[
https://issues.apache.org/jira/browse/WSS-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12590098#action_12590098
]
Fred Dushin commented on WSS-54:
--------------------------------
Applied Colm's patch, which has been reviewed on the list.
> UsernameTokenProcessor not processing unhashed UsernameToken
> ------------------------------------------------------------
>
> Key: WSS-54
> URL: https://issues.apache.org/jira/browse/WSS-54
> Project: WSS4J
> Issue Type: Bug
> Reporter: Bob Coss
> Attachments: wss4j_wss54_revised.patch
>
>
> The UsernameTokenProcessor will not authenticate anything but a UsernameToken
> that was hashed with a nonce and timestamp. Anything else that is passed to
> it will create a valid principal regardless of what the implementation's
> password callback handler does. This is creating confusion and preventing
> WSS4J from being used for anything where the UsernameToken is passed
> plainly. It is understood that doing this in a production environment is
> discouraged, but it is useful to have this implementation work as expected
> so that the framework can be experimented with and evaluated.
> Specifically, in UsernameTokenProcessor.java, for a UsernameToken that is not
> hashed, nothing is done with the WSPasswordCallback object after the call
> to the password handler's handle method is invoked. Since nothing is done with
> it, the code drops through and sets up a valid principal with the userid and
> returns. There is no way to signal a
> WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
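The flow the report describes, as an added example that is not part of the JIRA message and not WSS4J's own code (Colm's attached patch is not reproduced on this page): a plaintext UsernameToken check that invokes the application's callback handler and then ignores its result, beside the corrected version that compares the handler-supplied password with the one received and fails closed. The classes UserPasswordCallback, PlainUsernameToken, FailedAuthenticationException and UsernameTokenCheck are hypothetical stand-ins for WSS4J's WSPasswordCallback, the parsed token, WSSecurityException(FAILED_AUTHENTICATION) and UsernameTokenProcessor; only the JDK javax.security.auth.callback types are real. The credential store in main is constructed for the demonstration. Save as UsernameTokenCheck.java and run with `java UsernameTokenCheck.java` (Java 11 or later).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

public class UsernameTokenCheck {

    /** Behaviour the bug report describes (hypothetical stand-in, not WSS4J code):
     *  the handler is invoked, its result is never read, and a principal is
     *  created for any syntactically valid token. */
    static String brokenVerify(PlainUsernameToken token, CallbackHandler handler)
            throws IOException, UnsupportedCallbackException {
        UserPasswordCallback cb = new UserPasswordCallback(token.user);
        handler.handle(new Callback[] { cb });
        // cb.password is ignored here: control drops through to the principal
        return token.user;
    }

    /** Corrected flow: compare the password the handler knows with the one on the
     *  wire and signal FAILED_AUTHENTICATION on a missing or mismatched password.
     *  MessageDigest.isEqual is used so the comparison does not short-circuit. */
    static String verify(PlainUsernameToken token, CallbackHandler handler)
            throws IOException, UnsupportedCallbackException, FailedAuthenticationException {
        UserPasswordCallback cb = new UserPasswordCallback(token.user);
        handler.handle(new Callback[] { cb });
        if (cb.password == null || token.password == null
                || !MessageDigest.isEqual(cb.password.getBytes(StandardCharsets.UTF_8),
                                          token.password.getBytes(StandardCharsets.UTF_8))) {
            throw new FailedAuthenticationException("bad user name or password for " + token.user);
        }
        return token.user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed credential store standing in for the application's handler.
        Map<String, String> users = Map.of("alice", "s3cret");
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof UserPasswordCallback) {
                    UserPasswordCallback cb = (UserPasswordCallback) c;
                    cb.password = users.get(cb.identifier); // null for an unknown user
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };

        PlainUsernameToken wrongPassword = new PlainUsernameToken("alice", "guess");
        PlainUsernameToken unknownUser = new PlainUsernameToken("mallory", "anything");

        // Broken flow: both tokens yield a principal even though the handler
        // returned a different password for one and no password for the other.
        System.out.println("broken: " + brokenVerify(wrongPassword, handler));
        System.out.println("broken: " + brokenVerify(unknownUser, handler));

        // Corrected flow: both are rejected, the genuine credential is accepted.
        for (PlainUsernameToken t : new PlainUsernameToken[] { wrongPassword, unknownUser }) {
            try {
                verify(t, handler);
            } catch (FailedAuthenticationException e) {
                System.out.println("fixed: " + e.getMessage());
            }
        }
        System.out.println("fixed: principal " + verify(new PlainUsernameToken("alice", "s3cret"), handler));
    }
}

/** Hypothetical stand-in for WSPasswordCallback: carries the user name in and
 *  lets the handler fill in the password it holds for that user. */
final class UserPasswordCallback implements Callback {
    final String identifier;
    String password;
    UserPasswordCallback(String identifier) { this.identifier = identifier; }
}

/** Plaintext UsernameToken as parsed from the message (hypothetical). */
final class PlainUsernameToken {
    final String user;
    final String password;
    PlainUsernameToken(String user, String password) { this.user = user; this.password = password; }
}

/** Stand-in for WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION). */
final class FailedAuthenticationException extends Exception {
    FailedAuthenticationException(String msg) { super(msg); }
}
```

The point the example isolates is that the handler contract alone cannot reject a request: a callback handler can only populate the callback object, so unless the processor reads it back and throws, every call path ends in a principal. The corrected verify also treats a null password from the handler (unknown user) the same as a mismatch, so the two cases are indistinguishable to a caller probing for valid user names.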