Werner, can you point me to a link to find this? I can't find anything that describes the reason behind the behavior.
I've searched here: http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ?highlight=%28wss4j%29
Thanks. On 5/8/06, Werner Dittmann <[EMAIL PROTECTED]> wrote:
Please have a look at the WSS4J Wiki - there is an explanation of this behavior and the reason behind it.

Regards,
Werner

Brian Bonner wrote:
> The callback handler for Passwords is called for both the Plaintext and the Digest scenarios.
>
> However, it appears that only in the Digest scenario are the passwords checked with one another. This doesn't seem to be consistent.
>
> If the password returned for plaintext authentication doesn't match the password being sent in on the request, shouldn't a
>
> WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
>
> also be thrown?
>
> I believe this is happening because of the following:
>
> 1. The UsernameToken has:
>
> protected boolean hashed = true;
>
> so the default is that the CallbackHandler is called regardless of whether it's Plaintext or Digest.
>
> Second, this agrees with the specification of WSHandlerConstants, which states that the default is PW_DIGEST.
>
> Yet according to this documentation (line 173 on page 9), PW_TEXT should be the default.
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
>
> I realize that for WSS4J the desire is to have people use Digest authentication by default, but this can cause confusion with people who are new to WSS4J and sending requests in using plaintext over SSL connections.
>
> 2. The UsernameTokenProcessor only hits the callback if the usernameToken is hashed.
>
> Based on this it appears that the original intent was that the CallbackHandler would only be for Digest passwords.
>
> This would also seem to indicate that the CallbackHandler is not the place to call a login module to verify that the user is authenticated.
>
> To me, this is confusing.
>
> This can probably be fixed by changing hashed = false and changing the WSHandlerConstants docs, which would make it more consistent with the OASIS docs. But it seems like there is an opportunity to hook into a login module here for security purposes.
>
> Thanks,
>
> Brian
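The point Brian raises is that for a plaintext UsernameToken the callback handler, not WSS4J, ends up responsible for the comparison. The following is an added example (not code from the thread or from WSS4J itself) of a handler that covers both cases. It assumes a WSS4J 1.5-era WSPasswordCallback API in which the processor calls the handler with usage USERNAME_TOKEN for a digest token (handler supplies the stored password and WSS4J compares the digest) and with USERNAME_TOKEN_UNKNOWN for a plaintext token (handler receives the sent password and must verify it), and that an IOException from the handler is turned into a FAILED_AUTHENTICATION fault by the processor; the credential store is a constructed stub.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Assumed WSS4J 1.5-style password callback handling both token flavours.
public class UsernameTokenPasswordHandler implements CallbackHandler {

    // Constructed sample credential store; a real handler would query a user directory.
    private static final Map<String, String> STORE = new HashMap<String, String>();
    static { STORE.put("alice", "s3cret"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = STORE.get(pc.getIdentifier());
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest token: return the stored password; WSS4J recomputes the
                    // digest over nonce + created + password and does the comparison.
                    if (stored == null) throw new IOException("unknown user");
                    pc.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Plaintext token: WSS4J hands over the password from the message and
                    // does NOT compare it, so the handler must verify and fail loudly
                    // (the thrown IOException is assumed to become FAILED_AUTHENTICATION).
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("authentication failed");
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pc.getUsage());
            }
        }
    }

    // Length-independent comparison so a mismatch does not leak how many leading
    // characters matched through timing.
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) return false;
        int diff = expected.length() ^ actual.length();
        for (int i = 0; i < expected.length() && i < actual.length(); i++) {
            diff |= expected.charAt(i) ^ actual.charAt(i);
        }
        return diff == 0;
    }
}
```

If the deployment relies on WSS4J's digest comparison only, a plaintext token from a caller who changes the password type would be accepted by a handler that merely calls setPassword, which is exactly the gap the thread describes.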
