Posted to fx-dev@ws.apache.org by "Kevin Fung (JIRA)" <ji...@apache.org> on 2005/11/16 20:34:31 UTC

[jira] Created: (WSS-25) UsernameToken password is not checked

UsernameToken password is not checked
-------------------------------------

         Key: WSS-25
         URL: http://issues.apache.org/jira/browse/WSS-25
     Project: WSS4J
        Type: Bug
 Environment: Windows 2000, JDK 1.5.0_05-b05
    Reporter: Kevin Fung
 Assigned to: Davanum Srinivas 


In the handleUsernameToken method in WSSecurityEngine class, the password returned by the password handler is not compared against the password/digest from the UsernameToken. The result is that any password will be accepted.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


[jira] Closed: (WSS-25) UsernameToken password is not checked

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/WSS-25?page=all ]
     
Werner Dittmann closed WSS-25:
------------------------------

    Resolution: Won't Fix

Intended behaviour



[jira] Commented: (WSS-25) UsernameToken password is not checked

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12362944 ] 

Werner Dittmann commented on WSS-25:
------------------------------------

Kevin,

yes, you are right with respect to JAAS and the
overall callback semantics. When we introduced
this specific behaviour we explicitly stated that
we deviate here from the JAAS meaning. This is mainly
because the handler cannot check the password in every
case, because password type text is often used to transport
password data transparently that is passed forward to
the service (we had several discussions here on
the list about that). Also, the WSS spec allows introducing
one's own password type attributes.

Thus we went on and said: well, the handler calls the
callback method but with a specific usage type and the
actual password type data. The callback implementation 
may now, based on the usage type and password type, 
decide what to do and may perform the check on
its own and throw an exception if something is
wrong.

Regards,
Werner


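The mechanism Werner describes, as an added example (not code from this thread or from WSS4J itself): a password callback that does the comparison itself for password type text, closing the gap Kevin reports. It assumes the WSS4J 1.x WSPasswordCallback API (getUsage(), getIdentifer(), getPassword(), setPassword(), and the USERNAME_TOKEN / USERNAME_TOKEN_UNKNOWN usage constants) and a constructed in-memory credential map.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// For password digest the engine fetches the stored password and verifies the
// digest itself; for password text (or a custom type) the comparison is ours.
public class VerifyingPasswordCallback implements CallbackHandler {
    // Constructed in-memory credential store (assumption); a real deployment
    // would look the user up in a directory or database.
    private final Map<String, String> store;

    public VerifyingPasswordCallback(Map<String, String> store) {
        this.store = store;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = store.get(pc.getIdentifer()); // WSS4J 1.x accessor name
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest type: hand back the stored password; the engine
                    // recomputes the digest over nonce, created and password.
                    pc.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Text or custom type: pc.getPassword() is what the client
                    // sent and the engine will not compare it, so do it here.
                    String sent = pc.getPassword();
                    if (stored == null || sent == null || !MessageDigest.isEqual(
                            stored.getBytes(StandardCharsets.UTF_8),
                            sent.getBytes(StandardCharsets.UTF_8))) {
                        throw new IOException("bad password for " + pc.getIdentifer());
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage");
            }
        }
    }
}
```

Throwing from the callback is what makes the engine reject the token; a handler that only returns for USERNAME_TOKEN_UNKNOWN accepts every password.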


[jira] Commented: (WSS-25) UsernameToken password is not checked

Posted by "Kevin Fung (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12357892 ] 

Kevin Fung commented on WSS-25:
-------------------------------

I used both password text and digest. Digest was checked, but text was not. I see your point, but I think the convention of JAAS CallbackHandler is to provide the password to the PasswordCallback. The application (WSSecurityEngine in this case) performs the validation, similar to the way that password digest is handled.

Regards,
Kevin





[jira] Commented: (WSS-25) UsernameToken password is not checked

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12357854 ] 

Werner Dittmann commented on WSS-25:
------------------------------------

Which password type do you use? If you use the digest password type
then the digest will be computed and checked. Other passwords are
not checked by the usernametoken handler but could be checked by
the password callback itself. This is because only the handling of digested
passwords is specified and thus can be processed within the handler.

Regards,
Werner

