Hello,
I have a question regarding UsernameTokenProcessor and plain text
UsernameTokens in WSS4J.
These are lines 139-146 from the latest version of
org.apache.ws.security.processor.UsernameTokenProcessor.java:

    if (cb == null) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
    } else if (!WSConstants.PASSWORD_TEXT.equals(pwType) && !handleCustomPasswordTypes) {
        if (log.isDebugEnabled()) {
            log.debug("Authentication failed as handleCustomUsernameTokenTypes is false");
        }
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }

These are two of the constant fields in the WSConstants class and their values:

    WSConstants.PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
    WSConstants.PW_TEXT = "PasswordText"

Right now the UsernameTokenProcessor only evaluates a plain text
UsernameToken when the type declaration in the UsernameToken is the
same as the long version WSConstants.PASSWORD_TEXT.
Is this a conscious choice? If so, why?
Or should the else if statement rather be something like this?

    else if ((!WSConstants.PASSWORD_TEXT.equals(pwType) || !WSConstants.PW_TEXT.equals(pwType)) && !handleCustomPasswordTypes) {

Thanks!
Best regards
Frode Laukus
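
The password-type gate discussed in the message above, as an added example that is not part of the original message and is not WSS4J code: it evaluates the quoted condition, the proposed `||` condition, and an `&&` variant over a few constructed type values. The class name, method names and sample values are hypothetical; the two constants are copied from the message.

```java
import java.util.Arrays;
import java.util.List;

public class PasswordTypeGate {
    // Constant values as quoted in the message above.
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String PW_TEXT = "PasswordText";

    // Condition from the quoted processor code; true means the token is rejected.
    static boolean rejectsCurrent(String pwType, boolean handleCustom) {
        return !PASSWORD_TEXT.equals(pwType) && !handleCustom;
    }

    // Condition as proposed in the message. A string cannot equal both
    // constants at once, so the inner || is true for every pwType.
    static boolean rejectsProposedOr(String pwType, boolean handleCustom) {
        return (!PASSWORD_TEXT.equals(pwType) || !PW_TEXT.equals(pwType)) && !handleCustom;
    }

    // Variant joined with && (assumption: the intent is to let either
    // spelling of the plain text type through to the callback).
    static boolean rejectsEitherSpelling(String pwType, boolean handleCustom) {
        return !PASSWORD_TEXT.equals(pwType) && !PW_TEXT.equals(pwType) && !handleCustom;
    }

    public static void main(String[] args) {
        // Constructed sample values: both spellings, a custom type, and a
        // token that carries no Type attribute at all (null).
        List<String> samples =
            Arrays.asList(PASSWORD_TEXT, PW_TEXT, "urn:example:custom-type", null);
        for (boolean handleCustom : new boolean[] {false, true}) {
            System.out.println("handleCustomPasswordTypes=" + handleCustom);
            for (String t : samples) {
                String label = (t != null && t.length() > 24)
                    ? "..." + t.substring(t.length() - 21) : String.valueOf(t);
                System.out.printf("  %-26s current=%-5b proposedOr=%-5b either=%b%n",
                    label,
                    rejectsCurrent(t, handleCustom),
                    rejectsProposedOr(t, handleCustom),
                    rejectsEitherSpelling(t, handleCustom));
            }
        }
    }
}
```

Each column prints true where that condition would throw FAILED_AUTHENTICATION before the callback is consulted.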