[ http://jira.codehaus.org/browse/XFIRE-387?page=comments#action_64944 ]
Tomasz Sztelak commented on XFIRE-387:
--------------------------------------

Yes, in the case of a hashed password, an exception is thrown if the password doesn't match.
This is a piece of code from wss4j:

    String origPassword = pwCb.getPassword();
    if (origPassword == null) {
        throw new WSSecurityException(WSSecurityException.FAILURE,
                "noPassword", new Object[]{user});
    }
    if (nonce != null && createdTime != null) {
        String passDigest = UsernameToken.doPasswordDigest(nonce, createdTime, origPassword);
--->>>  if (!passDigest.equals(password)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }

But this code is executed only for hashed passwords. Hmm, I don't know why this works in different ways. Maybe it's overlooked by wss4j developers ;).

> USERNAME_TOKEN is not validating password from PasswordCallback
> ---------------------------------------------------------------
>
>          Key: XFIRE-387
>          URL: http://jira.codehaus.org/browse/XFIRE-387
>      Project: XFire
>         Type: Bug
>     Versions: 1.1-RC1
>  Environment: jdk1.5.0_06
>     Reporter: Brian Bonner
>     Assignee: Tomasz Sztelak
>  Attachments: ws-security-testcase-patch.txt
>
>
> Does the password use the callback value only if Digest is specified?
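
The check discussed in the comment above, as an added example that is not part of the original message and is not wss4j or XFire code: it validates a UsernameToken password in both the digest and the plain-text case, going beyond the quoted snippet, which covers only the digest branch. The class and method names are hypothetical, the sample values are constructed, and the digest formula Base64(SHA-1(nonce + created + password)) is assumed from the WS-Security UsernameToken Profile.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical stand-alone class; uses only the JDK (Java 8+), no wss4j types.
public class UsernameTokenCheck {

    // Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is hashed as decoded bytes.
    static String passwordDigest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Comparison that does not stop at the first differing byte.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // stored:   password returned by the callback for this user (null if the user is unknown)
    // received: content of the wsse:Password element
    // nonceB64, created: present only when the token carries a digest
    static boolean verify(String stored, String received, String nonceB64, String created) throws Exception {
        if (stored == null || received == null) {
            return false;
        }
        if (nonceB64 != null && created != null) {
            return same(passwordDigest(nonceB64, created, stored), received);
        }
        // Plain-text token: compare explicitly instead of accepting whatever was sent.
        return same(stored, received);
    }

    public static void main(String[] args) throws Exception {
        String stored = "s3cret"; // constructed sample values
        String nonce = Base64.getEncoder().encodeToString("constructed-nonce".getBytes(StandardCharsets.UTF_8));
        String created = "2006-05-10T12:00:00Z";
        String wrong = passwordDigest(nonce, created, "guess");
        System.out.println("digest, right password: " + verify(stored, passwordDigest(nonce, created, stored), nonce, created));
        System.out.println("digest, wrong password: " + verify(stored, wrong, nonce, created));
        System.out.println("text, right password:   " + verify(stored, "s3cret", null, null));
        System.out.println("text, wrong password:   " + verify(stored, "guess", null, null));
    }
}
```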