Spring Web Services / SWS-514

SpringPlainTextPasswordValidationCallbackHandler doesn't override handleUsernameToken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 1.5.6
    • Fix Version/s: 1.5.7
    • Component/s: Security
    • Labels:
      None

      Description

      SpringPlainTextPasswordValidationCallbackHandler overrides handleUsernameTokenUnknown() with code that looks like it should be in handleUsernameToken(), i.e. the code that actually delegates to Spring Security's AuthenticationManager.

      The result is that the class doesn't work at all, throwing an UnsupportedCallbackException for all authentication attempts. Moving the relevant code to handleUsernameToken() fixes things and all works as expected.

        Activity

        tareq Tareq Abedrabbo added a comment -

        Hi Craig,

        Could you share some more details to help understand the issue? What application context configuration are you using? Some sample code would be ideal.

        Thanks,

        Tareq

        arjen.poutsma Arjen Poutsma added a comment -

        I think Craig was suggesting that the WSS4J SpringPlainTextPasswordValidationCallbackHandler also override the method handleUsernameToken(). At this point, it only overrides handleUsernameTokenUnknown. I don't know why this is, can you shine a little light on this, Tareq?

        tareq Tareq Abedrabbo added a comment -

        Craig,

        SpringPlainTextPasswordValidationCallbackHandler's handleUsernameTokenUnknown is called to handle plain text username tokens solely (yes, wss4j's choice of name is a bit unfortunate here).
        I suspect you're configuring your security interceptor with a SpringPlainTextPasswordValidationCallbackHandler while the username tokens you're receiving contain digest passwords, in which case you should use SpringDigestPasswordValidationCallbackHandlerTest.

        Tareq

        arjen.poutsma Arjen Poutsma added a comment -

        Closing as invalid for now, we can always reopen for 1.5.8

        craigday Craig Day added a comment -

        Hi Arjen, Tareq,

        I've had a chance to have another look at this and Tareq is correct. I am using plaintext passwords, but at the time my test client must have been generating hashed/digest requests. The auth requests now end up on the very poorly named handleUsernameTokenUnknown() method - Thanks for your time.

        Cheers
        Craig

        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues
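
A way to check which password type a client is actually sending, which is the mismatch this thread settled on. This is an added example, not Spring-WS or WSS4J code; the function names and the sample envelopes are constructed for illustration. It reads the Type attribute of wsse:Password in a captured request and treats an absent Type as plain text, as UsernameToken Profile 1.0 specifies.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TYPES = {
    PROFILE + "#PasswordText": "plaintext",
    PROFILE + "#PasswordDigest": "digest",
}

def password_kind(envelope_xml):
    """Return 'plaintext', 'digest', 'none' (token without a password),
    'unknown' (unrecognised Type URI) or None (no UsernameToken present)."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    password = token.find(f"{{{WSSE}}}Password")
    if password is None:
        return "none"
    type_uri = password.get("Type")
    if type_uri is None:
        return "plaintext"  # profile default when Type is omitted
    return PASSWORD_TYPES.get(type_uri, "unknown")

def handler_mismatch(envelope_xml, configured):
    """configured is 'plaintext' or 'digest', i.e. which kind of validation
    callback handler the security interceptor uses. None means they agree."""
    kind = password_kind(envelope_xml)
    if kind is None:
        return "request has no UsernameToken"
    if kind == configured:
        return None
    return f"request carries a {kind} password, interceptor expects {configured}"

def sample_envelope(password_attrs, password_body):
    """Constructed sample request; not taken from the issue."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}">
  <soapenv:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username>
    <wsse:Password{password_attrs}>{password_body}</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    digest = sample_envelope(f' Type="{PROFILE}#PasswordDigest"', "Q09OU1RSVUNURUQ=")
    # Plain-text handler configured, digest token received: the reported symptom.
    print(handler_mismatch(digest, "plaintext"))
    print(handler_mismatch(sample_envelope("", "constructed-secret"), "plaintext"))
```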


          People

          • Assignee:
            arjen.poutsma Arjen Poutsma
            Reporter:
            craigday Craig Day