You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Nathan Clement (JIRA)" <ji...@apache.org> on 2013/03/05 06:59:13 UTC

[jira] [Updated] (RAMPART-400) PolicyBasedResultsValidator incorrectly rejects hashed passwords

     [ https://issues.apache.org/jira/browse/RAMPART-400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nathan Clement updated RAMPART-400:
-----------------------------------

    Description: 
As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() returns the hashed password value, and an this exception is thrown, even though the request is valid according to the policy.  The if statement on line 333 of PolicyBasedResultsValidator should be:

{code}
} else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
          !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
    throw new RampartException("invalidUsernameTokenType");
{code}

See attached for patch code.

  was:
As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() returns the hashed password value, and an this exception is thrown, even though the request is valid according to the policy.  The if statement on line 333 of PolicyBasedResultsValidator should be:

{code}
} else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
          !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
    throw new RampartException("invalidUsernameTokenType");
{code}

    
> PolicyBasedResultsValidator incorrectly rejects hashed passwords
> ----------------------------------------------------------------
>
>                 Key: RAMPART-400
>                 URL: https://issues.apache.org/jira/browse/RAMPART-400
>             Project: Rampart
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Nathan Clement
>         Attachments: hashed_password.patch
>
>
> As per the mailing list, when a PasswordDigest is used, wssUt.getPassword() returns the hashed password value, and an this exception is thrown, even though the request is valid according to the policy.  The if statement on line 333 of PolicyBasedResultsValidator should be:
> {code}
> } else if (!ut.isHashPassword() && (wssUt.getPassword() == null ||
>           !wssUt.getPasswordType().equals(WSConstants.PASSWORD_TEXT))) {
>     throw new RampartException("invalidUsernameTokenType");
> {code}
> See attached for patch code.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org