I think there is a problem in the way https://wso2.org/jira/browse/CARBONROADMAP-31 has been implemented.
I think the requirement is, if a service has been secured using UT policy, the client has two options:

1. Send credentials using basic auth HTTP headers
2. Send credentials using SOAP headers

The POXSecurityHandler properly handles those two from the looks of it. However, if the client sends a SOAP message, without the basic auth HTTP headers & without SOAP headers, the current implementation of the POXSecurityHandler sends a basic auth challenge, and not a SOAP fault, which I consider to be wrong.

Thoughts?

--
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com
Member; Apache Software Foundation; http://www.apache.org/

email: az...@wso2.com
cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware
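
Added example, not part of the original message and not the POXSecurityHandler source: a self-contained Python model of the dispatch the message argues for, where a SOAP request carrying neither credential form gets a SOAP fault rather than a basic auth challenge. The function name, the result labels, the precedence when both credential forms are present, and the 401 challenge for non-SOAP (POX) requests are assumptions; the code only detects which credentials are present and does not validate them.

```python
import xml.etree.ElementTree as ET

SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope"}      # SOAP 1.2
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def classify(headers, body):
    """Pick the credential path for a request to a UT-secured service, or the rejection."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    has_basic = auth[:6].lower() == "basic "
    # SOAP forbids DTDs; refuse before parsing (byte check assumes a UTF-8/ASCII body)
    if b"<!DOCTYPE" in body:
        return "reject-malformed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "reject-malformed"
    ns, _, local = root.tag[1:].partition("}") if root.tag[0] == "{" else ("", "", root.tag)
    is_soap = local == "Envelope" and ns in SOAP_NS
    has_ut = False
    if is_soap:
        header = root.find("{%s}Header" % ns)
        has_ut = header is not None and header.find(
            "{%s}Security/{%s}UsernameToken" % (WSSE, WSSE)) is not None
    if has_ut:
        return "ws-security-usernametoken"   # assumption: SOAP header wins if both are sent
    if has_basic:
        return "http-basic"
    # No credentials at all: answer in the protocol the client spoke.
    # Assumption: a non-SOAP (POX) client is the one that gets the 401 challenge.
    return "soap-fault" if is_soap else "http-401-basic-challenge"

# Constructed sample requests (not captured traffic)
ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_BARE = f'<s:Envelope xmlns:s="{ENV}"><s:Body><echo/></s:Body></s:Envelope>'.encode()
SOAP_WITH_UT = (
    f'<s:Envelope xmlns:s="{ENV}" xmlns:w="{WSSE}"><s:Header><w:Security>'
    '<w:UsernameToken><w:Username>alice</w:Username></w:UsernameToken>'
    '</w:Security></s:Header><s:Body><echo/></s:Body></s:Envelope>').encode()
POX = b"<echo/>"

if __name__ == "__main__":
    for name, hdrs, body in [("bare SOAP", {}, SOAP_BARE),
                             ("SOAP + Basic", {"Authorization": "Basic dXNlcjpwYXNz"}, SOAP_BARE),
                             ("SOAP + UT", {}, SOAP_WITH_UT),
                             ("bare POX", {}, POX)]:
        print(f"{name:14s} -> {classify(hdrs, body)}")
```
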