
[GSS](7.4.z) JBWS-4389 - Wrong assumption that the Identity's passwords are all clear passwords

    Description

      SubjectCreator makes the wrong assumption that the password of the Identity is always a clear password. It could be an MD5 digest password or another password type. Besides this, the logic of these lines seems incorrect: the lines that fetch the clear password should only be needed when isDigest is true:

      RealmIdentity identity = securityDomain.getIdentity(principal.getName());
      if (identity.equals(RealmIdentity.NON_EXISTENT) || identity.getCredential(PasswordCredential.class) == null) {
         throw MESSAGES.authenticationFailed(principal.getName());
      }
      // Assumes the realm can hand back a ClearPassword: an identity whose stored
      // credential is an MD5 digest (or any other non-clear type) is rejected here,
      // even though the clear text is only required for the digest check below.
      ClearPassword clearPassword = identity.getCredential(PasswordCredential.class).getPassword(ClearPassword.class);
      // only realms supporting getCredential with clear password can be used with Username Token profile
      if (clearPassword == null) {
         throw MESSAGES.authenticationFailed(principal.getName());
      }
      String expectedPassword = new String(clearPassword.getPassword());
      if (isDigest && created != null && nonce != null) { // username token profile is using digest
         // verify client's digest
         if (!getUsernameTokenPasswordDigest(nonce, created, expectedPassword).equals(password)) {
            throw MESSAGES.authenticationFailed(principal.getName());
         }
      } // excerpt ends here

      https://github.com/jbossws/jbossws-cxf/blob/main/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java#L94-L104
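      A model of the distinction the description draws, added here as an illustration and not code from JBossWS or WildFly Elytron: it is Python rather than the Java of SubjectCreator, the realm contents are constructed, and only the digest profile asks the realm for clear text, while PasswordText verification works against whatever credential type is stored.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCredential:
    kind: str     # "clear" (plain text) or "md5" (only a digest is stored)
    value: bytes  # the clear text, or the MD5 digest bytes

# Constructed realm for the demo: one identity stores a clear password, one
# stores only an MD5 digest, the non-clear case the issue points out.
REALM = {
    "alice": StoredCredential("clear", b"alice-secret"),
    "bob": StoredCredential("md5", hashlib.md5(b"bob-secret").digest()),
}

def username_token_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the WS-Security UsernameToken profile:
    Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_stored(cred: StoredCredential, guess: str) -> bool:
    """PasswordText mode: check the guess against whatever the realm stores."""
    if cred.kind == "clear":
        return hmac.compare_digest(cred.value, guess.encode())
    if cred.kind == "md5":
        return hmac.compare_digest(cred.value, hashlib.md5(guess.encode()).digest())
    return False

def authenticate(user: str, password: str, is_digest: bool,
                 nonce: Optional[bytes] = None,
                 created: Optional[str] = None) -> bool:
    cred = REALM.get(user)
    if cred is None:
        return False
    if is_digest and nonce is not None and created is not None:
        # Only the digest profile needs the clear password: the server has to
        # recompute SHA-1(nonce + created + password) itself.
        if cred.kind != "clear":
            return False  # realm cannot supply clear text, digest cannot be checked
        expected = username_token_digest(nonce, created, cred.value.decode())
        return hmac.compare_digest(expected.encode(), password.encode())
    # PasswordText: no clear password needed, the realm checks the guess.
    return verify_stored(cred, password)
```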

            People

              dvilkola@redhat.com Diana Krepinska
              rhn-engineering-ema Jim Ma