[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2018-02-09 Thread Maciej Miklas (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16358270#comment-16358270
 ] 

Maciej Miklas commented on CXF-3484:


Thank you - custom validator works great :)

> Password set to null in UsernameTokenValidator
> ----------------------------------------------
>
>                 Key: CXF-3484
>                 URL: https://issues.apache.org/jira/browse/CXF-3484
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>         Environment: Linux, jetty 6.10
>            Reporter: Nicolas Poirot
>            Priority: Minor
>              Labels: UserNameToken, security
>             Fix For: Invalid
>
> When trying to do basic authentication in Soap header with UserNameToken, 
> token is well read from XML, but badly passed to password callback.
> Line 165 of org.apache.ws.security.validate.UsernameTokenValidator :
>     WSPasswordCallback pwCb = 
>         new WSPasswordCallback(user, null, pwType, 
>             WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2018-02-09 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16358236#comment-16358236
 ] 

Colm O hEigeartaigh commented on CXF-3484:
--

Yes you need to store the clean text password somewhere on the receiving side 
to compare against the received password. Alternatively, you can plug in a 
custom Validator to do some custom validation. There is a 
JAASUsernameTokenValidator available in WSS4J that validates the password using 
a JAAS LoginModule for example.

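
The custom Validator route mentioned in the comment above, as an added example (not code from this thread or from CXF/WSS4J): it overrides the plaintext check of UsernameTokenValidator so that a received PasswordText value is compared against a salted PBKDF2 hash instead of a stored clear-text password. The class name, the in-memory store, the iteration count and the WSS4J 1.6 override signature `verifyPlaintextPassword(UsernameToken, RequestData)` are assumptions to check against the version in use.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

// Added example (hypothetical class); needs Java 8+ for PBKDF2WithHmacSHA256.
public class HashedUsernameTokenValidator extends UsernameTokenValidator {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;
    // Used when the user is unknown, so both paths cost one PBKDF2 run.
    private static final byte[][] DUMMY = { new byte[16], new byte[KEY_BITS / 8] };

    // Hypothetical store: user name -> { salt, PBKDF2 hash }. No clear text kept.
    private final Map<String, byte[][]> store;

    public HashedUsernameTokenValidator(Map<String, byte[][]> store) { this.store = store; }

    @Override
    protected void verifyPlaintextPassword(UsernameToken token, RequestData data)
            throws WSSecurityException {
        String received = token.getPassword();
        if (received == null || received.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        byte[][] record = store.get(token.getName());
        byte[][] ref = (record != null) ? record : DUMMY;
        // Constant-time comparison of the stored hash with the recomputed one.
        boolean match = MessageDigest.isEqual(ref[1], hash(received, ref[0]));
        if (record == null || !match) {
            // Unknown user and wrong password are reported identically.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }

    static byte[] hash(String password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }
}
```

In CXF the validator is registered on the endpoint through the `ws-security.ut.validator` property. It only covers PasswordText tokens: a PasswordDigest token is computed from the clear-text password, so the receiver cannot verify it from a hash.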


[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2018-02-09 Thread Maciej Miklas (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16358218#comment-16358218
 ] 

Maciej Miklas commented on CXF-3484:


Do I understand it right? Am I supposed to store clean text password somewhere???



[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2011-05-03 Thread Nicolas Poirot (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13028131#comment-13028131
 ] 

Nicolas Poirot commented on CXF-3484:
-

My mistake, it is a problem in wss4j-src-1.6.0


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2011-05-03 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13028134#comment-13028134
 ] 

Colm O hEigeartaigh commented on CXF-3484:
--


This is not a bug. The job of the password callback is to supply a password to 
the validator for the given user, so why would it need to know the password 
that has been received?

Colm.



[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2011-05-03 Thread Nicolas Poirot (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13028178#comment-13028178
 ] 

Nicolas Poirot commented on CXF-3484:
-

Maybe there is something I didn't understand...

I set up my web application according to 
http://cxf.apache.org/docs/ws-security.html (Spring XML Configuration), and it 
was working with cxf 2.2.3: password was provided to my class implementing 
CallbackHandler and registered via the passwordCallbackRef key in the bean.xml 
config file.

Now with cxf 2.4.0 (and wss4j 1.6.0), the configuration is the same, but in my 
class the password is not provided anymore...

What are the changes between the 2 versions? Is there something I missed?

My class:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public final class PasswordHandler implements CallbackHandler {
  ...
  @Override
  public void handle(final Callback[] callbacks)
      throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
      final WSPasswordCallback wpcallback = (WSPasswordCallback) callback;
      // The user name from the received token
      if (null == wpcallback.getIdentifier()) {
        throw new SecurityException("No user provided");
      }
      // Expects the received password to be present in the callback
      if (null == wpcallback.getPassword()) {
        throw new SecurityException("No password provided");
      }
      ...
    }
    ...
  }
}




[jira] [Commented] (CXF-3484) Password set to null in UsernameTokenValidator

2011-05-03 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13028224#comment-13028224
 ] 

Colm O hEigeartaigh commented on CXF-3484:
--


The way passwords are validated has changed between WSS4J 1.5.x and 1.6. See 
this blog post for more details:

http://coheigea.blogspot.com/2011/02/usernametoken-processing-changes-in.html

In a nutshell, the CallbackHandler implementation only supplies the password 
any more, and does not do any validation, as was the case in 1.5.x. A new 
Validator interface takes care of the validation of the password supplied by 
the CallbackHandler, so you can override this if you want to do some custom 
validation. See:

http://coheigea.blogspot.com/2011/04/wss4j-16-introducing-validators.html

Colm.
