Revert "[JBWS-4389] Use TwoWayPassword in a UsernameToken profile ins…

…tead of ClearPassword" This reverts commit 7cc0bf7.
jbliznak · Nov 12, 2023 · eaca703 · eaca703
1 parent 249eb28
commit eaca703
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 185 deletions.
diff --git a/modules/client/src/main/java/org/jboss/wsf/stack/cxf/i18n/Loggers.java b/modules/client/src/main/java/org/jboss/wsf/stack/cxf/i18n/Loggers.java
@@ -260,12 +260,4 @@ public interface Loggers extends BasicLogger
     @LogMessage(level = ERROR)
     @Message(id = 24115, value = "Failed to compute UsernameToken profile digest from expected password")
     void failedToComputeUsernameTokenProfileDigest();
-
-    @LogMessage(level = TRACE)
-    @Message(id = 24116, value = "Plain text password for principal: %s must be recoverable when UsernameToken Profile is used with PasswordDigest")
-    void plainTextPasswordMustBeRecoverable(String principal, @Cause Throwable cause);
-
-    @LogMessage(level = TRACE)
-    @Message(id = 24117, value = "Security realm is not available, could not authenticate a user, principal=%s")
-    void realmNotAvailable(String principal);
 }
diff --git a/.../server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java b/.../server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
@@ -27,27 +27,24 @@
 import java.io.ByteArrayOutputStream;
 import java.io.UnsupportedEncodingException;
 import java.nio.ByteBuffer;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
-import java.security.spec.InvalidKeySpecException;
 import java.util.Base64;
 import java.util.Calendar;
 import java.util.TimeZone;
 
 import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
 
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
 import org.jboss.wsf.spi.security.SecurityDomainContext;
+import org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallbackHandler;
 import org.jboss.wsf.stack.cxf.security.nonce.NonceStore;
 import org.wildfly.security.auth.server.RealmIdentity;
 import org.wildfly.security.auth.server.RealmUnavailableException;
 import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.credential.PasswordCredential;
-import org.wildfly.security.password.PasswordFactory;
-import org.wildfly.security.password.TwoWayPassword;
-import org.wildfly.security.password.spec.ClearPasswordSpec;
+import org.wildfly.security.password.interfaces.ClearPassword;
 
 /**
  * Creates Subject instances after having authenticated / authorized the provided
@@ -103,17 +100,12 @@ public Subject createSubject(SecurityDomainContext ctx, String name, String pass
          }
          if (isDigest && created != null && nonce != null) { // username token profile is using digest
             // verify client's digest
-            TwoWayPassword recoveredTwoWayPassword = identity.getCredential(PasswordCredential.class).getPassword(TwoWayPassword.class);
-            if (recoveredTwoWayPassword == null) {
-               SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null);
-               throw MESSAGES.authenticationFailed(principal.getName());
-            }
-            PasswordFactory passwordFactory = PasswordFactory.getInstance(recoveredTwoWayPassword.getAlgorithm());
-            String expectedPassword = new String(passwordFactory.getKeySpec(passwordFactory.translate(recoveredTwoWayPassword), ClearPasswordSpec.class).getEncodedPassword());
-            // only realms supporting getCredential with plain text password can be used with PasswordDigest type
-            if (expectedPassword.isEmpty()) {
+            ClearPassword clearPassword = identity.getCredential(PasswordCredential.class).getPassword(ClearPassword.class);
+            // only realms supporting getCredential with clear password can be used with Username Token profile
+            if (clearPassword == null) {
                throw MESSAGES.authenticationFailed(principal.getName());
             }
+            String expectedPassword = new String(clearPassword.getPassword());
             if (!getUsernameTokenPasswordDigest(nonce, created, expectedPassword).equals(password)) {
                throw MESSAGES.authenticationFailed(principal.getName());
             }
@@ -128,10 +120,6 @@ public Subject createSubject(SecurityDomainContext ctx, String name, String pass
          }
 
       } catch (RealmUnavailableException e) {
-         SECURITY_LOGGER.realmNotAvailable(principal.getName());
-         throw MESSAGES.authenticationFailed(principal.getName());
-      } catch (InvalidKeyException | InvalidKeySpecException | NoSuchAlgorithmException e) {
-         SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), e.getCause());
          throw MESSAGES.authenticationFailed(principal.getName());
       }
 

diff --git a/modules/testsuite/cxf-tests/src/test/cli/jbws-testsuite-default-elytron.cli b/modules/testsuite/cxf-tests/src/test/cli/jbws-testsuite-default-elytron.cli
@@ -95,25 +95,6 @@ echo JBossWSDigest domain config
 ./subsystem=undertow/application-security-domain=JBossWSDigest \
    :add(http-authentication-factory=JBossWSDigest)
 
-##----- JAASJBossWSDigestPropertiesRealm domain config ---------
-##----- JAASJBossWSDigestPropertiesRealm domain config ---------
-echo JBossWSDigest domain config
-# 1.
-./subsystem=elytron/properties-realm=JAASJBossWSDigestPropertiesRealm \
-   :add(users-properties={path=$testResourcesDir/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jbossws-users-digest.properties, plain-text=false}, \
-   groups-properties={path=$testResourcesDir/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jbossws-roles.properties})
-# 2.
-./subsystem=elytron/security-domain=JBossWSDigestPropertiesDomain \
-   :add(default-realm=JAASJBossWSDigestPropertiesRealm, permission-mapper=default-permission-mapper, \
-   realms=[{realm=JAASJBossWSDigestPropertiesRealm,role-decoder=groups-to-roles}])
-# 3.
-./subsystem=elytron/http-authentication-factory=JBossWSDigestProperties \
-   :add(security-domain=JBossWSDigestPropertiesDomain, http-server-mechanism-factory=global, \
-   mechanism-configurations=[{mechanism-name=BASIC, \
-   mechanism-realm-configurations=[{realm-name=JAASJBossWSDigestPropertiesRealm}] }])
-# 4.
-./subsystem=undertow/application-security-domain=JBossWSDigestPropertiesDomain \
-   :add(http-authentication-factory=JBossWSDigestProperties)
 
 ##----- JAASJBossWS domain config ---------
 echo JAASJBossWS domain config

diff --git a/...ws/samples/wsse/policy/jaas/UsernameAuthorizationTextDigestedPropertiesRealmTestCase.java b/...ws/samples/wsse/policy/jaas/UsernameAuthorizationTextDigestedPropertiesRealmTestCase.java
diff --git a/...sts/src/test/resources/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jboss-web-digest.xml b/...sts/src/test/resources/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jboss-web-digest.xml
diff --git a/...t/resources/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jbossws-users-digest.properties b/...t/resources/jaxws/samples/wsse/policy/jaas/digest/WEB-INF/jbossws-users-digest.properties