[WSS-252] org.apache.ws.security.processor.UsernameTokenProcessor is not thread safe/prone to hacker attacks - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Won't Fix
Affects Version/s: 1.5.9
Fix Version/s: None
Component/s: WSS4J Handlers
Labels:
None
Environment:
Any

Description

The UsernameTokenProcessorshould be thread safe, but it caches the UsernameToken (ut) and its ID (utId). This may allow a hacker to access the system with incorrect password if two threads happen to go through the code in parallel.

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Marek Cyzio

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 16/Nov/10 20:45

Updated:: 03/Oct/11 09:02

Resolved:: 11/Feb/11 12:11