-
Bug
-
Resolution: Done
-
Major
-
jbossws-cxf-5.4.4.Final, jbossws-cxf-6.2.0.Final
-
None
There is wrong assumption about the password for the Identity is always clear password in the SubjectCreator.There could be md5 digest password and other types. Besides this issue, these lines logic seems not correct. These lines to get the clear password should only be needed by isDigest is true:
RealmIdentity identity = securityDomain.getIdentity(principal.getName());
if (identity.equals(RealmIdentity.NON_EXISTENT) || identity.getCredential(PasswordCredential.class) == null) {
throw MESSAGES.authenticationFailed(principal.getName());
}
ClearPassword clearPassword = identity.getCredential(PasswordCredential.class).getPassword(ClearPassword.class);
// only realms supporting getCredential with clear password can be used with Username Token profile
if (clearPassword == null) {
throw MESSAGES.authenticationFailed(principal.getName());
}
String expectedPassword = new String(clearPassword.getPassword());
if (isDigest && created != null && nonce != null) { // username token profile is using digest
// verify client's digest
if (!getUsernameTokenPasswordDigest(nonce, created, expectedPassword).equals(password)) {
throw MESSAGES.authenticationFailed(principal.getName());
}
- is cloned by
-
-
- Closed
-
-
-
- Closed
-