Posted to fx-dev@ws.apache.org by Brian Bonner <bk...@gmail.com> on 2006/05/08 17:50:08 UTC

Plaintext Password

The callback handler for Passwords is called for both the Plaintext
and the Digest scenarios.

However, it appears that only in the Digest scenario are the passwords
checked with one another.  This doesn't seem to be consistent.

If the password returned for plaintext authentication doesn't match
the password being sent in on the request, shouldn't a

WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);

also be thrown?


I believe this is happening because of the following:

1.  The UsernameToken has:

protected boolean hashed = true;

so the default is that the CallbackHandler is called regardless of
whether it's Plaintext or Digest.

Second, this agrees with the specification of WSHandlerConstants, which
states that the default is PW_DIGEST.

Yet according to this documentation (line 173 on page 9), PW_TEXT
should be the default.
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

I realize that for WSS4J the desire is to have people use Digest
authentication by default, but this can cause confusion with people
who are new to WSS4J and sending requests in using plaintext over SSL
connections.

2.  The UsernameTokenProcessor only hits the callback if the
usernameToken is hashed.

Based on this it appears that the original intent was that the
CallbackHandler would only be for Digest passwords.

This would also seem to indicate that the CallbackHandler is not the
place to call a login module to verify that the user is authenticated.

To me, this is confusing.


This can probably be fixed by changing hashed = false, and changing
the WSHandlerConstant docs, which would make it more consistent with
the OASIS docs.  But it seems like there is an opportunity to hook
into a login module here for security purposes.

Thanks,

Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
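
The check the post is asking for, as an added example that is neither WSS4J's code nor Brian's: a small Python model of UsernameToken password verification that computes the profile's digest, Base64(SHA-1(nonce + created + password)), and compares the wsse:Password content for both PasswordText and PasswordDigest tokens on the same code path, next to a verifier that reproduces the asymmetry described above (callback called for both types, comparison only for digest). The password store, the callback_password() helper and the token field names are constructed for the example; the only things taken from the thread are the FAILED_AUTHENTICATION outcome and the hashed/plaintext distinction.

```python
# Added example, not WSS4J code: models the UsernameToken password check for
# both password types. The password store and callback_password() are constructed.
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Suffixes of the wsse:Password Type values from the UsernameToken Profile 1.0.
PASSWORD_TEXT = "#PasswordText"
PASSWORD_DIGEST = "#PasswordDigest"


class FailedAuthentication(Exception):
    """Stand-in for WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION)."""


@dataclass(frozen=True)
class UsernameToken:
    username: str
    password: str                  # content of wsse:Password
    password_type: str             # Type attribute of wsse:Password
    nonce: Optional[str] = None    # base64 wsse:Nonce (digest tokens only)
    created: Optional[str] = None  # wsu:Created (digest tokens only)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)) per the profile;
    the nonce is fed in as its decoded bytes, not its base64 text."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


# Constructed store; callback_password() plays the role of the password
# CallbackHandler, which hands back the stored cleartext password for the user.
_PASSWORDS = {"alice": "correct horse battery staple"}


def callback_password(username: str) -> Optional[str]:
    return _PASSWORDS.get(username)


def verify_as_described(token: UsernameToken) -> str:
    """The asymmetry the post describes: the callback runs for both types,
    but only the digest branch compares its result with the token."""
    stored = callback_password(token.username)
    if stored is None:
        raise FailedAuthentication("unknown user")
    if token.password_type == PASSWORD_DIGEST:
        if password_digest(token.nonce, token.created, stored) != token.password:
            raise FailedAuthentication("digest mismatch")
    # PasswordText falls through: the token's password is never compared.
    return token.username


def verify(token: UsernameToken) -> str:
    """Uniform check: derive what wsse:Password must contain for the token's
    type, then compare on a single code path whatever the type."""
    stored = callback_password(token.username)
    if stored is None:
        raise FailedAuthentication("unknown user")
    if token.password_type == PASSWORD_DIGEST:
        if token.nonce is None or token.created is None:
            raise FailedAuthentication("digest token without nonce/created")
        expected = password_digest(token.nonce, token.created, stored)
    elif token.password_type == PASSWORD_TEXT:
        expected = stored
    else:
        raise FailedAuthentication("unsupported password type")
    if not hmac.compare_digest(expected.encode("utf-8"), token.password.encode("utf-8")):
        raise FailedAuthentication("password mismatch")
    return token.username


def text_token(username: str, password: str) -> UsernameToken:
    return UsernameToken(username, password, PASSWORD_TEXT)


def digest_token(username: str, password: str,
                 created: str = "2006-05-08T17:50:08Z") -> UsernameToken:
    """Client side of a PasswordDigest token: fresh nonce, digest over
    nonce + created + password."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    return UsernameToken(username, password_digest(nonce_b64, created, password),
                         PASSWORD_DIGEST, nonce_b64, created)


def accepted(check, token: UsernameToken) -> bool:
    """True if the given verifier accepts the token."""
    try:
        check(token)
    except FailedAuthentication:
        return False
    return True


if __name__ == "__main__":
    wrong = text_token("alice", "not the password")
    print("as described, wrong plaintext accepted:", accepted(verify_as_described, wrong))
    print("uniform check, wrong plaintext accepted:", accepted(verify, wrong))
```

Run as a script it shows the described verifier accepting a wrong PasswordText password while the uniform verifier rejects it; the digest path behaves the same under both. Checking that wsu:Created is recent and that a nonce has not been seen before is a separate replay-protection step and is not modelled here.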


Re: Plaintext Password

Posted by Brian Bonner <bk...@gmail.com>.
Werner, can you point me to a link to find this?  I can't find
anything that describes the reason behind the behavior.

I've searched here: 
http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ?highlight=%28wss4j%29

Thanks.

On 5/8/06, Werner Dittmann <We...@t-online.de> wrote:
> Please have a look at the WSS4J Wiki - there is an explanation of
> this behavior and the reason behind.
>
> Regards,
> Werner
>
> Brian Bonner wrote:
> > The callback handler for Passwords is called for both the Plaintext
> > and the Digest scenarios.
> >
> > However, it appears that only in the Digest scenario are the passwords
> > checked with one another.  This doesn't seem to be consistent.
> >
> > If the password returned for plaintext authentication doesn't match
> > the password being sent in on the request, shouldn't a
> >
> > WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
> >
> > also be thrown?
> >
> >
> > I believe this is happening because of the following:
> >
> > 1.  The UsernameToken has:
> >
> > protected boolean hashed = true;
> >
> > so the default is that the CallbackHandler is called regardless of
> > whether it's Plaintext or Digest.
> >
> > Second, this agrees with the specification of WSHandlerConstants, which
> > states that the default is PW_DIGEST.
> >
> > Yet according to this documentation (line 173 on page 9), PW_TEXT
> > should be the default.
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
> >
> >
> > I realize that for WSS4J the desire is to have people use Digest
> > authentication by default, but this can cause confusion with people
> > who are new to WSS4J and sending requests in using plaintext over SSL
> > connections.
> >
> > 2.  The UsernameTokenProcessor only hits the callback if the
> > usernameToken is hashed.
> >
> > Based on this it appears that the original intent was that the
> > CallbackHandler would only be for Digest passwords.
> >
> > This would also seem to indicate that the CallbackHandler is not the
> > place to call a login module to verify that the user is authenticated.
> >
> > To me, this is confusing.
> >
> >
> > This can probably be fixed by changing hashed = false, and changing
> > the WSHandlerConstant docs, which would make it more consistent with
> > the OASIS docs.  But it seems like there is an opportunity to hook
> > into a login module here for security purposes.
> >
> > Thanks,
> >
> > Brian
> >



Re: Plaintext Password

Posted by Werner Dittmann <We...@t-online.de>.
Please have a look at the WSS4J Wiki - there is an explanation of
this behavior and the reason behind.

Regards,
Werner

Brian Bonner wrote:
> The callback handler for Passwords is called for both the Plaintext
> and the Digest scenarios.
> 
> However, it appears that only in the Digest scenario are the passwords
> checked with one another.  This doesn't seem to be consistent.
> 
> If the password returned for plaintext authentication doesn't match
> the password being sent in on the request, shouldn't a
> 
> WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
> 
> also be thrown?
> 
> 
> I believe this is happening because of the following:
> 
> 1.  The UsernameToken has:
> 
> protected boolean hashed = true;
> 
> so the default is that the CallbackHandler is called regardless of
> whether it's Plaintext or Digest.
> 
> Second, this agrees with the specification of WSHandlerConstants, which
> states that the default is PW_DIGEST.
> 
> Yet according to this documentation (line 173 on page 9), PW_TEXT
> should be the default.
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
> 
> 
> I realize that for WSS4J the desire is to have people use Digest
> authentication by default, but this can cause confusion with people
> who are new to WSS4J and sending requests in using plaintext over SSL
> connections.
> 
> 2.  The UsernameTokenProcessor only hits the callback if the
> usernameToken is hashed.
> 
> Based on this it appears that the original intent was that the
> CallbackHandler would only be for Digest passwords.
> 
> This would also seem to indicate that the CallbackHandler is not the
> place to call a login module to verify that the user is authenticated.
> 
> To me, this is confusing.
> 
> 
> This can probably be fixed by changing hashed = false, and changing
> the WSHandlerConstant docs, which would make it more consistent with
> the OASIS docs.  But it seems like there is an opportunity to hook
> into a login module here for security purposes.
> 
> Thanks,
> 
> Brian
> 

