[ http://issues.apache.org/jira/browse/WSFX-41?page=all ]
Werner Dittmann resolved WSFX-41:
---------------------------------
Resolution: Fixed
Added an enhancement to the callback mechanism to cover
this problem. Please refer to the WSCallBack javadoc, also
to the callback class used in the interop tests.
> WSS4J accepts any username/password if in text mode
> ---------------------------------------------------
>
> Key: WSFX-41
> URL: http://issues.apache.org/jira/browse/WSFX-41
> Project: WSFX
> Type: Bug
> Components: WSS4J
> Environment: Linux
> Reporter: Rami Jaamour
> Priority: Critical
> Attachments: WSSecurityEngine.java, diff.txt
>
> It appears to me that WSS4J is now letting requests with the wrong
> username/password pass through if the password was text (not digested)! Take
> a look at WSSecurityEngine.handleUsernameToken():
> All the username and password stuff is wrapped in
> if (ut.isHashed()) {
> ...
> }
> but there is no case for when it is not hashed.
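The control-flow problem described in the report, next to a version that validates both password types, as an added example that is not WSS4J's code or its actual fix (the project's fix went through its callback mechanism; this sketch compares against a local store instead). The `Token` record, the `USERS` map and the method names are hypothetical, the credentials are constructed, and the digest formula is the one from the WS-Security UsernameToken profile.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class UsernameTokenCheck {
    // Hypothetical stand-in for a parsed wsse:UsernameToken (not a WSS4J class).
    record Token(String user, String password, boolean hashed, byte[] nonce, String created) {}
    // Constructed sample credential store.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Password_Digest = Base64(SHA-1(nonce + created + password)).
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    static boolean same(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    // Shape of the reported bug: only the hashed branch validates anything.
    static boolean acceptsBuggy(Token t) throws Exception {
        if (t.hashed()) {
            String known = USERS.get(t.user());
            if (known == null || !same(digest(t.nonce(), t.created(), known), t.password())) return false;
        }
        return true; // a text-mode token falls through unchecked
    }

    // Both branches validate; unknown users and incomplete tokens are rejected.
    static boolean acceptsFixed(Token t) throws Exception {
        if (t.user() == null || t.password() == null) return false;
        if (t.hashed() && (t.nonce() == null || t.created() == null)) return false;
        String known = USERS.get(t.user());
        if (known == null) return false;
        String expected = t.hashed() ? digest(t.nonce(), t.created(), known) : known;
        return same(expected, t.password());
    }

    public static void main(String[] args) throws Exception {
        Token wrongText = new Token("alice", "wrong", false, null, null);
        Token rightText = new Token("alice", "s3cret", false, null, null);
        System.out.println("buggy, wrong text password: " + acceptsBuggy(wrongText));
        System.out.println("fixed, wrong text password: " + acceptsFixed(wrongText));
        System.out.println("fixed, right text password: " + acceptsFixed(rightText));
    }
}
```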