You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Martijn Brinkers (JIRA)" <ji...@apache.org> on 2008/09/17 14:27:44 UTC
[jira] Created: (WSS-141) handleUsernameToken gives too much
information. Can be used to deternine if a username exists or not
handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
----------------------------------------------------------------------------------------------------
Key: WSS-141
URL: https://issues.apache.org/jira/browse/WSS-141
Project: WSS4J
Issue Type: Bug
Reporter: Martijn Brinkers
Assignee: Ruchith Udayanga Fernando
I am using WSS4J with CXF to authenticate a soap connection.
If digest password mode is used and the user name is known the password is set and WSS handles the calculation of the digest. Example:
if (pc.getIdentifer().equals(username))
{
/*
* set the password on the callback. This will be compared to the
* password which was sent from the client.
*/
pc.setPassword(password);
}
Now what should be done when the user name does not match any known user? If you do not set the passsword an exception will be thrown (see below) containing something like : "Callback supplied no password for: adminX".
The behavior of the authentication handler is different for a known user than for an unknown user. This makes it easy for an attacker to determine valid user names.
I saw a related message from 2005 (see http://www.mail-archive.com/fx-dev@ws.apache.org/msg00044.html) but it appears it has not been fixed.
Stack trace:
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Resolved: (WSS-141) handleUsernameToken gives too much
information. Can be used to deternine if a username exists or not
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-141.
-------------------------------------
Resolution: Fixed
> handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
> ----------------------------------------------------------------------------------------------------
>
> Key: WSS-141
> URL: https://issues.apache.org/jira/browse/WSS-141
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Martijn Brinkers
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
>
> I am using WSS4J with CXF to authenticate a soap connection.
> If digest password mode is used and the user name is known the password is set and WSS handles the calculation of the digest. Example:
> if (pc.getIdentifer().equals(username))
> {
> /*
> * set the password on the callback. This will be compared to the
> * password which was sent from the client.
> */
> pc.setPassword(password);
> }
> Now what should be done when the user name does not match any known user? If you do not set the passsword an exception will be thrown (see below) containing something like : "Callback supplied no password for: adminX".
> The behavior of the authentication handler is different for a known user than for an unknown user. This makes it easy for an attacker to determine valid user names.
> I saw a related message from 2005 (see http://www.mail-archive.com/fx-dev@ws.apache.org/msg00044.html) but it appears it has not been fixed.
>
> Stack trace:
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
> at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
> at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
> at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> at org.mortbay.jetty.Server.handle(Server.java:324)
> at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
> at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
> at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
> at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
> ... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Closed: (WSS-141) handleUsernameToken gives too much
information. Can be used to deternine if a username exists or not
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-141.
-----------------------------------
> handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
> ----------------------------------------------------------------------------------------------------
>
> Key: WSS-141
> URL: https://issues.apache.org/jira/browse/WSS-141
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Martijn Brinkers
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
>
> I am using WSS4J with CXF to authenticate a soap connection.
> If digest password mode is used and the user name is known the password is set and WSS handles the calculation of the digest. Example:
> if (pc.getIdentifer().equals(username))
> {
> /*
> * set the password on the callback. This will be compared to the
> * password which was sent from the client.
> */
> pc.setPassword(password);
> }
> Now what should be done when the user name does not match any known user? If you do not set the passsword an exception will be thrown (see below) containing something like : "Callback supplied no password for: adminX".
> The behavior of the authentication handler is different for a known user than for an unknown user. This makes it easy for an attacker to determine valid user names.
> I saw a related message from 2005 (see http://www.mail-archive.com/fx-dev@ws.apache.org/msg00044.html) but it appears it has not been fixed.
>
> Stack trace:
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
> at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
> at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
> at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> at org.mortbay.jetty.Server.handle(Server.java:324)
> at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
> at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
> at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
> at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
> ... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Assigned: (WSS-141) handleUsernameToken gives too much
information. Can be used to deternine if a username exists or not
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned WSS-141:
---------------------------------------
Assignee: Colm O hEigeartaigh (was: Ruchith Udayanga Fernando)
> handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
> ----------------------------------------------------------------------------------------------------
>
> Key: WSS-141
> URL: https://issues.apache.org/jira/browse/WSS-141
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Martijn Brinkers
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
>
> I am using WSS4J with CXF to authenticate a soap connection.
> If digest password mode is used and the user name is known the password is set and WSS handles the calculation of the digest. Example:
> if (pc.getIdentifer().equals(username))
> {
> /*
> * set the password on the callback. This will be compared to the
> * password which was sent from the client.
> */
> pc.setPassword(password);
> }
> Now what should be done when the user name does not match any known user? If you do not set the passsword an exception will be thrown (see below) containing something like : "Callback supplied no password for: adminX".
> The behavior of the authentication handler is different for a known user than for an unknown user. This makes it easy for an attacker to determine valid user names.
> I saw a related message from 2005 (see http://www.mail-archive.com/fx-dev@ws.apache.org/msg00044.html) but it appears it has not been fixed.
>
> Stack trace:
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
> at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
> at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
> at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> at org.mortbay.jetty.Server.handle(Server.java:324)
> at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
> at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
> at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
> at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
> ... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-141) handleUsernameToken gives too much
information. Can be used to deternine if a username exists or not
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-141:
------------------------------------
Fix Version/s: 1.5.5
Affects Version/s: 1.5.4
> handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
> ----------------------------------------------------------------------------------------------------
>
> Key: WSS-141
> URL: https://issues.apache.org/jira/browse/WSS-141
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Martijn Brinkers
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
>
> I am using WSS4J with CXF to authenticate a soap connection.
> If digest password mode is used and the user name is known the password is set and WSS handles the calculation of the digest. Example:
> if (pc.getIdentifer().equals(username))
> {
> /*
> * set the password on the callback. This will be compared to the
> * password which was sent from the client.
> */
> pc.setPassword(password);
> }
> Now what should be done when the user name does not match any known user? If you do not set the passsword an exception will be thrown (see below) containing something like : "Callback supplied no password for: adminX".
> The behavior of the authentication handler is different for a known user than for an unknown user. This makes it easy for an attacker to determine valid user names.
> I saw a related message from 2005 (see http://www.mail-archive.com/fx-dev@ws.apache.org/msg00044.html) but it appears it has not been fixed.
>
> Stack trace:
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
> at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
> at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
> at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
> at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> at org.mortbay.jetty.Server.handle(Server.java:324)
> at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
> at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
> at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
> at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
> at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
> at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
> at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
> ... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org