dxbjavid opened a new pull request, #3182: URL: https://github.com/apache/cxf/pull/3182
Reading through STSStaxTokenValidator I noticed the local UsernameToken path checks the client-supplied password and password digest with String.equals, which bails out at the first mismatching character. That timing difference looks like enough to recover the expected digest (for a chosen nonce/created) or the plaintext password byte by byte and then authenticate. Routed both comparisons through MessageDigest.isEqual over UTF-8 bytes, which is the constant-time idiom already used elsewhere in CXF (OAuthUtils.compareTokens, HmacJwsSignatureVerifier). Also made it null-safe so a missing password value just fails authentication instead of throwing.
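The pattern the pull request describes, shown as an added illustration rather than code from apache/cxf: the early-exit String.equals check beside a null-safe comparison routed through MessageDigest.isEqual over UTF-8 bytes, applied to both a plaintext password and a UsernameToken password digest. Class and method names, the sample values, and the digest helper (my reading of the WS-Security UsernameToken profile: Base64(SHA-1(nonce + created + password))) are assumptions for the example, not the validator's own code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Added example, not code from the apache/cxf pull request. Contrasts the
 * early-exit String.equals check with a null-safe comparison built on
 * MessageDigest.isEqual, the idiom the PR description refers to.
 * All names below are assumptions made for the illustration.
 */
public class ConstantTimeCompareExample {

    /** Before: String.equals returns at the first differing character and throws if 'expected' is null. */
    static boolean naiveMatches(String expected, String supplied) {
        return expected.equals(supplied);
    }

    /**
     * After: a missing value on either side is an authentication failure, not an exception,
     * and the byte arrays are compared with MessageDigest.isEqual, which does not stop at
     * the first mismatching byte.
     */
    static boolean constantTimeMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Assumed digest formula from the WS-Security UsernameToken profile:
     * Base64(SHA-1(nonce-bytes + created + password)). The server recomputes this from the
     * stored password and the client-supplied nonce/created, then compares it to the
     * client's PasswordDigest value.
     */
    static String passwordDigest(byte[] nonce, String created, String password)
            throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values for the demonstration.
        String storedPassword = "correct horse battery staple";
        byte[] nonce = "example-nonce-bytes".getBytes(StandardCharsets.UTF_8);
        String created = "2024-01-01T00:00:00Z";

        // PasswordText path: plaintext password supplied by the client.
        String[] textAttempts = {
            "correct horse battery staple",   // match
            "correct horse battery stapl",    // one byte short
            "xorrect horse battery staple",   // first byte wrong
            null                              // missing value: fails instead of throwing
        };
        for (String attempt : textAttempts) {
            System.out.printf("text   supplied=%-30s match=%b%n",
                    attempt, constantTimeMatches(storedPassword, attempt));
        }

        // PasswordDigest path: server-side recomputation compared against the client's digest.
        String expectedDigest = passwordDigest(nonce, created, storedPassword);
        String goodDigest = passwordDigest(nonce, created, "correct horse battery staple");
        String badDigest = passwordDigest(nonce, created, "wrong password");
        System.out.printf("digest good match=%b%n", constantTimeMatches(expectedDigest, goodDigest));
        System.out.printf("digest bad  match=%b%n", constantTimeMatches(expectedDigest, badDigest));
        System.out.printf("digest null match=%b%n", constantTimeMatches(expectedDigest, null));
    }
}
```

The null check sits in front of the byte conversion so that the validator never has to special-case a token without a password element; every mismatch, including an absent value, falls through to the same false result the caller already handles as an authentication failure.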
