Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-25738

[GSS](7.4.z) JBWS-4389 - Wrong assumption about the Identity's password are all clearpassword

XMLWordPrintable

      There is wrong assumption about the password for the Identity is always clear password in the SubjectCreator.There could be md5 digest password and other types. Besides this issue, these lines logic seems not correct. These lines to get the clear password should only be needed by isDigest is true:

      RealmIdentity identity = securityDomain.getIdentity(principal.getName());
         if (identity.equals(RealmIdentity.NON_EXISTENT) || identity.getCredential(PasswordCredential.class) == null) {
            throw MESSAGES.authenticationFailed(principal.getName());
         }
         ClearPassword clearPassword = identity.getCredential(PasswordCredential.class).getPassword(ClearPassword.class);
         // only realms supporting getCredential with clear password can be used with Username Token profile
         if (clearPassword == null) {
            throw MESSAGES.authenticationFailed(principal.getName());
         }
         String expectedPassword = new String(clearPassword.getPassword());
         if (isDigest && created != null && nonce != null) { // username token profile is using digest
            // verify client's digest
            if (!getUsernameTokenPasswordDigest(nonce, created, expectedPassword).equals(password)) {
               throw MESSAGES.authenticationFailed(principal.getName());
            }

      https://github.com/jbossws/jbossws-cxf/blob/main/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java#L94-L104

            dvilkola@redhat.com Diana Krepinska
            rhn-engineering-ema Jim Ma
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: