XWSS-27: SecurityConfigurationXmlReader ignores digestPassword in xml

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: current
    • Fix Version/s: milestone 1
    • Component/s: www
    • Labels: None
    • Environment: Operating System: All; Platform: All
    • Issuezilla Id: 27

      Description

      I found a bug in SecurityConfigurationXmlReader: it ignores the digestPassword
      attribute, which is mentioned in ConfigurationConstants.java. As a result, a
      plaintext password, which can be found in the <Username> element of
      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText",
      is not supported (only digested works). The exception WSS1404.notmet.digested will
      be thrown.

      Example SOAP that is rejected (it was generated by Oracle BPEL):

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <soap:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              soap:mustUnderstand="1">
            <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:Username>XXXXXXXXX</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXXX</wsse:Password>
            </wsse:UsernameToken>
          </wsse:Security>
        </soap:Header>
        <soap:Body xmlns:ns1="http://xmlns.oracle.com/transferCredit">
          <ns1:transferCreditProcessRequest>
            <ns1:destination_deviceid>XXXXXXX</ns1:destination_deviceid>
            <ns1:sum>0.001</ns1:sum>
          </ns1:transferCreditProcessRequest>
        </soap:Body>
      </soap:Envelope>

      I used XWSS 2.0 style configuration:

      <xwss:SecurityConfiguration dumpMessages="true"
          xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
        <xwss:UsernameToken digestPassword="false"/>
        <xwss:RequireUsernameToken/>
      </xwss:SecurityConfiguration>

        Activity

        jarol1 added a comment -

        Close this issue, the correct configuration is:

        <xwss:SecurityConfiguration dumpMessages="true"
            xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
          <xwss:UsernameToken useNonce="false" digestPassword="false"/>
          <xwss:RequireUsernameToken nonceRequired="false" passwordDigestRequired="false"/>
        </xwss:SecurityConfiguration>
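The check a receiver performs on the UsernameToken in the reported envelope, written out as an added example (this is not XWSS code and not the reporter's code). The two policy flags only mirror the passwordDigestRequired and nonceRequired attributes of RequireUsernameToken in the configuration above; the credential store, the user names, the envelope builder and the nonce/timestamp values are constructed for the example. With digest required, a PasswordText token is refused, which is the situation the report describes; with both flags false, the plaintext token is compared, and a PasswordDigest token is verified as Base64(SHA-1(nonce + created + password)) per the UsernameToken profile 1.0.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the reported envelope.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"

# Constructed credential store (not from the issue): username -> password the server knows.
USERS = {"alice": "s3cret"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest as defined by the UsernameToken profile 1.0:
    Base64(SHA-1(nonce_bytes + created + password))."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def verify_username_token(envelope: str, password_digest_required: bool, nonce_required: bool):
    """Check the UsernameToken in a SOAP envelope against a receiver policy.

    The flags mirror RequireUsernameToken's passwordDigestRequired / nonceRequired.
    Returns (accepted, reason)."""
    root = ET.fromstring(envelope)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken in wsse:Security"
    username = token.findtext(f"{{{WSSE}}}Username")
    password_el = token.find(f"{{{WSSE}}}Password")
    if not username or password_el is None or not password_el.text:
        return False, "malformed UsernameToken"
    # The profile makes PasswordText the default when Type is absent.
    password_type = password_el.get("Type", PASSWORD_TEXT)
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")

    if nonce_required and not nonce:
        return False, "policy requires a nonce"
    expected = USERS.get(username)
    if expected is None:
        return False, "unknown user"

    if password_type == PASSWORD_TEXT:
        if password_digest_required:
            # The rejection the report runs into: plaintext token, digest-only policy.
            return False, "plaintext password rejected, policy requires PasswordDigest (WSS1404.notmet.digested)"
        ok = hmac.compare_digest(password_el.text.encode("utf-8"), expected.encode("utf-8"))
        return ok, "ok" if ok else "bad password"

    if password_type == PASSWORD_DIGEST:
        if not nonce or not created:
            return False, "PasswordDigest needs wsse:Nonce and wsu:Created"
        try:
            wanted = password_digest(nonce, created, expected)
        except ValueError:  # nonce was not valid base64
            return False, "malformed nonce"
        ok = hmac.compare_digest(password_el.text.encode("utf-8"), wanted.encode("utf-8"))
        return ok, "ok" if ok else "bad digest"

    return False, f"unsupported password Type {password_type}"


def username_token_envelope(username, password_value, password_type, nonce_b64=None, created=None):
    """Constructed envelope with the same header layout as the report's (body left empty)."""
    extra = ""
    if nonce_b64 is not None:
        extra += f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>"
    if created is not None:
        extra += f"<wsu:Created>{created}</wsu:Created>"
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        '<soap:Header><wsse:Security soap:mustUnderstand="1"><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{password_type}">{password_value}</wsse:Password>{extra}'
        "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


if __name__ == "__main__":
    plain = username_token_envelope("alice", "s3cret", PASSWORD_TEXT)
    # Digest-only policy: the PasswordText token from the report is refused.
    print(verify_username_token(plain, password_digest_required=True, nonce_required=False))
    # Policy from the closing comment (both attributes false): the same token is accepted.
    print(verify_username_token(plain, password_digest_required=False, nonce_required=False))
```

Two things the sketch leaves to the deployment: xml.etree should be replaced by a hardened parser (defusedxml) on untrusted input, and a real digest verifier must also reject replayed nonces and stale Created timestamps, which is the reason the nonceRequired/useNonce pair exists at all.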

        kumarjayanti added a comment -

        closing the issue as suggested by user.


          People

          • Assignee: xwss-issues
          • Reporter: jarol1
          • Votes: 0
          • Watchers: 0
