+1 Revised patch looks good. IMHO delegating authentication to the callback handler in the plain text case is essential.

Thanks,
Ruchith

On Tue, Apr 15, 2008 at 4:05 PM, Dittmann, Werner (NSN - DE/Muenich) <[EMAIL PROTECTED]> wrote:
> Colm,
>
> the revised patch seems ok to me.
>
> For the planned V2.0:
> shall we start some e-mail thread (or use the wiki?)
> to gather some ideas and proposals on what to address in V2.0?
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: ext O hEigeartaigh, Colm [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 15 April 2008 12:09
> > To: Dittmann, Werner (NSN - DE/Muenich); ext Fred Dushin; wss4j-dev
> > Subject: RE: WSS-54
> >
> > Hi Werner,
> >
> > Please consider the revised patch for WSS-54. I think that
> > for the 2.0 timeframe we need to revisit the way things are
> > handled in UsernameTokenProcessor, as delegating
> > authentication to the password callback handler is not a good
> > solution.
> >
> > In the meantime, the revised patch preserves the old
> > functionality, along with some extra bits and pieces, mainly
> > the addition of an extra variable to control whether password
> > types other than plaintext or digested are allowed.
> >
> > Thanks,
> >
> > Colm.
> >
> > -----Original Message-----
> > From: Dittmann, Werner (NSN - DE/Muenich) [mailto:[EMAIL PROTECTED]
> > Sent: 15 April 2008 08:13
> > To: ext Fred Dushin; wss4j-dev
> > Subject: AW: WSS-54
> >
> > Fred, Ruchith, all,
> >
> > first of all - thanks to Fred for taking action on all the open
> > issues :-)
> >
> > As for WSS-54: in the original implementation the
> > "handleUsernameToken()" checked both types of passwords.
> > After some discussions on the mailing list (back in 2004,
> > WSS4J's stone age :-) ) we modified the behaviour to
> > check only the hashed passwords.
> > The main reason was (as far as I can remember):
> > - only for hashed passwords the WS-Security specs define how
> >   to validate it (using nonce, created time etc)
> > - the plain password is just "plain" text - no validation is
> >   specified, thus we decided not to implement a check into the
> >   handler but to leave the check to the server application.
> >
> > You may refer to the following archived e-mail discussion:
> >
> > http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200409.mbox/[EMAIL PROTECTED]
> >
> > IMHO implementing this patch breaks a behaviour that WSS4J
> > has long provided and thus may break applications.
> >
> > Regards,
> > Werner
> >
> > > -----Original Message-----
> > > From: ext Fred Dushin [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, 15 April 2008 01:51
> > > To: wss4j-dev
> > > Subject: WSS-54
> > >
> > > Hi Ruchith,
> > >
> > > Could I ask you to take a look at Colm's patch for WSS-54?
> > >
> > > https://issues.apache.org/jira/browse/WSS-54
> > >
> > > I'm +1 on the change, but I see you had some important
> > > comments in the Jira trail, and before committing the change
> > > (or asking you to), I'd like to make sure you're in agreement
> > > with it.
> > >
> > > Thanks!
> > > -Fred
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > ----------------------------
> > IONA Technologies PLC (registered in Ireland)
> > Registered Number: 171387
> > Registered Address: The IONA Building, Shelbourne Road,
> > Dublin 4, Ireland

--
http://blog.ruchith.org
http://wso2.org
