[
https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kenny Moens updated WSS-98:
---------------------------
Attachment: plaintext_security_leak.diff
The patch for this problem.
> Security Vulnerability: Plaintext Usertoken Profile
> ---------------------------------------------------
>
> Key: WSS-98
> URL: https://issues.apache.org/jira/browse/WSS-98
> Project: WSS4J
> Issue Type: Bug
> Environment: Apache Axis 1.4 + WSS4J 1.5.3
> Reporter: Kenny Moens
> Assignee: Ruchith Udayanga Fernando
> Priority: Critical
> Attachments: plaintext_security_leak.diff
>
>
> When the username and passwords are passed without digest, no password check
> is performed.
> This can easily be reproduced with the following SOAP request:
> <wsse:UsernameToken>
> <wsse:Username>foo</wsse:Username>
> <wsse:Password>bar</wsse:Password>
> </wsse:UsernameToken>
> When looking at the source code the password is in this case never checked.
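
A fail-closed UsernameToken check for the case in the report, added here as an example; it is not WSS4J code and not the attached patch. The function name, the credential store and the stored password are assumptions, and the wsse namespace is declared on the token so the fragment parses on its own.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed credential store (assumption): user "foo" whose password is not "bar".
USERS = {"foo": "s3cret"}
# The request from the report, with the wsse namespace declared so it parses alone.
REPORTED_TOKEN = (
    f'<wsse:UsernameToken xmlns:wsse="{WSSE}"><wsse:Username>foo</wsse:Username>'
    "<wsse:Password>bar</wsse:Password></wsse:UsernameToken>"
)


def validate_username_token(xml_text, users=USERS):
    """Return True only when the token's password has been verified."""
    try:
        token = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.findtext(f"{{{WSSE}}}Password")
    expected = users.get(username)
    if expected is None or password is None:
        return False
    # The profile treats a Password element without a Type as PasswordText.
    pw_type = token.find(f"{{{WSSE}}}Password").get("Type", PASSWORD_TEXT)
    if pw_type == PASSWORD_TEXT:
        # The case from the report: a plaintext password must still be compared.
        return hmac.compare_digest(password.encode(), expected.encode())
    if pw_type == PASSWORD_DIGEST:
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        try:
            raw_nonce = base64.b64decode(nonce or "", validate=True)
        except ValueError:
            return False
        if not raw_nonce or not created:
            return False
        # Password_Digest = Base64(SHA-1(nonce + created + password))
        digest = hashlib.sha1(raw_nonce + created.encode() + expected.encode()).digest()
        return hmac.compare_digest(base64.b64encode(digest), password.strip().encode())
    return False  # unrecognised password type: fail closed
```
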