[jira] Commented: (WSS-219) empty/blank password not supported in username token. value read by wss4j is null instead of empty string

Mon, 14 Jun 2010 03:17:45 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12878520#action_12878520
 ] 

Colm O hEigeartaigh commented on WSS-219:
-----------------------------------------


Can you clarify whether a wsse:Password element is sent across the wire or not? 
So, does the UsernameToken look like this:

<wsse:UsernameToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="UsernameToken-15" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
    <wsse:Username>emptyuser</wsse:Username>
    <wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
</wsse:UsernameToken> 

or this:

<wsse:UsernameToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 wsu:Id="UsernameToken-15" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
    <wsse:Username>emptyuser</wsse:Username>
</wsse:UsernameToken> 

Colm.

> empty/blank password not supported in username token. value read by wss4j is 
> null instead of empty string
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-219
>                 URL: https://issues.apache.org/jira/browse/WSS-219
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.8
>         Environment: Windows/ Solaris
>            Reporter: kumar ashutosh
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>
> for noraml user name token password mechanism
> if client sets:
> user name = "user1"
> password="" // empty string
> Then WSS4j processes it as null. instead it should process it as empty string 
> of size 0 or throw exception as it does in case of username= null
> password= "   "// blank string with size>0
> Then it works fine.
> note: for password disgest empty password is replaced by default digest.
> It seems that the password is default initialized to null and is not being 
> reinitialized if string size 0.
> Appropriate correction or exc4eption mechanism suggested

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to