[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569381#action_12569381 ]

fdushin edited comment on CXF-1433 at 2/15/08 11:35 AM:
------------------------------------------------------------

This patch adds a check to the WSS4JInInterceptor, to ensure that (at least) 
the number of performed actions corresponds to the number of required actions.  
This is a workaround for https://issues.apache.org/jira/browse/WSS-70

      was (Author: fdushin):
    This patch adds a check to the WSS4JInInterceptor, to ensure that (at 
least) the number of performed actions corresponds to the number of required 
actions.  This is a workaround for https://issues.apache.org/jira/browse/WSS-70
  
> WS-Security vulnerability
> -------------------------
>
>                 Key: CXF-1433
>                 URL: https://issues.apache.org/jira/browse/CXF-1433
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.0.3
>         Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and 
> Flex WS-client
>            Reporter: Loïc FRERING
>            Priority: Critical
>         Attachments: cxf-1433-fdushin-2008.02.15.patch
>
>
> It is possible to bypass the security checks configured with WS-Security.
> Server configured with a Username Token WS-Security authentication with
> Spring:
> <jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl"
>                 address="/HelloWorld">
>     <jaxws:inInterceptors>
>         <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
>         <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>             <constructor-arg>
>                 <map>
>                     <entry key="action" value="UsernameToken"/>
>                     <entry key="passwordType" value="PasswordDigest"/>
>                     <entry key="passwordCallbackClass"
>                            value="service.security.ServerPasswordHandler"/>
>                 </map>
>             </constructor-arg>
>         </bean>
>         <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>         <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>     </jaxws:inInterceptors>
> </jaxws:endpoint>
> When a SOAP message is created and sent with the following header, the server
> does not process the authentication and returns the response:
> <SOAP-ENV:Envelope>
>     <SOAP-ENV:Header>
>         <ns0:Security>
>             <ns0:wsse>Security</ns0:wsse>
>         </ns0:Security>
>     </SOAP-ENV:Header>
>     <SOAP-ENV:Body>
>         <ns0:sayHi>
>             <name>Loïc</name>
>         </ns0:sayHi>
>     </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> So it is possible to bypass all the security checks configured and to use it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
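
The check that the comment above describes, written out as an added illustration in plain Java; it is not the attached cxf-1433 patch and uses no WSS4J types, and the class names, the action-name strings and the SecurityCheckException type are assumptions made for the example:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Illustrative check (not the attached patch): after the security engine has
// processed the Security header, compare what it actually did against what
// the "action" configuration required.  A header that carries no real token
// yields zero performed actions and must be rejected, not accepted.
public class RequiredActionCheck {

    public static class SecurityCheckException extends RuntimeException {
        public SecurityCheckException(String msg) { super(msg); }
    }

    // Splits the configured "action" value, e.g. "UsernameToken Timestamp".
    public static List<String> parseRequiredActions(String actionConfig) {
        List<String> required = new ArrayList<String>();
        if (actionConfig == null) { return required; }
        for (String a : actionConfig.trim().split("\\s+")) {
            if (a.length() > 0) { required.add(a); }
        }
        return required;
    }

    // performed: the action names the engine actually executed, one entry per
    // processed token.  Throws when fewer actions were performed than required.
    public static void checkActions(List<String> required, List<String> performed) {
        if (performed.size() < required.size()) {
            throw new SecurityCheckException("Expected " + required.size()
                + " security action(s) but " + performed.size() + " were performed");
        }
        // A count check alone would let an unrelated token stand in for a
        // required one, so also verify each required action was performed.
        List<String> remaining = new ArrayList<String>(performed);
        for (String r : required) {
            if (!remaining.remove(r)) {
                throw new SecurityCheckException("Required action " + r + " was not performed");
            }
        }
    }

    public static void main(String[] args) {
        List<String> required = parseRequiredActions("UsernameToken");
        checkActions(required, Arrays.asList("UsernameToken"));   // accepted
        try {
            checkActions(required, new ArrayList<String>());        // empty header: nothing processed
        } catch (SecurityCheckException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```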