[ https://issues.apache.org/jira/browse/WSS-66?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12505234 ]

Dmitry commented on WSS-66:
---------------------------

This issue seems to make the whole UsernameToken thing useless in case of 
PasswordDigest.

I used the following XML to test it

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
 <wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken>
   <wsse:Username>Bert</wsse:Username>
   <wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">B5twk47KwSrjeg==</wsse:Password>
   <wsse:Nonce/>
   <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
  </wsse:UsernameToken>
 </wsse:Security>
</env:Header>
</env:Envelope>

Given that SOAP header, wss4j doesn't verify the password and sets up a valid 
principal. Thanks to line # 117 of 
org.apache.ws.security.processor.UsernameTokenProcessor:

if (nonce != null && createdTime != null) {


> Possible security hole when PasswordDigest is used by client.
> -------------------------------------------------------------
>
>                 Key: WSS-66
>                 URL: https://issues.apache.org/jira/browse/WSS-66
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Any
>            Reporter: Ever A. Olano
>            Assignee: Davanum Srinivas
>
> Hello.  I am trying to implement UsernameToken verification on the server 
> side and discovered what could be a security hole in the way the code 
> determines whether to verify the PasswordDigest.
> According to the Username Token Profile 1.0 spec, the nonce and timestamp are 
> OPTIONAL.  However, in UsernameTokenProcessor.java, you verify the password 
> digest only if both nonce and timestamp are non-null:
>             if (nonce != null && createdTime != null) {
>                 String passDigest = UsernameToken.doPasswordDigest(nonce, createdTime, origPassword);
>                 if (!passDigest.equals(password)) {
>                     throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
>                 }
>             }
> So, if a client sends in PasswordDigest without a nonce or a timestamp, you 
> will set the usage to USERNAME_TOKEN, so the password callback handler will 
> simply set the password (since it's not expected to validate it itself).  
> Then, coming back to UsernameTokenProcessor, the code sees that one of nonce 
> and createdTime is null so it doesn't do the validation.
> In other words, unless I missed something in the code, a client can send in 
> any bogus password, use PasswordDigest, NOT send in a nonce or a timestamp, 
> and it will validate just fine.
> I'm sorry I can't test that scenario at this time as I haven't found a way to 
> turn off either the nonce or timestamp from .NET WSE 2.0, the toolkit I'm 
> testing with at this point.
> Thanks,
> Ever

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
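The following is an added example, not wss4j code and not something either poster wrote. It reproduces the decision logic quoted in the report (digest checked only when both nonce and created are present) next to a hardened version that refuses any PasswordDigest token lacking a nonce or a Created timestamp, and runs both over Dmitry's test envelope. The credential store (PASSWORDS), the helper names (build_envelope, parse_username_token, authenticate, digest_envelope), and the PasswordText type URI are assumptions made for the example; the digest formula Base64(SHA-1(nonce + created + password)) is the one from the Username Token Profile 1.0.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TOKEN_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = TOKEN_PROFILE + "#PasswordDigest"
PASSWORD_TEXT = TOKEN_PROFILE + "#PasswordText"
NS = {"env": SOAP_ENV, "wsse": WSSE, "wsu": WSU}

# Constructed credential store, standing in for the server-side password callback.
PASSWORDS = {"Bert": "correct horse battery staple"}


def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)), Username Token Profile 1.0."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password_value, ptype, nonce_b64, created):
    """Assemble a SOAP envelope carrying a UsernameToken (constructed test input only)."""
    nonce_el = f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>" if nonce_b64 else "<wsse:Nonce/>"
    created_el = f"<wsu:Created>{created}</wsu:Created>" if created else ""
    return (
        f'<env:Envelope xmlns:env="{SOAP_ENV}"><env:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{ptype}">{password_value}</wsse:Password>'
        f'{nonce_el}{created_el}'
        '</wsse:UsernameToken></wsse:Security></env:Header></env:Envelope>'
    )


# Dmitry's test message from the comment above: a bogus digest and an empty <wsse:Nonce/>.
REPORTED_ENVELOPE = build_envelope("Bert", "B5twk47KwSrjeg==", PASSWORD_DIGEST, None,
                                   "2003-07-16T01:24:32Z")


def parse_username_token(envelope_xml):
    """Extract (username, password, type, nonce, created); absent elements come back as None."""
    root = ET.fromstring(envelope_xml)
    token = root.find("env:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    pw = token.find("wsse:Password", NS)
    return (
        token.findtext("wsse:Username", namespaces=NS),
        pw.text if pw is not None else None,
        pw.get("Type") if pw is not None else None,
        token.findtext("wsse:Nonce", namespaces=NS),   # "" for <wsse:Nonce/>, None if absent
        token.findtext("wsu:Created", namespaces=NS),
    )


def authenticate(envelope_xml, hardened=True):
    """True if the token authenticates; hardened=False reproduces the decision logic in the report."""
    username, password, ptype, nonce, created = parse_username_token(envelope_xml)
    stored = PASSWORDS.get(username)
    if stored is None or password is None:
        return False
    if ptype != PASSWORD_DIGEST:
        # PasswordText (or untyped): the element carries the plaintext password itself.
        return hmac.compare_digest(password.encode(), stored.encode())
    if not nonce or not created:
        # Reported behaviour: with nonce or created missing (an empty <wsse:Nonce/> counts as
        # missing here, matching the outcome in the comment) the digest is never compared and
        # the token is accepted. Hardened behaviour: a digest cannot be verified without both,
        # so the token is rejected.
        return not hardened
    try:
        expected = password_digest(nonce, created, stored)
    except ValueError:          # nonce is not valid Base64 (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def digest_envelope(username, password, nonce_bytes, created):
    """Build a correctly digested token the way a conforming client would (constructed input)."""
    nonce_b64 = base64.b64encode(nonce_bytes).decode("ascii")
    return build_envelope(username, password_digest(nonce_b64, created, password),
                          PASSWORD_DIGEST, nonce_b64, created)
```

With the reported envelope, authenticate(..., hardened=False) returns True although the digest is garbage, while the hardened path returns False; a token built by digest_envelope with the stored password passes both. A production check would additionally bound the age of Created and keep a short-lived nonce cache so that a captured, correctly digested token cannot be replayed; that is outside what the report discusses and is left out here.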
