  1. Spring Web Services
  2. SWS-514

SpringPlainTextPasswordValidationCallbackHandler doesn't override handleUsernameToken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 1.5.6
    • Fix Version/s: 1.5.7
    • Component/s: Security
    • Labels:
      None

      Description

      SpringPlainTextPasswordValidationCallbackHandler overrides handleUsernameTokenUnknown() with code that looks like it should be in handleUsernameToken(), i.e. the code that actually delegates to Spring Security's AuthenticationManager.

      The result is that the class doesn't work at all, throwing an UnsupportedCallbackException for all authentication attempts. Moving the relevant code to handleUsernameToken() fixes things and all works as expected.

        Activity

        craigday Craig Day created issue -
        arjen.poutsma Arjen Poutsma made changes -
        Field Original Value New Value
        Fix Version/s 1.5.7 [ 11173 ]
        arjen.poutsma Arjen Poutsma made changes -
        Assignee Arjen Poutsma [ arjen.poutsma ] Tareq Abed Rabbo [ tareq ]
        tareq Tareq Abedrabbo added a comment -

        Hi Craig,

        Could you share some more details to help understand the issue? What application context configuration are you using? Sample code would be ideal.

        Thanks,

        Tareq

        arjen.poutsma Arjen Poutsma added a comment -

        I think Craig was suggesting that the WSS4J SpringPlainTextPasswordValidationCallbackHandler also override the method handleUsernameToken(). At this point, it only overrides handleUsernameTokenUnknown. I don't know why this is, can you shine a little light on this, Tareq?

        tareq Tareq Abedrabbo made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        tareq Tareq Abedrabbo added a comment -

        Craig,

        SpringPlainTextPasswordValidationCallbackHandler's handleUsernameTokenUnknown is called to handle plain text username tokens solely (yes, wss4j's choice of name is a bit unfortunate here).
        I suspect you're configuring your security interceptor with a SpringPlainTextPasswordValidationCallbackHandler while the username tokens you're receiving contain digest passwords, in which case you should use SpringDigestPasswordValidationCallbackHandlerTest.

        Tareq

        arjen.poutsma Arjen Poutsma made changes -
        Assignee Tareq Abed Rabbo [ tareq ] Arjen Poutsma [ arjen.poutsma ]
        arjen.poutsma Arjen Poutsma added a comment -

        Closing as invalid for now, we can always reopen for 1.5.8

        arjen.poutsma Arjen Poutsma made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Invalid [ 6 ]
        craigday Craig Day added a comment -

        Hi Arjen, Tareq,

        I've had a chance to have another look at this and Tareq is correct. I am using plaintext passwords, but at the time my test client must have been generating hashed/digest requests. The auth requests now end up on the very poorly named handleUsernameTokenUnknown() method - Thanks for your time.

        Cheers
        Craig

        arjen.poutsma Arjen Poutsma added a comment -

        Closing old issues

        arjen.poutsma Arjen Poutsma made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition                Time In Source Status   Execution Times   Last Executer     Last Execution Date
        Open -> In Progress       1d 4h 44m               1                 Tareq Abedrabbo   18/May/09 6:45 AM
        In Progress -> Resolved   1d 16h 3m               1                 Arjen Poutsma     19/May/09 10:49 PM
        Resolved -> Closed        1080d 8h 14m            1                 Arjen Poutsma     04/May/12 7:03 AM
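
The mismatch diagnosed in this thread (digest tokens reaching a handler that only validates plain text ones) can be confirmed from a captured request by reading the Type attribute of wsse:Password. The following is an added example, not code from the issue or from Spring-WS; the class name and sample envelope are constructed, and the routing of digest tokens to handleUsernameToken() is inferred from the thread.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical diagnostic class: reports which callback a UsernameToken needs.
public class UsernameTokenPasswordType {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PROFILE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";

    static String expectedCallback(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Captured requests are untrusted input: refuse DTDs so the parser cannot resolve entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soapXml)));
        NodeList pw = doc.getElementsByTagNameNS(WSSE, "Password");
        if (pw.getLength() == 0) return "no wsse:Password element";
        String type = ((Element) pw.item(0)).getAttribute("Type"); // "" when absent
        // The UsernameToken profile treats a missing Type as PasswordText.
        if (type.isEmpty() || type.equals(PROFILE + "#PasswordText"))
            return "handleUsernameTokenUnknown (plain text)";
        // Assumption inferred from the thread: digest tokens go to handleUsernameToken().
        if (type.equals(PROFILE + "#PasswordDigest"))
            return "handleUsernameToken (digest)";
        return "unrecognised Type: " + type;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of the kind of request the reporter's test client was sending.
        String digestReq = "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'"
            + " xmlns:wsse='" + WSSE + "'><soap:Header><wsse:Security><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password Type='" + PROFILE + "#PasswordDigest'>CONSTRUCTED-DIGEST</wsse:Password>"
            + "<wsse:Nonce>CONSTRUCTED-NONCE</wsse:Nonce>"
            + "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>";
        String plainReq = digestReq.replace("#PasswordDigest", "#PasswordText");
        System.out.println("digest request -> " + expectedCallback(digestReq));
        System.out.println("plain request  -> " + expectedCallback(plainReq));
    }
}
```

If the reported callback differs from the one the configured handler overrides, the UnsupportedCallbackException described in the issue is the expected outcome, and either the client's password type or the server's handler needs to change.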

          People

          • Assignee:
            arjen.poutsma Arjen Poutsma
            Reporter:
            craigday Craig Day
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: