Steve, well, at the level of the WSSecurityEngine we could add the original exception that causes the WSSecurityException.

On the other hand, if you supply too much information about why a specific security check failed, you may give a malicious person who tries to attack your system additional info on how to proceed with the attack. Thus we decided to just say: "no password for xyz". This does not give info on whether there is a user "xyz" that has no password, or whether there is a user "xyz" at all.

Regards,
Werner

> -----Original Message-----
> From: Steve Brunton [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 July 2005 20:59
> To: [email protected]
> Subject: PasswordCallback exception messages
>
>
> Had a co-worker writing some testing code against a SOAP service that I
> wrote that is protected with WS-Security using a Timestamp and
> UsernameToken in the Security Header. As he was trying to debug his
> application he kept on telling me that he was getting an error of:
>
> WSSecurityEngine: Callback supplied no password for: [EMAIL PROTECTED]
>
> even though he knew that a password was being supplied in the request,
> and when we watched through the TCP Monitor sure enough it was there.
>
> In backtracking through, it looks like in the WSSecurityEngine it is
> catching the UnsupportedCallbackException that I throw in my
> PasswordCallbackHandler and not using the error message that I supply.
> If there is no user in the LDAP call I throw an
> UnsupportedCallbackException with a "noSuchUser" message. In the Engine
> on line 887 it catches that and then defaults to a "noPassword" message
> when it throws the WSSecurityException. Is this the planned operation or
> should it allow different error responses to flow back up the Exception
> chain?
>
> --
> Steve Brunton <[EMAIL PROTECTED]> Phone: 404-885-2436
> Chief Engineer AOL IM : schitzo42
> CNN Internet Technologies ICBM: 84W 23' 45" 33N 45' 29"
> <*> Borrow money from pessimists-they don't expect it back. <*>
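The pattern Werner describes, as an added example that is not WSS4J's own code and not from either message above: the application's callback handler may throw a detailed UnsupportedCallbackException ("noSuchUser"), but the engine-side lookup collapses every failure into the same client-visible message and keeps the detailed cause only in the server log. To keep it self-contained it uses the JDK's javax.security.auth.callback.PasswordCallback in place of WSS4J's WSPasswordCallback, carries the user name in the callback prompt (an assumption of this example, not a WSS4J convention), and replaces the LDAP directory with a constructed in-memory map.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

public class PasswordCallbackDemo {

    private static final Logger LOG = Logger.getLogger(PasswordCallbackDemo.class.getName());

    /** Constructed stand-in for the LDAP directory: user name -> password (null = no password attribute). */
    private static final Map<String, char[]> DIRECTORY = new HashMap<>();
    static {
        DIRECTORY.put("alice", "s3cret".toCharArray());
        DIRECTORY.put("bob", null);          // user exists but has no password
        // "mallory" is deliberately absent: no such user
    }

    /** Application-side handler, like the one in the thread: reports the precise reason it failed. */
    static class LdapPasswordCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "unrecognized callback");
                }
                PasswordCallback pc = (PasswordCallback) cb;
                String user = pc.getPrompt();            // assumption: prompt carries the user name
                if (!DIRECTORY.containsKey(user)) {
                    throw new UnsupportedCallbackException(cb, "noSuchUser: " + user);
                }
                pc.setPassword(DIRECTORY.get(user));     // may be null when the entry has no password
            }
        }
    }

    /** The only exception type that leaves the engine; it deliberately carries no cause. */
    static class SecurityCheckException extends Exception {
        SecurityCheckException(String msg) { super(msg); }
    }

    /**
     * Engine-side lookup modelled on the behaviour Werner describes: "no such user",
     * "user without password" and "handler refused the callback" all produce the same
     * message for the caller, while the distinguishing detail goes to the server log only.
     */
    static char[] lookupPassword(CallbackHandler handler, String user) throws SecurityCheckException {
        final String clientMessage = "Callback supplied no password for: " + user;
        PasswordCallback pc = new PasswordCallback(user, false);
        try {
            handler.handle(new Callback[]{pc});
        } catch (UnsupportedCallbackException | IOException e) {
            LOG.log(Level.FINE, "password callback failed for " + user, e);   // detail stays server-side
            throw new SecurityCheckException(clientMessage);
        }
        char[] pw = pc.getPassword();
        if (pw == null) {
            LOG.fine("directory entry for " + user + " has no password");
            throw new SecurityCheckException(clientMessage);
        }
        return pw;
    }

    public static void main(String[] args) {
        CallbackHandler handler = new LdapPasswordCallbackHandler();
        for (String user : new String[]{"alice", "bob", "mallory"}) {
            try {
                lookupPassword(handler, user);
                System.out.println(user + ": password obtained");
            } catch (SecurityCheckException e) {
                // bob (exists, no password) and mallory (does not exist) are indistinguishable here
                System.out.println(user + ": " + e.getMessage());
            }
        }
    }
}
```

Run with `javac PasswordCallbackDemo.java && java PasswordCallbackDemo`; raising the logger level for the class to FINE shows the "noSuchUser" detail on the server side while the printed (client-facing) line stays the same for "bob" and "mallory". The SecurityCheckException intentionally omits the cause so that a SOAP fault built from the exception, including any stack trace an error handler might serialize, cannot carry the distinguishing detail to the client.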
