You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2008/02/15 21:42:08 UTC

[jira] Resolved: (CXF-1433) WS-Security vulnerability

     [ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-1433.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.5

> WS-Security vulnerability
> -------------------------
>
>                 Key: CXF-1433
>                 URL: https://issues.apache.org/jira/browse/CXF-1433
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.0.3
>         Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
>            Reporter: Loïc FRERING
>            Assignee: Daniel Kulp
>            Priority: Critical
>             Fix For: 2.0.5
>
>         Attachments: cxf-1433-fdushin-2008.02.15.patch
>
>
> It is possible to bypass the security checks configured with WS-Security.
> Server configured with an Username Token WS-Security authentication with Spring :
> <jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
> 		<jaxws:inInterceptors>
> 			<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
> 			<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> 				<constructor-arg>
> 					<map>
> 						<entry key="action" value="UsernameToken"/>
> 						<entry key="passwordType" value="PasswordDigest"/>
> 						<entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
> 					</map>
> 				</constructor-arg>
> 			</bean>
> 			<bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
> 			<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
> 		</jaxws:inInterceptors>
> 	</jaxws:endpoint>
> When a SOAP message is created and sent with the following header, the server do not process the authentication and return the response :
> <SOAP-ENV:Envelope>
> 	<SOAP-ENV:Header>
> 	        <ns0:Security>
>                         <ns0:wsse>Security</ns0:wsse>
>                 </ns0:Security>
>         </SOAP-ENV:Header>
> 	<SOAP-ENV:Body>
>         	<ns0:sayHi>
>                         <name>Loïc</name>
>                 </ns0:sayHi>
>         </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> So it is possible to bypass all the security checks configured and to use it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.