Yup this looks like a bug alright, that will have to be fixed in 1.5.5 I guess. Can you file a separate JIRA for it?
Colm.

-----Original Message-----
From: Sérgio Patrício (JIRA) [mailto:[EMAIL PROTECTED]
Sent: 06 June 2008 15:12
To: [email protected]
Subject: [jira] Commented: (WSS-68) No way to create a UsernameToken with absent <Password> element

[ https://issues.apache.org/jira/browse/WSS-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12603052#action_12603052 ]

Sérgio Patrício commented on WSS-68:
------------------------------------

I confused UsernameToken derived key and secret key. When using a derived key the password is not attached.
In the UsernameTokenSignedAction is used a secret key from UsernameToken and not a derived key. But in this case the password is attached, isn't this wrong? It seems to me that this way all the required elements to create the secret key (password+nonce+created) go in the soap message and then the signature can be easily faked.

> No way to create a UsernameToken with absent <Password> element
> ---------------------------------------------------------------
>
> Key: WSS-68
> URL: https://issues.apache.org/jira/browse/WSS-68
> Project: WSS4J
> Issue Type: Bug
> Reporter: George Stanchev
> Fix For: 1.5.4
>
> Attachments: UsernameToken.java, wss4j-1.5.3.patch, WSSecUsernameToken.java
>
>
> We should be able to create UsernameTokens without <Password> in them if
> needed. Password is an optional element
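The concern raised in the comment above, as an added example that is not part of the original thread and is not WSS4J code: a check that reports whether a UsernameToken carries every input to the signing key (password+nonce+created) in the message itself. The function names, the sample message and the HMAC-SHA1 `derive_key` stand-in are assumptions made for illustration; the namespace and PasswordText URIs are the OASIS WS-Security ones.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def derive_key(password, nonce_b64, created):
    # Stand-in derivation (assumption, not WSS4J's algorithm): HMAC-SHA1 keyed
    # with the password over nonce + created, the three inputs named above.
    seed = base64.b64decode(nonce_b64) + created.encode()
    return hmac.new(password.encode(), seed, hashlib.sha1).digest()

def key_inputs_on_wire(soap_xml):
    """Return the key inputs a reader of the message can take from its UsernameToken."""
    token = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    found = {}
    if token is None:
        return found
    for name, ns in (("Password", WSSE), ("Nonce", WSSE), ("Created", WSU)):
        el = token.find(f"{{{ns}}}{name}")
        if el is None or not (el.text or "").strip():
            continue
        # Only a plaintext password exposes the secret itself; a digest does not.
        if name == "Password" and el.get("Type", PW_TEXT) != PW_TEXT:
            continue
        found[name] = el.text.strip()
    return found

def signing_key_exposed(soap_xml):
    """True when password, nonce and created all travel in the message."""
    return set(key_inputs_on_wire(soap_xml)) == {"Password", "Nonce", "Created"}

def build_token(include_password):  # constructed sample message, not captured traffic
    pw = f'<wsse:Password Type="{PW_TEXT}">s3cret</wsse:Password>' if include_password else ""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>alice</wsse:Username>{pw}'
            f'<wsse:Nonce>MDEyMzQ1Njc4OWFiY2RlZg==</wsse:Nonce>'
            f'<wsu:Created>2008-06-06T14:12:00Z</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security>')

if __name__ == "__main__":
    for with_pw in (True, False):
        msg = build_token(with_pw)
        print("password sent:", with_pw, "-> key exposed:", signing_key_exposed(msg))
```

With the Password element absent, which is what WSS-68 asks for, the password stays a shared secret and the key cannot be rebuilt from the message alone.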
