UsernameTokenProcessor not processing unhashed UsernameToken
------------------------------------------------------------

                 Key: WSS-54
                 URL: http://issues.apache.org/jira/browse/WSS-54
             Project: WSS4J
          Issue Type: Bug
            Reporter: Bob Coss
         Assigned To: Davanum Srinivas


The UsernameTokenProcessor will not authenticate anything but a UsernameToken 
that was hashed with a nonce and timestamp.  Anything else that is passed to it 
will create a valid principal regardless of what the implementation's password 
callback handler does.  This is creating confusion and preventing WSS4J from 
being used for anything where the UsernameToken is passed plainly.  It is 
understood that doing this in a production environment is discouraged, but it 
is useful to have this implementation work as expected so that the framework 
can be experimented with and evaluated.

Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not 
hashed, nothing is done with the WSPasswordCallback object after the call to 
the password handler's handle method is invoked.  Since nothing is done with it, 
the code drops through and sets up a valid principal with the userid and 
returns.  There is no way to signal a 
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
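As an added illustration (not WSS4J's own code, and not the project's eventual fix), the verification step the report describes as missing: after the callback handler has run, compare the password it supplied with the plaintext password carried in the token and fail authentication on mismatch. It uses the WSPasswordCallback and WSSecurityException types named above; the class name, method name and parameters are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;

/**
 * Hypothetical helper (not part of WSS4J) showing the check the report says
 * is skipped for a plaintext UsernameToken: consult the application's
 * password callback and compare its answer with the token's password.
 */
public final class PlaintextUsernameTokenCheck {

    private PlaintextUsernameTokenCheck() { }

    /**
     * @param user     username taken from the UsernameToken
     * @param password plaintext password taken from the token (may be null)
     * @param handler  the application's password callback handler
     * @throws WSSecurityException FAILED_AUTHENTICATION when the handler
     *         supplies no password or the supplied password does not match
     */
    public static void verify(String user, String password, CallbackHandler handler)
            throws WSSecurityException {
        // The handler is expected to fill in the password it knows for this user.
        WSPasswordCallback pwCb =
                new WSPasswordCallback(user, WSPasswordCallback.USERNAME_TOKEN);
        try {
            handler.handle(new Callback[] { pwCb });
        } catch (Exception e) {
            // A failing handler must not fall through to a valid principal.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        String expected = pwCb.getPassword();
        // This is the missing step: without it the processor builds a principal
        // for any username, whatever the handler did.
        if (expected == null || password == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = password.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual avoids an early-exit comparison on the secret.
        if (!MessageDigest.isEqual(a, b)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }
}
```

The callback handler signals the expected password through WSPasswordCallback.setPassword; leaving it unset is treated as a failed authentication rather than a pass.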


-- 
This message is automatically generated by JIRA.