[ 
https://issues.apache.org/jira/browse/CXF-3484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028178#comment-13028178
 ] 

Nicolas Poirot commented on CXF-3484:
-------------------------------------

Maybe there is something I didn't understand...

I set up my web application according to 
http://cxf.apache.org/docs/ws-security.html (Spring XML Configuration), and it 
was working with cxf 2.2.3: password was provided to my class implementing 
CallbackHandler and registered via the passwordCallbackRef key in the bean.xml 
config file.

Now with cxf 2.4.0 (and wss4j 1.6.0), the configuration is the same, but in my 
class the password is not provided anymore...

What are the changes between the 2 versions? Is there something I missed?

My class:
public final class PasswordHandler implements CallbackHandler {
  ...
  @Override
  public void handle(final Callback[] callbacks) throws IOException, 
UnsupportedCallbackException {
    for (Callback callback : callbacks) {
      final WSPasswordCallback wpcallback = (WSPasswordCallback) callback;
      if (null == wpcallback.getIdentifier()) {
        throw new SecurityException("No user provided");
      }
      if (null == wpcallback.getPassword()) {
        throw new SecurityException("No password provided");
      }
      ...
    }
    ...
  }
}


> Password set to null in UsernameTokenValidator
> ----------------------------------------------
>
>                 Key: CXF-3484
>                 URL: https://issues.apache.org/jira/browse/CXF-3484
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.4
>         Environment: Linux, jetty 6.10
>            Reporter: Nicolas Poirot
>            Priority: Minor
>              Labels: UserNameToken, security
>             Fix For: Invalid
>
>
> When trying to do basic authentication in Soap header with UserNameToken, 
> token is well read from XML, but badly passed to password callback.
> Line 165 of org.apache.ws.security.validate.UsernameTokenValidator :
> WSPasswordCallback pwCb = 
>             new WSPasswordCallback(user, null, pwType, 
> WSPasswordCallback.USERNAME_TOKEN, data);
> The password is set to null, while it has been correctly read just before.
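
Added example, not part of the original message and not CXF or WSS4J code: with WSS4J 1.6 the UsernameTokenValidator creates the callback with a null password (the line quoted above) and expects the handler to supply the stored password, which the validator then compares with the one received in the token. The class name, the in-memory map and its sample entry are constructed for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler for WSS4J 1.6: it supplies the expected password
// instead of reading the one sent by the client.
public final class SupplyingPasswordHandler implements CallbackHandler {

    // Constructed sample store; a real deployment would query its own
    // credential backend here.
    private final Map<String, String> passwords =
            new ConcurrentHashMap<String, String>();

    public SupplyingPasswordHandler() {
        passwords.put("alice", "constructed-sample-password");
    }

    @Override
    public void handle(final Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "Only WSPasswordCallback is handled");
            }
            final WSPasswordCallback pc = (WSPasswordCallback) callback;
            // Only answer UsernameToken requests; other usages are ignored.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue;
            }
            final String user = pc.getIdentifier();
            if (user == null) {
                throw new SecurityException("No user provided");
            }
            // getPassword() is null at this point by design: look up the
            // expected value and hand it back to the validator.
            final String expected = passwords.get(user);
            if (expected != null) {
                pc.setPassword(expected);
            }
            // Unknown user: the password stays null, so the validator has
            // nothing to compare against and rejects the token.
        }
    }
}
```
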
