JBoss Web Services / JBWS-4389

Wrong assumption that the Identity's passwords are all clear passwords


      There is a wrong assumption in the SubjectCreator that the password for the Identity is always a clear password. There could be an MD5 digest password and other types. Besides this issue, the logic of these lines does not seem correct. The lines that get the clear password should only be needed when isDigest is true:

      RealmIdentity identity = securityDomain.getIdentity(principal.getName());
      if (identity.equals(RealmIdentity.NON_EXISTENT) || identity.getCredential(PasswordCredential.class) == null) {
         throw MESSAGES.authenticationFailed(principal.getName());
      }
      // the clear password is requested here unconditionally, before isDigest is checked
      ClearPassword clearPassword = identity.getCredential(PasswordCredential.class).getPassword(ClearPassword.class);
      // only realms supporting getCredential with clear password can be used with Username Token profile
      if (clearPassword == null) {
         throw MESSAGES.authenticationFailed(principal.getName());
      }
      String expectedPassword = new String(clearPassword.getPassword());
      if (isDigest && created != null && nonce != null) { // username token profile is using digest
         // verify client's digest
         if (!getUsernameTokenPasswordDigest(nonce, created, expectedPassword).equals(password)) {
            throw MESSAGES.authenticationFailed(principal.getName());
         }
      }
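
      An added example, not code from JBossWS or from the reporter: a JDK-only sketch of the ordering the description asks for, where the clear password is fetched only in the digest branch and a plain-text token is verified against whatever form the credential is stored in. `UsernameTokenCheck`, `StoredCredential`, the salted SHA-256 storage scheme and all sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
// Added illustration: StoredCredential is a hypothetical stand-in, not a JBossWS or Elytron type.
public class UsernameTokenCheck {
    // Holds either a clear password or a salted SHA-256 hash (constructed storage scheme).
    record StoredCredential(char[] clear, byte[] salt, byte[] hash) {
        boolean verify(String guess) throws Exception {
            if (clear != null) return MessageDigest.isEqual(bytes(new String(clear)), bytes(guess));
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return MessageDigest.isEqual(hash, md.digest(bytes(guess)));
        }
    }
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    // WSS UsernameToken Profile digest: Base64(SHA-1(nonce + created + password)), nonce Base64-decoded.
    static String passwordDigest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(bytes(created));
        return Base64.getEncoder().encodeToString(sha1.digest(bytes(password)));
    }

    static boolean authenticate(StoredCredential cred, boolean isDigest, String nonce, String created, String password) throws Exception {
        if (cred == null || password == null) return false;
        if (isDigest && created != null && nonce != null) {
            // Only the digest branch needs the clear password, to recompute the client's digest.
            if (cred.clear() == null) return false;
            String expected = passwordDigest(nonce, created, new String(cred.clear()));
            return MessageDigest.isEqual(bytes(expected), bytes(password));
        }
        // Plain-text token: the credential checks the guess in whatever form it is stored.
        return cred.verify(password);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = {1, 2, 3, 4}; // constructed sample data throughout
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        StoredCredential hashed = new StoredCredential(null, salt, md.digest(bytes("s3cret")));
        StoredCredential clear = new StoredCredential("s3cret".toCharArray(), null, null);
        String nonce = Base64.getEncoder().encodeToString(bytes("constructed-nonce"));
        String created = "2020-01-01T00:00:00Z";
        String digest = passwordDigest(nonce, created, "s3cret");
        System.out.println(authenticate(hashed, false, null, null, "s3cret")); // hashed identity, plain token
        System.out.println(authenticate(clear, true, nonce, created, digest)); // clear identity, digest token
        System.out.println(authenticate(hashed, true, nonce, created, digest)); // hashed identity, digest token
    }
}
```

      The third call is rejected because an identity stored only as a hash cannot reproduce the UsernameToken digest, while the first succeeds without any clear password being available.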


            dvilkola@redhat.com Diana Krepinska
            rhn-engineering-ema Jim Ma