Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/04/03 15:23:53 UTC

[jira] [Assigned] (CXF-6328) Username of UsernameToken is null when it is provided as in a CDATA section

     [ https://issues.apache.org/jira/browse/CXF-6328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned CXF-6328:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Username of UsernameToken is null when it is provided as in a CDATA section
> ---------------------------------------------------------------------------
>
>                 Key: CXF-6328
>                 URL: https://issues.apache.org/jira/browse/CXF-6328
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-WS Runtime
>    Affects Versions: 2.7.14
>         Environment: Windows 
> Java 7 SE
>            Reporter: AKROUR
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>             Fix For: 3.1.0
>
>
> Hello,
> A user invoking a WS cannot be authenticated by a Username Token if its username is provided in a CDATA section.
> For instance, if the user uses the following username token:
> {noformat}
> <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>    <wsse:Username><![CDATA[wernerd]]></wsse:Username>
>    <wsse:Password>verySecret</wsse:Password>
> </wsse:UsernameToken>
> {noformat}
> then the username provided to the UsernameTokenValidator will be 'null' and not 'wernerd'.
> The reason is that the method nodeString(Element e) of the UsernameToken considers only nodes of type TEXT. It should consider CDATA_SECTION_NODE too.
> A fix could be something like this:
> {noformat}
>     /**
>      * Returns the data of an element as String or null if either the element
>      * does not contain a Text node or the node is empty.
>      *
>      * @param e DOM element
>      * @return Element text node data as String
>      */
>     private String nodeString(Element e) {
>         if (e != null) {
>             Node node = e.getFirstChild();
>             StringBuilder builder = new StringBuilder();
>             boolean found = false;
>             while (node != null) {
>                 if (Node.TEXT_NODE == node.getNodeType()) {
>                     found = true;
>                     builder.append(((Text)node).getData());
>                 } 
> // FIX START                
>                 else if (Node.CDATA_SECTION_NODE == node.getNodeType()) {
>                     found = true;
>                     builder.append(((CDATASection)node).getData());
>                 }
> // FIX END
>                 node = node.getNextSibling();
>             }
>             if (!found) {
>                 return null;
>             }
>             return builder.toString();
>         }
>         return null;
>     }
> {noformat}
> A workaround is not to send the username in CDATA.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
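
The behaviour described in the report can be reproduced with the JDK's DOM parser alone. The following is an added example, not code from CXF or WSS4J: the class and method names are hypothetical, and the three username bodies (plain text, the CDATA form from the report, and mixed text plus CDATA) are constructed inputs.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added illustration; class and method names are hypothetical, not CXF/WSS4J code.
public class CdataUsernameDemo {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Mirrors the reported behaviour: only TEXT_NODE children are collected.
    static String textOnly(Element e) { return collect(e, false); }

    // Mirrors the proposed fix: CDATA_SECTION_NODE children are collected too.
    static String textAndCdata(Element e) { return collect(e, true); }

    static String collect(Element e, boolean includeCdata) {
        if (e == null) return null;
        StringBuilder sb = new StringBuilder();
        boolean found = false;
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            short t = n.getNodeType();
            if (t == Node.TEXT_NODE || (includeCdata && t == Node.CDATA_SECTION_NODE)) {
                found = true;
                sb.append(((Text) n).getData()); // CDATASection extends Text
            }
        }
        return found ? sb.toString() : null;
    }

    static Element username(String body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setCoalescing(false); // the default: CDATA stays a separate CDATASection node
        String xml = "<wsse:UsernameToken xmlns:wsse=\"" + WSSE + "\"><wsse:Username>"
            + body + "</wsse:Username><wsse:Password>verySecret</wsse:Password></wsse:UsernameToken>";
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return (Element) d.getElementsByTagNameNS(WSSE, "Username").item(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: plain text, the CDATA form from the report, mixed content.
        String[] bodies = { "wernerd", "<![CDATA[wernerd]]>", "wer<![CDATA[nerd]]>" };
        for (String b : bodies) {
            Element u = username(b);
            System.out.println(b + " -> textOnly=" + textOnly(u) + ", textAndCdata=" + textAndCdata(u));
        }
    }
}
```

The mixed-content input is the case to watch in a regression test: a text-only reader returns only part of the username there, so the value handed to a validator must be checked against what the rest of the stack sees for the same element.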