
Apache CXF Username Token Broken Validation

Apache CXF versions 2.4.5 and 2.5.1 fail to validate a WS-Security UsernameToken received in the security header of a SOAP request against a WS-SP UsernameToken policy: the policy assertion is reported as satisfied without checking that the token is actually present.

A malicious client could send a request to the endpoint with no UsernameToken, and the UsernameToken policy requirement would still be marked as valid.
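The check that was missing, as an added example written for this page (not CXF's own code): a UsernameToken policy assertion is only satisfied when a wsse:UsernameToken really sits inside a wsse:Security header, and a request without one is rejected. The SOAP envelopes are constructed samples.

```python
# Added example, not part of Apache CXF. Namespace URIs are the standard
# SOAP 1.1 and WS-Security 1.0 (wsse) namespaces; the envelopes are constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def username_token_present(envelope_xml: str) -> bool:
    """True only if a wsse:UsernameToken is inside a wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return False  # no header at all: the policy cannot be satisfied
    for security in header.findall(f"{{{WSSE_NS}}}Security"):
        if security.find(f"{{{WSSE_NS}}}UsernameToken") is not None:
            return True
    return False  # a token elsewhere (e.g. in the Body) does not count


def enforce_username_token_policy(envelope_xml: str) -> None:
    """Fail closed: raise when the policy requires a token that is missing."""
    if not username_token_present(envelope_xml):
        raise PermissionError("UsernameToken policy assertion not satisfied")


WITH_TOKEN = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""

# The request the advisory describes: no UsernameToken at all.
WITHOUT_TOKEN = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header/>
  <soap:Body><Ping/></soap:Body>
</soap:Envelope>"""

# A token outside the Security header must not satisfy the policy either.
TOKEN_IN_BODY = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header><wsse:Security/></soap:Header>
  <soap:Body><wsse:UsernameToken><wsse:Username>x</wsse:Username></wsse:UsernameToken></soap:Body>
</soap:Envelope>"""
```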