Fred, Ruchith, all,

first of all - thanks to Fred for taking action on all the open issues :-)

As for WSS-54: in the original implementation, "handleUsernameToken()" checked both types of passwords. After some discussions on the mailing list (back in 2004, WSS4J's stone age :-) ) we modified the behaviour to check only the hashed passwords. The main reason was (as far as I can remember):

- only for hashed passwords do the WS-Security specs define how to validate it (using nonce, created time etc.)
- the plain password is just "plain" text - no validation is specified, thus we decided not to implement a check in the handler but to leave the check to the server application.

You may refer to the following archived e-mail discussion:
http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200409.mbox/[EMAIL PROTECTED]

IMHO implementing this patch breaks a behaviour that WSS4J has provided for a long time and thus may break applications.

Regards,
Werner

> -----Original Message-----
> From: ext Fred Dushin [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 15 April 2008 01:51
> To: wss4j-dev
> Subject: WSS-54
>
> Hi Ruchith,
>
> Could I ask you to take a look at Colm's patch for WSS-54?
>
> https://issues.apache.org/jira/browse/WSS-54
>
> I'm +1 on the change, but I see you had some important comments in the
> Jira trail, and before committing the change (or asking you to), I'd
> like to make sure you're in agreement with it.
>
> Thanks!
> -Fred
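The distinction drawn in the message above, as an added example that is not part of the original e-mail and is not WSS4J code: the OASIS UsernameToken Profile defines the digest as Base64(SHA-1(nonce + created + password)), so a handler can verify it, while a PasswordText value comes with no validation rule and is handed on. The class, the `check` method and the `Outcome` enum are hypothetical names, and all sample values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class UsernameTokenCheck { // hypothetical class, not part of WSS4J
    // Password type URIs from the OASIS UsernameToken Profile 1.0.
    static final String NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    static final String DIGEST = NS + "#PasswordDigest";
    static final String TEXT = NS + "#PasswordText";
    enum Outcome { VERIFIED, REJECTED, LEFT_TO_APPLICATION }

    // SHA-1 over the decoded nonce bytes, the Created string and the password.
    static byte[] digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return sha1.digest();
    }

    // Handler-side check. Assumption of this sketch: a digest token must carry
    // both Nonce and Created, otherwise it is rejected.
    static Outcome check(String type, String value, String nonceB64, String created,
                         String storedPassword) throws Exception {
        if (TEXT.equals(type)) {
            return Outcome.LEFT_TO_APPLICATION; // the spec gives no rule to apply here
        }
        if (!DIGEST.equals(type) || value == null || nonceB64 == null || created == null) {
            return Outcome.REJECTED;
        }
        try {
            Base64.Decoder b64 = Base64.getDecoder();
            byte[] expected = digest(b64.decode(nonceB64), created, storedPassword);
            // MessageDigest.isEqual compares the two arrays in constant time.
            return MessageDigest.isEqual(expected, b64.decode(value))
                ? Outcome.VERIFIED : Outcome.REJECTED;
        } catch (IllegalArgumentException malformedBase64) {
            return Outcome.REJECTED;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real message.
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);
        String created = "2008-04-15T01:51:00Z";
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String sent = Base64.getEncoder().encodeToString(digest(nonce, created, "constructed-secret"));
        System.out.println(check(DIGEST, sent, nonceB64, created, "constructed-secret"));
        System.out.println(check(DIGEST, sent, nonceB64, created, "other-secret"));
        System.out.println(check(TEXT, "constructed-secret", null, null, "constructed-secret"));
    }
}
```

A complete validator would also reject stale Created values and nonces it has already seen; that replay check is left out here.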
