Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2013/01/24 18:19:13 UTC

[jira] [Commented] (CXF-4776) UsernameTokenValidator do not validate that password is not provided.

    [ https://issues.apache.org/jira/browse/CXF-4776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13561773#comment-13561773 ] 

Glen Mazza commented on CXF-4776:
---------------------------------

Note there may be other circumstances, like situation #2 here (UsernameToken w/password derived key: http://www.jroller.com/gmazza/date/20121220), where a password is not supplied with the username and also where it does not appear any password type is provided.  Make sure any solution you propose will still work with this case.
                
> UsernameTokenValidator do not validate that password is not provided.
> ---------------------------------------------------------------------
>
>                 Key: CXF-4776
>                 URL: https://issues.apache.org/jira/browse/CXF-4776
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.2
>            Reporter: Jason Pell
>            Assignee: Jason Pell
>             Fix For: 2.7.3
>
>         Attachments: UsernamePasswordPolicy.xml
>
>
> This is an issue for both WS-Policy and WSS4JInInterceptor configuration.
> If I include an incorrect Password I get the expected authentication error.  If I actually remove the password I get no authentication failure.  The UsernameTokenValidator only checks that the username is provided.

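Added example, not part of the JIRA thread and not CXF or WSS4J code: a standalone Python model of the check discussed above, which rejects a UsernameToken with no password unless it is a derived-key token carrying wsse11:Salt and wsse11:Iteration. The function name `classify`, the acceptance rule and the sample tokens are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# WS-Security namespaces (secext 1.0 and 1.1).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"


def _text(token, ns, name):
    """Stripped text of a direct child element, or None if it is absent."""
    el = token.find(f"{{{ns}}}{name}")
    return None if el is None else (el.text or "").strip()


def classify(token_xml):
    """Hypothetical helper: return 'password' or 'derived-key', else raise ValueError."""
    token = ET.fromstring(token_xml)
    if token.tag != f"{{{WSSE}}}UsernameToken":
        raise ValueError("not a UsernameToken")
    if not _text(token, WSSE, "Username"):
        raise ValueError("missing username")
    if _text(token, WSSE, "Password"):
        return "password"  # caller must still verify the password itself
    # No (or empty) password: assumed acceptable only for a derived-key token,
    # which carries Salt and Iteration instead of a password.
    salt = _text(token, WSSE11, "Salt")
    iteration = _text(token, WSSE11, "Iteration")
    if salt and iteration and iteration.isdigit():
        return "derived-key"
    raise ValueError("missing password")


def _token(body):
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}">'
            f"{body}</wsse:UsernameToken>")


# Constructed sample tokens, not captured from a real service.
USER = "<wsse:Username>alice</wsse:Username>"
SAMPLES = {
    "with_password": _token(USER + "<wsse:Password>secret</wsse:Password>"),
    "no_password": _token(USER),
    "empty_password": _token(USER + "<wsse:Password/>"),
    "derived_key": _token(USER + "<wsse11:Salt>c2FsdHNhbHRzYWx0c2FsdA==</wsse11:Salt>"
                                 "<wsse11:Iteration>1000</wsse11:Iteration>"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        try:
            print(name, "->", classify(xml))
        except ValueError as err:
            print(name, "-> rejected:", err)
```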