handleUsernameToken gives too much information. Can be used to determine if a username exists or not
----------------------------------------------------------------------------------------------------

                 Key: WSS-141
                 URL: https://issues.apache.org/jira/browse/WSS-141
             Project: WSS4J
          Issue Type: Bug
            Reporter: Martijn Brinkers
            Assignee: Ruchith Udayanga Fernando


I am using WSS4J with CXF to authenticate a soap connection. 

If digest password mode is used and the user name is known the password is set 
and WSS handles the calculation of the digest. Example:

                public void handle(Callback[] callbacks)
                        throws IOException, UnsupportedCallbackException
                {
                    for (Callback cb : callbacks)
                    {
                        WSPasswordCallback pc = (WSPasswordCallback) cb;
                        if (pc.getIdentifer().equals(username))
                        {
                            /*
                             * set the password on the callback. This will be compared to the
                             * password which was sent from the client.
                             */
                            pc.setPassword(password);
                        }
                    }
                }

Now what should be done when the user name does not match any known user? If 
you do not set the password an exception will be thrown (see below) containing 
something like : "Callback supplied no password for: adminX". 

The behavior of the authentication handler is different for a known user than 
for an unknown user. This makes it easy for an attacker to determine valid user 
names.

I saw a related message from 2005 (see http://www.mail-archive.com/[EMAIL 
PROTECTED]/msg00044.html) but it appears it has not been fixed.

  
Stack trace:

INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
        at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
        at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
        at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
        ... 17 more
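One way an application can close the gap described in this report from its own side, without waiting for a change in handleUsernameToken: always supply a password to the callback, using an unguessable decoy for unknown names so the digest check fails the same way as it does for a wrong password. This is an added example, not WSS4J or CXF code; it assumes a hypothetical user store map and the WSPasswordCallback.getIdentifier() accessor of later WSS4J releases (the report uses the older getIdentifer() spelling).

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/*
 * Example callback handler (not part of WSS4J) that responds identically for
 * known and unknown user names. For an unknown user it supplies a random
 * decoy password instead of leaving the callback empty, so the engine's
 * digest comparison fails like an ordinary wrong password and the
 * "Callback supplied no password for: <user>" fault is never produced.
 */
public class UniformPasswordCallbackHandler implements CallbackHandler {

    // Hypothetical user store: user name -> password (assumption for the example).
    private final Map<String, String> users;
    private final SecureRandom random = new SecureRandom();

    public UniformPasswordCallbackHandler(Map<String, String> users) {
        this.users = users;
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String password = users.get(pc.getIdentifier());
            if (password == null) {
                // Unknown user: 32 random bytes can never match the client's
                // digest, so the failure is indistinguishable from a bad password.
                byte[] decoy = new byte[32];
                random.nextBytes(decoy);
                password = Base64.getEncoder().encodeToString(decoy);
            }
            // Always set a password; WSS4J computes and compares the digest itself.
            pc.setPassword(password);
        }
    }
}
```

For the two paths to be truly indistinguishable the user lookup itself should also take comparable time for known and unknown names, since a noticeably faster "not found" response leaks the same information through timing.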

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.