You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org> on 2006/08/29 17:12:24 UTC
[jira] Commented: (WSS-54) UsernameTokenProcessor not processing
unhashed UsernameToken
[ http://issues.apache.org/jira/browse/WSS-54?page=comments#action_12431268 ]
Ruchith Udayanga Fernando commented on WSS-54:
----------------------------------------------
Actually the callback handler is called in the case when the password is not a hashed password.
In this case the both username and password values from the UsernameToken element are set in the WSPasswordCallback instance sent into the callback handler. Usage flag of the WSPasswordCallback is set to WSPasswordCallback.USERNAME_TOKEN_UNKNOWN. One can carryout authentication of the user at the callback with this information within the callback handler. See line : 123-136 of UsernameTokenProcessor[1] (svn revision - 438091 - right now).
A simple example of a callback handler implementation can be found here [2]
[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
[2] https://svn.apache.org/repos/asf/webservices/axis2/trunk/java/modules/integration/test/org/apache/axis2/security/sc/PWCallback.java
> UsernameTokenProcessor not processing unhashed UsernameToken
> ------------------------------------------------------------
>
> Key: WSS-54
> URL: http://issues.apache.org/jira/browse/WSS-54
> Project: WSS4J
> Issue Type: Bug
> Reporter: Bob Coss
> Assigned To: Davanum Srinivas
>
> The UsernameTokenProcessor will not authenticate anything but a UsernameToken that was hashed with a nonce and timestamp. Anything else that is passed to it will create a valid principal regardless of what the implementations password callback handler does. This is creating confusion and preventing WSS4J from being used for anything where the the UsernameToken is passed plainly. It is understood that doing this in a production environment is discouraged, but it is usefull to have this implementation work as expected so that the framework can be experimented with and evaluated.
> Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not of hashed, nothing is done with the WSPasswordCallback object after the call to the password handler handle method is invoked. Since nothing is done with it, the code drops through and sets up a valid principal with the userid and returns. There is no way to signal a WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org