[ http://jira.codehaus.org/browse/XFIRE-387?page=comments#action_64899 ]
Tomasz Sztelak commented on XFIRE-387:
--------------------------------------
Exactly. If you send the password in plain form, the value from the callback is
ignored. It's not even tested whether it matches the password provided inside the message.
You can try to validate the password inside the callback and throw an exception if it fails,
or just ignore it and use an XFire handler to perform authentication on data from the
MessageContext.
e.g.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class MyPasswordHandler implements CallbackHandler {
    // user id -> password known to the service (fill from your user store)
    private final Map passwords = new HashMap();

    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        // Ignore plain password case: WSS4J does not use the value set here
        if (WSPasswordCallback.USERNAME_TOKEN_UNKNOWN == pc.getUsage()) {
            return;
        }
        // Hashed password case, provide valid password so WSS4J can verify the digest
        String id = pc.getIdentifer(); // WSS4J 1.x spelling of the accessor
        pc.setPassword((String) passwords.get(id));
    }
}
> USERNAME_TOKEN is not validating password from PasswordCallback
> ---------------------------------------------------------------
>
> Key: XFIRE-387
> URL: http://jira.codehaus.org/browse/XFIRE-387
> Project: XFire
> Type: Bug
> Versions: 1.1-RC1
> Environment: jdk1.5.0_06
> Reporter: Brian Bonner
> Assignee: Tomasz Sztelak
> Attachments: ws-security-testcase-patch.txt
>
>
> Does the password use the callback value only if Digest is specified?
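The comment above describes the other option for the plain-text case: validating the password inside the callback and throwing if it does not match. The handler below is an added example written for this page, not XFire's or WSS4J's own code. It assumes the WSS4J 1.x `WSPasswordCallback` API that the comment already uses (`getIdentifer()`, `getUsage()`, `USERNAME_TOKEN_UNKNOWN`), a constructed in-memory user store standing in for a real identity backend, and a hypothetical `constantTimeEquals` helper so the comparison does not leak the match length through timing. In the plain-text branch the password set by the handler is ignored, so the check itself is what rejects a bad credential; in the digest branch the handler only supplies the stored password and WSS4J does the comparison.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Example handler (not XFire/WSS4J code): validates plain-text UsernameTokens
 * in the callback and supplies the stored password for digest tokens.
 */
public class ValidatingPasswordHandler implements CallbackHandler {

    // Constructed sample user store; a real service reads this from its identity backend.
    private final Map<String, String> passwords = new HashMap<String, String>();

    public ValidatingPasswordHandler() {
        passwords.put("alice", "sample-secret"); // constructed sample credential
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String id = pc.getIdentifer();          // WSS4J 1.x spelling of the accessor
            String expected = passwords.get(id);

            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plain-text token: the password from the message arrives in the callback
                // and anything we set is ignored, so this check is the only one that runs.
                // Throwing here makes the security processing reject the message.
                if (expected == null || !constantTimeEquals(expected, pc.getPassword())) {
                    throw new IOException("authentication failed for user " + id);
                }
            } else {
                // Digest token: hand back the stored password; WSS4J recomputes the
                // digest from nonce + created + password and compares it itself.
                if (expected == null) {
                    throw new IOException("unknown user " + id);
                }
                pc.setPassword(expected);
            }
        }
    }

    /** Hypothetical helper: compares two strings without short-circuiting on the first mismatch. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        byte[] x = a.getBytes();
        byte[] y = b.getBytes();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

Register this class as the password callback handler for the inbound WSS4J handler exactly as you would the original `MyPasswordHandler`; the difference is only that a plain-text token with a wrong password now fails inside `handle()` instead of passing through unchecked.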
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira