Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2009/05/06 12:27:30 UTC

[jira] Resolved: (WSS-183) Change the UsernameTokenProcessor to validate plaintext passwords

     [ https://issues.apache.org/jira/browse/WSS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-183.
-------------------------------------

    Resolution: Fixed

> Change the UsernameTokenProcessor to validate plaintext passwords
> -----------------------------------------------------------------
>
>                 Key: WSS-183
>                 URL: https://issues.apache.org/jira/browse/WSS-183
>             Project: WSS4J
>          Issue Type: Improvement
>    Affects Versions: 1.5.7
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>
> WSS4J has a long-standing issue where it requires the CallbackHandler implementation to return the password for the password digest case (correct behaviour), and validate the password in the CallbackHandler implementation for the plaintext password case. This latter behaviour is an abuse of the CallbackHandler interface, which was only designed to return a password, not validate it. Secondly, it leads to potential security holes, where developers might not be aware their CallbackHandler implementation needs to explicitly throw an exception for the USERNAME_PASSWORD_UNKNOWN (plaintext or unknown) case if they're only testing for USERNAME_PASSWORD (password digest) callbacks.
> 1.6 gives us the chance to change this as we don't have the constraint of backwards compatibility. The USERNAME_PASSWORD tag now refers to any Username Token that is digested, plaintext, or of password type "null" (default to plaintext as per the spec). For this case, the CallbackHandler is expected to supply the password, and validation takes place in UsernameTokenProcessor. If the user wants to implement custom token handling, the relevant WSSConfig property can be set for a custom password type.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
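
As an added illustration of the 1.6 contract the issue describes (this is not WSS4J's own code and was not part of the original message): a CallbackHandler that only hands back the stored password for a UsernameToken and leaves the comparison to the processor, so there is no separate "unknown/plaintext" branch for a developer to forget. It assumes the WSS4J 1.6 class org.apache.ws.security.WSPasswordCallback with its USERNAME_TOKEN usage constant, its getIdentifier()/getPassword()/setPassword() accessors and its (String, int) constructor; the in-memory credential map is constructed for the example, and the matches() helper is a stand-in for the processor-side comparison, not a copy of what UsernameTokenProcessor does.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.6 package name (assumed)

/**
 * CallbackHandler written to the WSS4J 1.6 UsernameToken contract from WSS-183:
 * supply the password for the given identifier, never validate it here.
 */
public final class UsernameTokenPasswordHandler implements CallbackHandler {

    // Constructed sample credential store for the example only.
    private final Map<String, String> passwords = new HashMap<String, String>();

    public UsernameTokenPasswordHandler() {
        passwords.put("alice", "correct horse battery staple");
        passwords.put("bob", "hunter2");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Under 1.6 USERNAME_TOKEN covers digest, plaintext and absent password types
            // alike, so a single branch is enough. Any other usage is refused outright
            // rather than silently ignored.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
            String stored = passwords.get(pc.getIdentifier());
            if (stored != null) {
                pc.setPassword(stored);
            }
            // Unknown user: leave the password unset. The processor then has nothing
            // to compare against and rejects the token (assumed 1.6 behaviour).
        }
    }

    /**
     * Stand-in for the processor-side plaintext comparison: a length-independent,
     * constant-time check of the token's password against the one the handler supplied.
     * MessageDigest.isEqual is used because String.equals short-circuits on the first
     * differing byte.
     */
    static boolean matches(String fromToken, String fromHandler) {
        if (fromToken == null || fromHandler == null) {
            return false;
        }
        return MessageDigest.isEqual(
            fromToken.getBytes(StandardCharsets.UTF_8),
            fromHandler.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new UsernameTokenPasswordHandler();

        // Constructed plaintext tokens as they would reach the processor.
        String[][] tokens = {
            { "alice", "correct horse battery staple" }, // valid
            { "alice", "wrong" },                        // bad password
            { "mallory", "anything" }                    // unknown user
        };
        for (String[] t : tokens) {
            WSPasswordCallback pc = new WSPasswordCallback(t[0], WSPasswordCallback.USERNAME_TOKEN);
            handler.handle(new Callback[] { pc });
            boolean ok = matches(t[1], pc.getPassword());
            System.out.println(t[0] + ": " + (ok ? "accepted" : "rejected"));
        }
    }
}
```

The point of the shape is that the handler cannot get the plaintext case wrong by omission: under the 1.5.x contract a handler that only set the password for USERNAME_TOKEN callbacks and never threw for the separate plaintext callback accepted any plaintext token, whereas here the only thing the handler can return is the stored password, and a missing or mismatched one fails at the comparison step.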