Dan,
you are right. there is a setting in the WSSConfig obj to allow accepting out of spec password. however, WSS4JInInterceptor did not set WSSConfig before this call: wsResult = getSecurityEngine().processSecurityHeader(...) therefore, the securityEngine simply get the default WSSConfig, the setting does not take effect. i think the correct way should be: getSecurityEngine().setWssConfig(reqData.getWssConfig()); wsResult = getSecurityEngine().processSecurityHeader(...) am i right? dkulp wrote: > > > According to spec, the "Username" and "Password" child elements of > "UsernameToken" are NOT supposed to be qualified. The message you put > here > has them qualified. > > I think there is a setting in the WSConfig object to allow accepting the > out > of spec name/passwords, I'm just not sure how that would be used with the > WSS4JInInterceptor. I added some code last week to allow configuring in > a > specific WSConfig object relatively easily, but that's not available in a > release yet. > > Dan > > > -- View this message in context: http://old.nabble.com/An-invalid-security-token-was-provided-%28Bad-UsernameToken-Values%29-tp27429163p27456566.html Sent from the cxf-user mailing list archive at Nabble.com.