
Priority: Critical
It appears to me that WSS4J is now letting requests with the wrong username/password pass through if the password was text (not digested)! Take a look at WSSecurityEngine.handleUsernameToken():
All the username and password handling is wrapped in
if (ut.isHashed()) {
...
}
but there is no case for when it is not hashed.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://nagoya.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
[jira] Updated: (WSFX-41) WSS4J accepts any username/password if in text mode
Posted by "Rami Jaamour (JIRA)" <fx...@ws.apache.org>.
[ http://nagoya.apache.org/jira/browse/WSFX-41?page=history ]
Rami Jaamour updated WSFX-41:
-----------------------------
Attachments: WSSecurityEngine.java, diff.txt
I attached a possible fix for your review before I commit it, please, because this seems like a major issue that requires more than one person's attention. I am also having it return a failed authentication if PWCallBack returned a null password for the given username, to increase security so WSS4J does not reveal the fact that a username does not exist.
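The missing plaintext branch described in the report above and the null-password rule from the fix comment, modelled in Python as an added example (this is not WSS4J code; the UsernameToken class, the USERS store and pw_callback are constructed stand-ins for WSS4J's token object and the PWCallBack handler):

```python
"""Model of the WSFX-41 flaw: plaintext UsernameToken passwords were never compared.
Constructed example, not WSS4J code."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store standing in for the PWCallBack handler's lookup.
USERS = {"alice": "s3cret"}


def pw_callback(username: str) -> Optional[str]:
    """Return the stored password for username, or None if the user is unknown."""
    return USERS.get(username)


@dataclass
class UsernameToken:
    name: str
    password: str          # PasswordText value, or base64 PasswordDigest value
    hashed: bool           # True when the token carries a PasswordDigest
    nonce: bytes = b""
    created: str = ""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def handle_username_token_vulnerable(ut: UsernameToken) -> bool:
    """Mirrors the reported flaw: only the hashed case is ever verified."""
    if ut.hashed:
        stored = pw_callback(ut.name)
        if stored is None:
            return False
        expected = password_digest(ut.nonce, ut.created, stored)
        return hmac.compare_digest(expected.encode(), ut.password.encode())
    return True  # plaintext password never compared: any credentials pass


def handle_username_token_fixed(ut: UsernameToken) -> bool:
    """Verifies both token types; unknown user and wrong password fail alike."""
    stored = pw_callback(ut.name)
    if stored is None:
        return False  # same outcome as a bad password, so user existence is not leaked
    expected = password_digest(ut.nonce, ut.created, stored) if ut.hashed else stored
    return hmac.compare_digest(expected.encode(), ut.password.encode())
```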
[jira] Resolved: (WSFX-41) WSS4J accepts any username/password if in text mode
Posted by "Werner Dittmann (JIRA)" <fx...@ws.apache.org>.
[ http://issues.apache.org/jira/browse/WSFX-41?page=all ]
Werner Dittmann resolved WSFX-41:
---------------------------------
Resolution: Fixed
Added an enhancement to the callback mechanism to cover
this problem. Please refer to the WSCallBack javadoc, also
to the callback class used in the interop tests.