My patch is in fact not consistent with WSFX-34, but then what is the
recommended design for checking the usernames in the case of digested
passwords? I can see how PWCallback can be configured to return a
password given a WSPasswordCallback identifier (username), but I am not
sure where/how to handle invalid usernames. If I simply do not set the
password in PWCallback for bad usernames, for example:

    if (callbacks[i] instanceof WSPasswordCallback) {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
        // Only a known username gets its password set; an unknown one
        // leaves the password null and the engine rejects the token.
        if ("wss4j".equals(pc.getIdentifier())) {
            pc.setPassword("security");
        }
    } else {
        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
    }

then I get the service to reject unauthorized users, but the problem is
that the error message on bad usernames would be different from the one
on bad passwords. It would return

    org.apache.ws.security.WSSecurityException: General security error
    (WSSecurityEngine: Callback supplied no password for: wronguser)

and I think that it should just return an "unauthorized" error message
(or whatever, as long as it is the same error message) no matter whether
the username or the password is wrong, to prevent attackers from
discovering valid usernames.

I understand that I can also get WSSecurityEngineResult in my
application and check the WSUsernameTokenPrincipal, but this way I would
have the checks in two different places (in PWCallback and in the
application) and still have the different error messages problem.

Is there another, better way to do what I am trying?

Thanks,

Rami Jaamour
Software Engineer
Web Services Solutions
Parasoft Corporation
"We Make Software Work"


Dittmann Werner wrote:

> Rami,
>
> I checked your proposed patch. However, I'm not sure if this patch
> would be in contradiction with the patch we did for the JIRA issue
> WSFX-34 (Username token handling). There was also some discussion here
> on the mailing list about the handling of plaintext passwords. The
> discussion took place from August 30th to September 2nd; the subject
> of the thread was: "UsernameToken functionality in WSS4J". Can you
> please check if your patch is in line with the findings of that
> discussion?
>
> Thanks.
>
> Regards,
> Werner
>
> -----Original Message-----
> From: Rami Jaamour (JIRA) [mailto:[email protected]]
> Sent: Monday, 20 December 2004 19:19
> To: [email protected]
> Subject: [jira] Updated: (WSFX-41) WSS4J accepts any username/password if in text mode
>
> [ http://nagoya.apache.org/jira/browse/WSFX-41?page=history ]
>
> Rami Jaamour updated WSFX-41:
> -----------------------------
>
>     Attachment: WSSecurityEngine.java diff.txt
>
> I attached a possible fix for your review before I commit it please,
> because this seems like a major issue that requires more than one
> person's attention. I am also having it return a failed authentication
> if PWCallBack returned a null password for the given username to
> increase security so WSS4J does not reveal the fact that a username
> does not exist.
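The check discussed in this thread, written out as an added example that is not part of the original mailing-list post and not WSS4J code: a server-side verifier for a UsernameToken carrying a PasswordDigest, where the user store stands in for whatever PWCallback would consult, and where an unknown username and a wrong password both end in the same failure message (and the same amount of digest work) so that the response does not reveal which usernames exist. The user store, the decoy password and the token values are constructed for illustration; the digest formula is the one from the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)), with the nonce taken as its raw bytes.

```python
"""Added example (not WSS4J code): verify a WS-Security UsernameToken that
carries a PasswordDigest against a local user store, and fail with one
uniform message whether the username is unknown or the password is wrong.
The user store and token values below are constructed for illustration."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Hypothetical user store, standing in for whatever PWCallback would consult.
USER_STORE = {"wss4j": "security"}

# One message for every failure cause, so a caller cannot tell
# "no such user" from "wrong password".
GENERIC_FAILURE = "Authentication failed"


class AuthenticationFailed(Exception):
    """Raised for any failed UsernameToken check."""


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)).

    The nonce is the raw (base64-decoded) bytes; created and password are UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_digest_token(username: str, password: str, nonce: bytes = None, created: str = None) -> dict:
    """Client side: the fields of a UsernameToken with Type=PasswordDigest."""
    nonce_b64 = base64.b64encode(nonce if nonce is not None else os.urandom(16)).decode("ascii")
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "Password": password_digest(nonce_b64, created, password),
    }


def lookup_password(username: str):
    """The callback's job: return the stored password, or None if the user is unknown."""
    return USER_STORE.get(username)


def verify_digest_token(token: dict) -> str:
    """Server side: returns the authenticated username or raises AuthenticationFailed."""
    stored = lookup_password(token["Username"])
    # For an unknown user, still compute a digest over a decoy password so the
    # code path (and roughly the timing) matches the wrong-password case.
    expected = password_digest(
        token["Nonce"], token["Created"], stored if stored is not None else "decoy-password"
    )
    matched = hmac.compare_digest(expected, token["Password"])
    if stored is None or not matched:
        raise AuthenticationFailed(GENERIC_FAILURE)
    return token["Username"]


def failure_message(token: dict):
    """Convenience wrapper: the failure message for a token, or None if it verifies."""
    try:
        verify_digest_token(token)
    except AuthenticationFailed as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = build_digest_token("wss4j", "security")
    print(verify_digest_token(good))                                     # wss4j
    print(failure_message(build_digest_token("wss4j", "wrongpass")))     # Authentication failed
    print(failure_message(build_digest_token("wronguser", "security")))  # Authentication failed
```

The point of the decoy digest in verify_digest_token is that the "unknown user" branch does not return early: the lookup result and the digest comparison are combined into a single decision, so both the message and the work done are the same for a bad username and a bad password. The equivalent in a WSS4J deployment would be for the engine to treat "callback supplied no password" exactly like a digest mismatch, which is what the attached patch in the thread sets out to do.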
