[
https://issues.apache.org/jira/browse/WSS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved WSS-183.
-------------------------------------
Resolution: Fixed
> Change the UsernameTokenProcessor to validate plaintext passwords
> -----------------------------------------------------------------
>
> Key: WSS-183
> URL: https://issues.apache.org/jira/browse/WSS-183
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 1.5.7
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> WSS4J has a long-standing issue where it requires the CallbackHandler
> implementation to return the password for the password digest case (correct
> behaviour), and validate the password in the CallbackHandler implementation
> for the plaintext password case. This latter behaviour is an abuse of the
> CallbackHandler interface, which was only designed to return a password, not
> validate it. Secondly, it leads to potential security holes, where developers
> might not be aware their CallbackHandler implementation needs to explicitly
> throw an exception for the USERNAME_PASSWORD_UNKNOWN (plaintext or unknown)
> case if they're only testing for USERNAME_PASSWORD (password digest)
> callbacks.
> 1.6 gives us the chance to change this as we don't have the constraint of
> backwards compatibility. The USERNAME_PASSWORD tag now refers to any Username
> Token that is digested, plaintext, or of password type "null" (default to
> plaintext as per the spec). For this case, the CallbackHandler is expected to
> supply the password, and validation takes place in UsernameTokenProcessor. If
> the user wants to implement custom token handling, the relevant WSSConfig
> property can be set for a custom password type.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
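The contract change described in the issue, reduced to a runnable sketch. This is an added illustration, not WSS4J code: `NaiveHandler`, `ValidatingHandler`, `process_15` and `process_16` are assumed names that mimic the division of labour between a CallbackHandler and UsernameTokenProcessor under the 1.5.x and 1.6 contracts; the user store and timestamps are constructed sample data. The digest is computed as the UsernameToken Profile specifies, Base64(SHA-1(nonce + created + password)). The point it shows is the one in the report: under the 1.5.x contract a handler that only serves the digest usage and never throws for the plaintext/unknown usage accepts any plaintext password, whereas under the 1.6 contract the processor does the comparison itself, so the same handler is safe.

```python
"""Simulation of the 1.5.x vs 1.6 UsernameToken validation contracts (WSS-183).

Added example; none of the class or function names are WSS4J's own API.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Password type URIs from the WS-Security UsernameToken Profile 1.0
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Callback usages, named after the 1.5.x constants described in the issue
USAGE_USERNAME_TOKEN = "USERNAME_TOKEN"                  # digest (1.5.x); any type (1.6)
USAGE_USERNAME_TOKEN_UNKNOWN = "USERNAME_TOKEN_UNKNOWN"  # plaintext/unknown (1.5.x only)

USERS = {"alice": "correct horse battery staple"}  # constructed sample user store


@dataclass
class UsernameToken:
    username: str
    password: str                  # plaintext, or base64 digest if password_type is digest
    password_type: Optional[str]   # None means "no Type attribute" -> treated as PasswordText
    nonce: bytes = b""
    created: str = ""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username, password, password_type=PASSWORD_DIGEST,
               nonce=None, created="2010-01-01T00:00:00Z"):
    """Build the token a client would send (constructed input for the example)."""
    if password_type == PASSWORD_DIGEST:
        nonce = nonce or os.urandom(16)
        return UsernameToken(username, password_digest(nonce, created, password),
                             password_type, nonce, created)
    return UsernameToken(username, password, password_type)


def expected_secret(token: UsernameToken, stored: str) -> str:
    """What the token's password field must equal, given the stored password."""
    if token.password_type == PASSWORD_DIGEST:
        return password_digest(token.nonce, token.created, stored)
    return stored  # PasswordText, or no type at all (defaults to text per the profile)


def _equal(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


class NaiveHandler:
    """A handler written with only the digest usage in mind.

    Under the 1.5.x contract it would have to *raise* for USERNAME_TOKEN_UNKNOWN to
    reject a plaintext password; it does not, so it silently returns nothing.
    """
    def handle(self, usage, username, supplied=None):
        if usage == USAGE_USERNAME_TOKEN:
            return USERS.get(username)
        return None


class ValidatingHandler(NaiveHandler):
    """A 1.5.x-correct handler: validates plaintext itself and raises on failure."""
    def handle(self, usage, username, supplied=None):
        if usage == USAGE_USERNAME_TOKEN_UNKNOWN:
            stored = USERS.get(username)
            if stored is None or supplied is None or not _equal(stored, supplied):
                raise PermissionError("bad plaintext password")
            return None
        return super().handle(usage, username, supplied)


def process_15(token: UsernameToken, handler) -> bool:
    """1.5.x contract: processor checks digests; plaintext is the handler's job."""
    if token.password_type == PASSWORD_DIGEST:
        stored = handler.handle(USAGE_USERNAME_TOKEN, token.username)
        return stored is not None and _equal(expected_secret(token, stored), token.password)
    try:
        handler.handle(USAGE_USERNAME_TOKEN_UNKNOWN, token.username, token.password)
    except PermissionError:
        return False
    return True  # no exception from the handler means "accepted"


def process_16(token: UsernameToken, handler) -> bool:
    """1.6 contract: handler only supplies the password; processor validates."""
    stored = handler.handle(USAGE_USERNAME_TOKEN, token.username)
    if stored is None:
        return False
    return _equal(expected_secret(token, stored), token.password)
```

Running the two processors over the same tokens with `NaiveHandler` shows the difference: a digest token for alice passes both, but a PasswordText token carrying a wrong password (or an unknown user) passes `process_15` and is rejected by `process_16`; only `ValidatingHandler` makes `process_15` safe.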