[
https://issues.apache.org/jira/browse/WSS-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated WSS-141:
------------------------------------
Fix Version/s: 1.5.5
Affects Version/s: 1.5.4
> handleUsernameToken gives too much information. Can be used to determine if a
> username exists or not
> ----------------------------------------------------------------------------------------------------
>
> Key: WSS-141
> URL: https://issues.apache.org/jira/browse/WSS-141
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.4
> Reporter: Martijn Brinkers
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.5
>
>
> I am using WSS4J with CXF to authenticate a SOAP connection.
> If digest password mode is used and the user name is known, the password is
> set and WSS handles the calculation of the digest. Example:
>
>     // pc is the WSPasswordCallback handed to the application's CallbackHandler.handle()
>     if (pc.getIdentifier().equals(username))
>     {
>         /*
>          * Set the password on the callback. This will be compared
>          * to the password which was sent from the client.
>          */
>         pc.setPassword(password);
>     }
>
> Now what should be done when the user name does not match any known user? If
> you do not set the password an exception will be thrown (see below)
> containing something like: "Callback supplied no password for: adminX".
> The behavior of the authentication handler is different for a known user than
> for an unknown user. This makes it easy for an attacker to determine valid
> user names.
> I saw a related message from 2005 (see http://www.mail-archive.com/[EMAIL
> PROTECTED]/msg00044.html) but it appears it has not been fixed.
>
> Stack trace:
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:398)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:247)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:65)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
>     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:278)
>     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:252)
>     at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
>     at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
>     at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
>     at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
>     at org.mortbay.jetty.Server.handle(Server.java:324)
>     at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
>     at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
>     at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
>     at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
>     at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
>     at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
>     at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: adminm)
>     at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:124)
>     at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:53)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:153)
>     ... 17 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]