Posted to dev@ws.apache.org by "Marek Cyzio (JIRA)" <ji...@apache.org> on 2010/11/16 21:46:14 UTC

[jira] Created: (WSS-252) org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks

org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks
--------------------------------------------------------------------------------------------------

                 Key: WSS-252
                 URL: https://issues.apache.org/jira/browse/WSS-252
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Handlers
    Affects Versions: 1.5.9
         Environment: Any
            Reporter: Marek Cyzio
            Assignee: Colm O hEigeartaigh
            Priority: Critical


The UsernameTokenProcessor should be thread safe, but it caches the UsernameToken (ut) and its ID (utId). This may allow a hacker to access the system with an incorrect password if two threads happen to go through the code in parallel.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[jira] Commented: (WSS-252) org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12932899#action_12932899 ] 

Colm O hEigeartaigh commented on WSS-252:
-----------------------------------------


Hi Marek,

Could you be more specific about why you think the code is not thread safe? When would two threads be going through the UsernameTokenProcessor in parallel?

The processors need to store information about the token they have processed, as it may be needed by another processor. For example, the SignatureProcessor might need the UsernameToken processed by the UsernameTokenProcessor in order to derive a key to verify a Signature.

Note that the processors are loaded per request, it is not the case that a UsernameTokenProcessor instance processes multiple inbound requests. There is a JIRA to change this for the next major release (https://issues.apache.org/jira/browse/WSS-232), but this will require some thought to ensure that no state persists between requests.

Colm.



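As an added illustration (not code from WSS4J or from either participant), the hypothetical CachingTokenProcessor below mirrors the pattern the report objects to, a processor that keeps the last parsed token in instance fields; the interleaving is written out explicitly so the outcome is repeatable instead of depending on the scheduler. It shows why the reply's point about scope settles the question: an instance shared across requests lets one request's state overwrite another's, while a fresh instance per request (what the reply describes) cannot leak state between them.

```java
import java.util.function.Supplier;

/** Hypothetical stand-in for a processor that caches the last token it parsed
 *  in instance fields (the pattern the report objects to); not WSS4J's code. */
final class CachingTokenProcessor {
    private String utId;   // id of the last UsernameToken parsed
    private String ut;     // the token itself (reduced to the username here)

    /** First stage: parse the token and cache it for later stages. */
    void process(String id, String username) {
        utId = id;
        ut = username;
    }

    /** Later stage (think of a signature check) fetches the token by id. */
    String tokenFor(String id) {
        return id.equals(utId) ? ut : null;
    }
}

public final class ProcessorScopeDemo {
    /** Runs two requests, A and B, through the interleaving the report worries
     *  about: A parses, B parses, then A's later stage asks for A's token.
     *  The supplier decides whether A and B get the same processor instance. */
    static String tokenSeenByRequestA(Supplier<CachingTokenProcessor> scope) {
        CachingTokenProcessor forA = scope.get();
        CachingTokenProcessor forB = scope.get();
        forA.process("utA", "alice");
        forB.process("utB", "bob");   // with a shared instance this overwrites A's state
        return forA.tokenFor("utA");  // constructed ids/usernames, not real data
    }

    public static void main(String[] args) {
        // One instance shared by both requests: A's cached state is clobbered
        // by B, and A's later stage no longer finds its own token.
        CachingTokenProcessor shared = new CachingTokenProcessor();
        System.out.println("shared instance : " + tokenSeenByRequestA(() -> shared));

        // One instance per request, as the reply describes WSS4J loading its
        // processors: no state is visible across requests, so the cached
        // fields need no synchronisation.
        System.out.println("per-request     : "
                + tokenSeenByRequestA(CachingTokenProcessor::new));
    }
}
```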

[jira] [Closed] (WSS-252) org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks

Posted by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-252.
-----------------------------------




[jira] Resolved: (WSS-252) org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-252.
-------------------------------------

    Resolution: Won't Fix

