Hi Werner,

Please consider the revised patch for WSS-54. I think that for the 2.0 timeframe we need to revisit the way things are handled in UsernameTokenProcessor, as delegating authentication to the password callback handler is not a good solution.

In the meantime, the revised patch preserves the old functionality, along with some extra bits and pieces, mainly the addition of an extra variable to control whether password types other than plaintext or digested are allowed.

Thanks,
Colm.

-----Original Message-----
From: Dittmann, Werner (NSN - DE/Muenich) [mailto:[EMAIL PROTECTED]
Sent: 15 April 2008 08:13
To: ext Fred Dushin; wss4j-dev
Subject: AW: WSS-54

Fred, Ruchith, all,

first of all - thanks to Fred for taking action on all the open issues :-)

As for WSS-54: in the original implementation, "handleUsernameToken()" checked both types of passwords. After some discussions on the mailing list (back in 2004, WSS4J's stone age :-) ) we modified the behaviour to check only the hashed passwords. The main reason was (as far as I can remember):

- only for hashed passwords do the WS-Security specs define how to validate it (using nonce, created time etc.)
- the plain password is just "plain" text - no validation is specified, thus we decided not to implement a check in the handler but to leave the check to the server application.

You may refer to the following archived e-mail discussion:
http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200409.mbox/[EMAIL PROTECTED]

IMHO implementing this patch breaks a behaviour that WSS4J has provided for a long time and thus may break applications.

Regards,
Werner

> -----Original Message-----
> From: ext Fred Dushin [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 15 April 2008 01:51
> To: wss4j-dev
> Subject: WSS-54
>
> Hi Ruchith,
>
> Could I ask you to take a look at Colm's patch for WSS-54?
>
> https://issues.apache.org/jira/browse/WSS-54
>
> I'm +1 on the change, but I see you had some important comments in the
> Jira trail, and before committing the change (or asking you to), I'd
> like to make sure you're in agreement with it.
>
> Thanks!
> -Fred
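The three password cases discussed in this thread, as an added Java illustration that is not part of the thread, the WSS-54 patch or WSS4J itself. The digest formula and type URIs come from the WS-Security UsernameToken Profile; the class, method and `allowOtherTypes` names, the freshness window and the choice to compare plaintext passwords in the handler are assumptions, and nonce replay caching is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

// Added illustration; all names here are hypothetical, not WSS4J API.
public class UsernameTokenCheck {
    static final String NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    static final String PASSWORD_DIGEST = NS + "#PasswordDigest";
    static final String PASSWORD_TEXT = NS + "#PasswordText";

    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the decoded bytes.
    static String digest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(utf8(created));
        sha1.update(utf8(password));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // storedPassword stands for what a password callback would return for the user.
    static boolean validate(String type, String sent, String nonceB64, String created,
                            String storedPassword, boolean allowOtherTypes,
                            Instant now, Duration maxAge) throws Exception {
        if (sent == null || storedPassword == null) return false;
        if (PASSWORD_DIGEST.equals(type)) {
            if (nonceB64 == null || created == null) return false; // assumption: require both
            Instant ts = Instant.parse(created);
            if (ts.isAfter(now) || ts.plus(maxAge).isBefore(now)) return false; // future or stale
            // Constant-time comparison of the recomputed digest with the one received.
            return MessageDigest.isEqual(utf8(digest(nonceB64, created, storedPassword)), utf8(sent));
        }
        if (type == null || PASSWORD_TEXT.equals(type)) { // the profile defaults to PasswordText
            return MessageDigest.isEqual(utf8(storedPassword), utf8(sent));
        }
        return allowOtherTypes; // unknown type: accepted for the application to check only if enabled
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real message.
        String nonce = Base64.getEncoder().encodeToString(utf8("constructed-nonce"));
        String created = "2008-04-15T08:13:00Z";
        String sent = digest(nonce, created, "s3cret");
        Duration window = Duration.ofMinutes(5);
        System.out.println(validate(PASSWORD_DIGEST, sent, nonce, created, "s3cret", false, Instant.parse("2008-04-15T08:14:00Z"), window));
        System.out.println(validate(PASSWORD_DIGEST, sent, nonce, created, "s3cret", false, Instant.parse("2008-04-15T08:30:00Z"), window));
        System.out.println(validate("urn:example:custom", sent, nonce, created, "s3cret", false, Instant.parse("2008-04-15T08:14:00Z"), window));
    }
}
```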
