Posted to wss4j-dev@ws.apache.org by "Rick Duckworth (JIRA)" <ji...@apache.org> on 2008/06/27 16:50:45 UTC

[jira] Created: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

WSSecurityEngine does not validate UsernameToken in Soap header
---------------------------------------------------------------

                 Key: WSS-130
                 URL: https://issues.apache.org/jira/browse/WSS-130
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Handlers
    Affects Versions: 1.5.2
         Environment: Any
            Reporter: Rick Duckworth
            Assignee: Ruchith Udayanga Fernando


WSS4J does not validate the UsernameToken in the SOAP header of a request.  Consider the following SOAP message...

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsu:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-802441115">
        <wsse:Username>user</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
      </wsu:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <getAlertTemplates xmlns="http://service.com"></getAlertTemplates>
  </soapenv:Body>
</soapenv:Envelope>

Notice the incorrect namespace on the UsernameToken.  It should be wsse:UsernameToken rather than wsu:UsernameToken.  WSS4J will gladly hand this request to the web service without processing the UsernameToken, and thus without delegating to the CallbackHandler and performing authentication.  In addition, if the UsernameToken is completely missing, the same behavior is observed.

The problem occurs in WSSecurityEngine.processSecurityHeader().  It gets a reference to the security header node and iterates through each of its children.  If the child is an element then it attempts to retrieve a processor for it via WSSConfig.getProcessor().  The problem here is that if the UsernameToken does not follow the OASIS standard then a processor will not be returned and consequently the CallbackHandler that is configured to handle authentication is never called.  Similarly it is not called if the UsernameToken is completely missing.  It seems that there should be some mechanism to validate the UsernameToken before processing is attempted.  If validation fails then the request must fail in a similar fashion as if the entire Security header is missing.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608845#action_12608845 ] 

George Stanchev commented on WSS-130:
-------------------------------------

IMO the issue/case is letting through requests with an absent wsse:UsernameToken, not an invalid one. When the element namespace doesn't match (as in Rick's case), that element automatically should become transparent/unknown to wss4j and be ignored.



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609641#action_12609641 ] 

Rick Duckworth commented on WSS-130:
------------------------------------

As it turns out this issue seems to be satisfactorily fixed in WSS4J 1.5.4.  Thanks for all your help gentlemen!

Cheers,

Rick



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608833#action_12608833 ] 

Colm O hEigeartaigh commented on WSS-130:
-----------------------------------------


Can you try this with a more up-to-date version of WSS4J (namely 1.5.4)?

If the bug still exists, can you create a test-case and attach it to the JIRA?



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609360#action_12609360 ] 

Rick Duckworth commented on WSS-130:
------------------------------------

Thanks for everyone's input.  I am currently installing WSS4J 1.5.4 into my application to observe its behavior.  I will give an update later.

With regard to George's comment, I would tend to disagree.  IMO, since I have specified in the configuration file that I would like WSDoAllReceiver to use action UsernameToken, I would expect the framework to at least ensure that the UsernameToken element is present in the SOAP Security header and that it is valid.  I don't see any of this going on in WSS4J 1.5.2.

I will have to explore Fred's suggestion.  However my first thought is how can WSS4J check the results if it isn't even doing the authentication when the UsernameToken is missing or invalid in the SOAP Security header?

Again, I am now installing WSS4J 1.5.4 and will test all of your suggestions before commenting further.  Thanks for your input!



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609558#action_12609558 ] 

Rick Duckworth commented on WSS-130:
------------------------------------

Werner,

Absolutely, I am in the process of debugging this behavior.  I am afraid, however, that my comment from yesterday was a bit premature, as it turned out I had a classpath issue that was loading the previous WSS4J version (1.5.2).  I have yet to completely verify that the issue still exists in 1.5.4, although the preliminary indication is that it still exists.  I should have my testing finished in a couple of hours and will report an update.  If the problem still exists then I will outline my debugging discoveries.  Thanks for your help on this issue.  Please stay tuned...

Cheers,

Rick



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608795#action_12608795 ] 

Rick Duckworth commented on WSS-130:
------------------------------------

I forgot to mention that my server-config.wsdd does specify that I am using the UsernameToken action.  Here is a snippet...

<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass" value="com.service.security.AuthcCallbackHandler"/>
    <parameter name="action" value="UsernameToken"/>
  </handler>
</requestFlow>



[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Werner Dittmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609479#action_12609479 ] 

Werner Dittmann commented on WSS-130:
-------------------------------------

Just to make it more precise:
- The WSSecurityEngine checks the fully qualified names and performs actions only if the fully
  qualified name matches a name defined in the OASIS WSS specifications. Thus the WSSecurityEngine
  never calls a password callback if it cannot find a match.
- The WSS4J handlers are the part that controls the message flow, calls the WSS4J security library and checks
  whether the results match the expected results. Thus the problem described by Rick is most probably in the WS handler
  parts (checkReceiverResults(...), for example).

Rick, can you try to put in some debug statements in WSDoAllReceiver(...) and WSHandler(....) at or around
the places where checkReceiverResults(...) is called or implemented? That would help us to fix the problem.

Thanks,
Werner

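The two mechanisms discussed in this thread (the engine's fully-qualified-name dispatch described in the issue and in Werner's comment, and the handler-side comparison of required actions against produced results that checkReceiverResults(...) is responsible for) can be modelled together in a short script. The following is an added example, not WSS4J code: process_security_header, check_receiver_results, receive, the PROCESSORS registry and the three constructed envelopes are this example's own names and inputs. It shows why an element in the wrong namespace silently produces no result, and why the handler-level check, not the engine, is the place where a missing result must turn into a rejected request.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"


def process_username_token(elem):
    """Model of a UsernameToken processor (hypothetical, not WSS4J's class)."""
    username = elem.findtext(f"{{{WSSE}}}Username")
    password = elem.findtext(f"{{{WSSE}}}Password")
    if username is None or password is None:
        raise ValueError("UsernameToken lacks Username or Password")
    # A real processor would hand username/password to the CallbackHandler here.
    return {"action": "UsernameToken", "username": username}


# Registry keyed by fully qualified name, playing the role of WSSConfig.getProcessor():
# only the exact OASIS namespace + local name resolves to a processor.
PROCESSORS = {f"{{{WSSE}}}UsernameToken": process_username_token}


def process_security_header(envelope_xml):
    """Walk the children of wsse:Security and run a processor for each known QName.

    Unknown QNames (e.g. wsu:UsernameToken) are skipped without error, which is
    the behaviour the issue reports: no processor, no callback, no result.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        raise ValueError("no wsse:Security header present")
    results = []
    for child in security:  # element children only; ElementTree drops text nodes
        processor = PROCESSORS.get(child.tag)  # child.tag is "{namespace}localname"
        if processor is None:
            continue
        results.append(processor(child))
    return results


def check_receiver_results(required_actions, results):
    """Handler-side check (the role of checkReceiverResults): every configured
    action must have produced a result, otherwise the request is rejected."""
    performed = {r["action"] for r in results}
    return all(action in performed for action in required_actions)


def receive(envelope_xml, required_actions=("UsernameToken",)):
    """True if the request may reach the service, False if it must be rejected."""
    try:
        results = process_security_header(envelope_xml)
    except (ValueError, ET.ParseError):
        return False
    return check_receiver_results(required_actions, results)


# --- constructed sample envelopes (not captured traffic) --------------------
def envelope(security_children):
    return f'''<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">
      {security_children}
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getAlertTemplates xmlns="http://service.com"/></soapenv:Body>
</soapenv:Envelope>'''


TOKEN_BODY = ('<wsse:Username>user</wsse:Username>'
              f'<wsse:Password Type="{PASSWORD_TEXT}">test</wsse:Password>')
# Token in the wrong namespace, as in the issue's message.
WRONG_NAMESPACE = envelope(f'<wsu:UsernameToken wsu:Id="UsernameToken-1">{TOKEN_BODY}</wsu:UsernameToken>')
# Token in the correct wsse namespace.
CORRECT = envelope(f'<wsse:UsernameToken wsu:Id="UsernameToken-1">{TOKEN_BODY}</wsse:UsernameToken>')
# Security header present but no token at all.
MISSING = envelope('')

if __name__ == "__main__":
    for name, msg in (("wrong namespace", WRONG_NAMESPACE), ("correct", CORRECT), ("missing", MISSING)):
        print(f"{name:16s} results={process_security_header(msg)} accepted={receive(msg)}")
```

The engine step alone returns an empty result list for both the mis-namespaced and the missing token, and that is not an error from its point of view; only check_receiver_results, fed the actions the deployment configured (here the single UsernameToken action from the wsdd snippet), turns the empty list into a rejection.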


[jira] Commented: (WSS-130) WSSecurityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609366#action_12609366 ] 

Rick Duckworth commented on WSS-130:
------------------------------------

OK... I just installed WSS4J 1.5.4 and tested it with no success.  The exact same behavior is observed.  To reiterate, WSS4J does not validate the UsernameToken in the SOAP Security header.  I have configured WSDoAllReceiver with action=UsernameToken.  However, if a SOAP request is received that contains the security header but a missing or invalid UsernameToken, then WSS4J will gladly forward the request to the web service without authenticating with my CallbackHandler.



[jira] Commented: (WSS-130) WSSecutityEngine does not validate UsernameToken in Soap header

Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609068#action_12609068 ] 

Fred Dushin commented on WSS-130:
---------------------------------

Note that the logic for checking results is not in the WSSecurityEngine processSecurityHeaders operation, but rather in the WSHandler checkReceiverResults operation.

The WSSecurityEngine is not designed to raise exceptions on missing cryptographic actions.

Note also that a fix was made in the results checking logic for 1.5.4, so you should check against the latest version of WSS4J, as Colm suggests.


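Added example, not WSS4J code and not part of this thread: a minimal receiver-side check in Python that models the two stages discussed above, the per-element processor lookup in processSecurityHeader() (which is why a wsu:UsernameToken is silently skipped) and the configured-actions-versus-results comparison that a checkReceiverResults-style step must perform. PROCESSORS, accept() and check_receiver_results() are this example's own names, not WSS4J identifiers, and the envelopes are constructed to mirror the one in the issue.

```python
# Added example (not WSS4J code). Stage 1 mirrors processSecurityHeader():
# processors are keyed by exact QName, so the wrong namespace yields nothing.
# Stage 2 rejects the request when a configured action produced no result.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Only exact QNames have a processor, as with WSSConfig.getProcessor().
PROCESSORS = {f"{{{WSSE_NS}}}UsernameToken": "UsernameToken"}

def process_security_header(envelope_xml):
    """Return the actions found in the wsse:Security header.
    Unknown children yield no action; no header at all raises ValueError."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if sec is None:
        raise ValueError("no wsse:Security header")
    results = []
    for child in sec:
        action = PROCESSORS.get(child.tag)  # None for wsu:UsernameToken
        if action is not None:
            results.append(action)
    return results

def check_receiver_results(results, required_actions):
    """Accept only if every configured action produced a result."""
    return all(action in results for action in required_actions)

def accept(envelope_xml, required_actions=("UsernameToken",)):
    """Receiver decision: missing header or missing action -> reject."""
    try:
        results = process_security_header(envelope_xml)
    except ValueError:
        return False
    return check_receiver_results(results, required_actions)

def _envelope(token_xml):
    # Constructed envelope mirroring the one in the issue; token_xml is the
    # UsernameToken element, or "" for the missing-token case.
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
            f'{token_xml}</wsse:Security></soapenv:Header>'
            '<soapenv:Body/></soapenv:Envelope>')

GOOD = _envelope('<wsse:UsernameToken><wsse:Username>user</wsse:Username></wsse:UsernameToken>')
WRONG_NS = _envelope('<wsu:UsernameToken><wsse:Username>user</wsse:Username></wsu:UsernameToken>')
MISSING = _envelope('')
```

Running accept() over the three constructed envelopes shows the point of the thread: only the correctly namespaced token passes, and both the wrong-namespace and the missing-token cases are rejected instead of being handed to the service.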


[jira] Closed: (WSS-130) WSSecutityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Duckworth closed WSS-130.
------------------------------


Closing this issue as it is resolved in WSS4J 1.5.4

> WSSecutityEngine does not validate UsernameToken in Soap header
> ---------------------------------------------------------------
>
>                 Key: WSS-130
>                 URL: https://issues.apache.org/jira/browse/WSS-130
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.2
>         Environment: Any
>            Reporter: Rick Duckworth
>            Assignee: Ruchith Udayanga Fernando
>             Fix For: 1.5.4
>
>



[jira] Resolved: (WSS-130) WSSecutityEngine does not validate UsernameToken in Soap header

Posted by "Rick Duckworth (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Duckworth resolved WSS-130.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 1.5.4

This issue has been resolved in WSS4J 1.5.4

> WSSecutityEngine does not validate UsernameToken in Soap header
> ---------------------------------------------------------------
>
>                 Key: WSS-130
>                 URL: https://issues.apache.org/jira/browse/WSS-130
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>    Affects Versions: 1.5.2
>         Environment: Any
>            Reporter: Rick Duckworth
>            Assignee: Ruchith Udayanga Fernando
>             Fix For: 1.5.4
>
>
