[ https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028178#comment-13028178 ]
Nicolas Poirot commented on CXF-3484:
-------------------------------------

Maybe there is something I didn't understand...

I set up my web application according to http://cxf.apache.org/docs/ws-security.html (Spring XML Configuration), and it was working with cxf 2.2.3: password was provided to my class implementing CallbackHandler and registered via the passwordCallbackRef key in the bean.xml config file.

Now with cxf 2.4.0 (and wss4j 1.6.0), the configuration is the same, but in my class the password is not provided anymore...

What are the changes between the 2 versions? Is there something I missed?

My class:

    public final class PasswordHandler implements CallbackHandler {
        ...
        @Override
        public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                final WSPasswordCallback wpcallback = (WSPasswordCallback) callback;
                if (null == wpcallback.getIdentifier()) {
                    throw new SecurityException("No user provided");
                }
                if (null == wpcallback.getPassword()) {
                    throw new SecurityException("No password provided");
                }
                ...
            }
            ...
        }
    }

> Password set to null in UsernameTokenValidator
> ----------------------------------------------
>
> Key: CXF-3484
> URL: https://issues.apache.org/jira/browse/CXF-3484
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.4
> Environment: Linux, jetty 6.10
> Reporter: Nicolas Poirot
> Priority: Minor
> Labels: UserNameToken, security
> Fix For: Invalid
>
>
> When trying to do basic authentication in Soap header with UserNameToken,
> token is well read from XML, but badly passed to password callback.
> Line 165 of org.apache.ws.security.validate.UsernameTokenValidator :
>     WSPasswordCallback pwCb =
>         new WSPasswordCallback(user, null, pwType,
>             WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.
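
Added example, not part of the original message and not CXF or WSS4J project code: a callback handler written for the WSS4J 1.6 contract, in which the validator passes a null password (as in the constructor call quoted in the issue) and expects the handler to set the stored password for the identifier so that the validator performs the comparison itself. The class name `ExpectedPasswordHandler` and the in-memory map are hypothetical.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public final class ExpectedPasswordHandler implements CallbackHandler {

    // Hypothetical credential source (identifier -> stored password).
    // A deployment would look this up in its own user store instead.
    private final Map<String, String> expectedPasswords;

    public ExpectedPasswordHandler(final Map<String, String> expectedPasswords) {
        this.expectedPasswords = expectedPasswords;
    }

    @Override
    public void handle(final Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Unsupported callback type");
            }
            final WSPasswordCallback pc = (WSPasswordCallback) callback;
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // other usages (signature, decryption) are not handled here
            }
            // Under the 1.6 contract assumed here, pc.getPassword() is null at this
            // point: the received password is not handed to the handler.
            final String expected = expectedPasswords.get(pc.getIdentifier());
            if (expected != null) {
                // Supply the stored password; the validator compares it with the
                // value (plaintext or digest) carried in the UsernameToken.
                pc.setPassword(expected);
            }
            // Unknown identifier: the password stays null, which the validator
            // treats as a failed authentication (assumed WSS4J 1.6 behaviour).
        }
    }
}
```

Because the handler never sees the client-supplied password, a null check on `getPassword()` on entry, like the one in the class above, fails on every request under this contract.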