Colm, the revised patch seems ok to me.
For the planned V2.0: shall we start an e-mail thread (or use the wiki?) to gather some ideas and proposals on what to address in V2.0?

Regards,
Werner

> -----Original Message-----
> From: ext O hEigeartaigh, Colm [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 15 April 2008 12:09
> To: Dittmann, Werner (NSN - DE/Muenich); ext Fred Dushin; wss4j-dev
> Subject: RE: WSS-54
>
> Hi Werner,
>
> Please consider the revised patch for WSS-54. I think that for the 2.0
> timeframe we need to revisit the way things are handled in
> UsernameTokenProcessor, as delegating authentication to the password
> callback handler is not a good solution.
>
> In the meantime, the revised patch preserves the old functionality,
> along with some extra bits and pieces, mainly the addition of an extra
> variable to control whether password types other than plaintext or
> digested are allowed.
>
> Thanks,
>
> Colm.
>
> -----Original Message-----
> From: Dittmann, Werner (NSN - DE/Muenich) [mailto:[EMAIL PROTECTED]
> Sent: 15 April 2008 08:13
> To: ext Fred Dushin; wss4j-dev
> Subject: RE: WSS-54
>
> Fred, Ruchith, all,
>
> first of all - thanks to Fred for taking action on all the open
> issues :-)
>
> As for WSS-54: in the original implementation the
> "handleUsernameToken()" checked both types of passwords. After some
> discussions on the mailing list (back in 2004, WSS4J's stone age :-) )
> we modified the behaviour to check only the hashed passwords. The main
> reason was (as far as I can remember):
> - only for hashed passwords the WS-Security specs define how to
>   validate it (using nonce, created time etc)
> - the plain password is just "plain" text - no validation is
>   specified, thus we decided not to implement a check into the handler
>   but to leave the check to the server application.
>
> You may refer to the following archived e-mail discussion:
>
> http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200409.mbox/[EMAIL PROTECTED]
>
> IMHO implementing this patch breaks a behaviour that WSS4J has provided
> for a long time and thus may break applications.
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: ext Fred Dushin [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 15 April 2008 01:51
> > To: wss4j-dev
> > Subject: WSS-54
> >
> > Hi Ruchith,
> >
> > Could I ask you to take a look at Colm's patch for WSS-54?
> >
> > https://issues.apache.org/jira/browse/WSS-54
> >
> > I'm +1 on the change, but I see you had some important comments in the
> > Jira trail, and before committing the change (or asking you to), I'd
> > like to make sure you're in agreement with it.
> >
> > Thanks!
> > -Fred
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> ----------------------------
> IONA Technologies PLC (registered in Ireland)
> Registered Number: 171387
> Registered Address: The IONA Building, Shelbourne Road,
> Dublin 4, Ireland
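
The distinction drawn in the thread, that only the digested password has a spec-defined validation using the nonce and created time, is shown in the following added example, which is not WSS4J code and not part of the original messages. It computes the UsernameToken Profile digest Base64(SHA-1(nonce + created + password)) and then checks freshness and nonce reuse; the class name, the five-minute window, the in-memory nonce set and all sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class UsernameTokenDigestCheck {
    // Hypothetical replay cache and freshness window; a real service would expire old nonces.
    private static final Set<String> SEEN_NONCES = ConcurrentHashMap.newKeySet();
    private static final Duration MAX_AGE = Duration.ofMinutes(5);

    // Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is used as decoded bytes.
    static String digest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    static boolean validate(String nonceB64, String created, String receivedDigest,
                            String storedPassword, Instant now) throws Exception {
        Instant ts = Instant.parse(created);
        // Reject tokens whose Created value is stale or too far in the future.
        if (ts.isBefore(now.minus(MAX_AGE)) || ts.isAfter(now.plus(MAX_AGE))) return false;
        byte[] expected = digest(nonceB64, created, storedPassword).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the recomputed and the received digest.
        if (!MessageDigest.isEqual(expected, receivedDigest.getBytes(StandardCharsets.UTF_8))) return false;
        // Record the nonce only for a valid token; a second use of it is a replay.
        return SEEN_NONCES.add(nonceB64);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        String nonce = Base64.getEncoder()
                .encodeToString("constructed-nonce-01".getBytes(StandardCharsets.UTF_8));
        String created = "2008-04-15T12:09:00Z";
        Instant now = Instant.parse("2008-04-15T12:10:00Z");
        String sent = digest(nonce, created, "s3cret");
        System.out.println("first use: " + validate(nonce, created, sent, "s3cret", now));
        System.out.println("replay:    " + validate(nonce, created, sent, "s3cret", now));
        System.out.println("stale:     " + validate(nonce, created, sent, "s3cret", now.plus(Duration.ofHours(1))));
    }
}
```

A plaintext password has no equivalent computation: the receiver can only compare the transmitted value with what it stores, which is the check the thread describes as left to the server application.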
