Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 168e1884d -> 2bab1a639
[CXF-6222] - Password can end up in log file
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2bab1a63
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2bab1a63
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2bab1a63
Branch: refs/heads/3.0.x-fixes
Commit: 2bab1a639859be0a5b9c3a6b5a590f277404762b
Parents: 168e188
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Tue Jan 27 14:56:42 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Tue Jan 27 14:59:00 2015 +0000
----------------------------------------------------------------------
 .../trust/AuthPolicyValidatingInterceptor.java | 4 +--
 .../cxf/ws/security/trust/Messages.properties | 2 +-
 .../AuthPolicyValidatingInterceptorTest.java | 36 ++++++++++++++++++++
 3 files changed, 38 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
index 4bdccc1..5ea8ec8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
@@ -67,15 +67,13 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me
 AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
 if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
 String name = null;
- String password = null;
 if (policy != null) {
 name = policy.getUserName();
- password = policy.getPassword();
 }
 org.apache.cxf.common.i18n.Message errorMsg = new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", BUNDLE,
- name, password);
+ name);
 LOG.warning(errorMsg.toString());
 throw new SecurityException(errorMsg.toString());
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
index 570dacd..3bf9456 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
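Review bot: The new side still interpolates `name` — a caller-supplied value read from the AuthorizationPolicy — verbatim into both the LOG.warning text and the SecurityException message, so a user name containing CR/LF or other control characters can split or forge log entries, and whatever handles the exception will echo the raw value too (handleMessage starts before this hunk, so I cannot see whether it is wrapped into a Fault that reaches the client). Consider stripping control characters from the name before building errorMsg, or logging it only at FINE. A one-line comment would also stop the password from creeping back in on a later edit: `// CXF-6222: only the user name goes into this message - never the password, since it is logged and may be surfaced to the caller`.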
@@ -24,7 +24,7 @@ NO_ENTROPY=Could not find Entropy in RequestSecurityTokenResponse
 DERIVED_KEY_ERROR=Exception while trying to create secret key from RequestSecurityTokenResponse
 ENCRYPTED_KEY_ERROR=Exception while trying to decrypt key from RequestSecurityTokenResponse
 VALIDATION_FAILED=Validation of security token failed: {0}
-NO_USER_PASSWORD=No user name and/or password is available, name: {0}, password: {1}
+NO_USER_PASSWORD=No user name and/or password is available, name: {0}
 ADDRESS_NOT_MATCHED=Cannot match the address {0} to the WSDL received via WS-MEX
 WS_MEX_ERROR=Exception when trying to retrieve/process a WSDL via WS-MEX
 NO_LOCATION=The STSClient is not configured with either a location or wsdlLocation property
http://git-wip-us.apache.org/repos/asf/cxf/blob/2bab1a63/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
index 50d4d71..1fd4a16 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
@@ -47,6 +47,42 @@ public class AuthPolicyValidatingInterceptorTest extends Assert {
 assertTrue(validator.isValidated());
 }
+ @Test
+ public void testInvalidUsernamePassword() throws Exception {
+ AuthPolicyValidatingInterceptor in = new AuthPolicyValidatingInterceptor();
+ TestSTSTokenValidator validator = new TestSTSTokenValidator();
+ in.setValidator(validator);
+
+ AuthorizationPolicy policy = new AuthorizationPolicy();
+ policy.setUserName("bob");
+ policy.setPassword("pswd2");
+ Message message = new MessageImpl();
+ message.put(AuthorizationPolicy.class, policy);
+
+ in.handleMessage(message);
+
+ assertFalse(validator.isValidated());
+ }
+
+ @Test
+ public void testNoUsername() throws Exception {
+ AuthPolicyValidatingInterceptor in = new AuthPolicyValidatingInterceptor();
+ TestSTSTokenValidator validator = new TestSTSTokenValidator();
+ in.setValidator(validator);
+
+ AuthorizationPolicy policy = new AuthorizationPolicy();
+ policy.setPassword("pswd");
+ Message message = new MessageImpl();
+ message.put(AuthorizationPolicy.class, policy);
+
+ try {
+ in.handleMessage(message);
+ fail("Failure expected with no username");
+ } catch (SecurityException ex) {
+ // expected
+ }
+ }
+
 private static class TestSTSTokenValidator extends STSTokenValidator {
 private boolean validated;
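Review bot: Neither new test pins the property CXF-6222 is about — that the thrown message no longer carries the password — so the leak could come back without failing the build; in the catch block of testNoUsername add `assertFalse(ex.getMessage().contains("pswd"));` alongside the `// expected` comment. testInvalidUsernamePassword only observes the mock's flag: if TestSTSTokenValidator (its body continues past the hunk) leaves `validated` false on a mismatch rather than throwing, the interceptor's own rejection path is never exercised and the message may still be treated as authenticated. Having the mock throw a WSSecurityException on a bad password and asserting that handleMessage raises a Fault would cover that path.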