Hi Frode,

> Is this a conscious choice? If so, why?

The Username Token Profile 1.1 states in relation to the password type:

"This optional URI attribute specifies the type of password being provided. The table below identifies the pre-defined types (note that the URI fragments are relative to the URI for this specification)."

My reading of this is that the URI fragments are given for convenience, but that the full URI containing the Username Token namespace is required in practice. I'm open to correction on this though. Any opinions on this?

Btw I spotted another bug when I was looking at the code + spec:

https://issues.apache.org/jira/browse/WSS-152

Colm.

-----Original Message-----
From: Frode Ruud Laukus [mailto:[EMAIL PROTECTED]
Sent: 14 November 2008 12:05
To: [email protected]
Subject: UsernameTokenProcessor and plain text UsernameTokens

Hello,

I have a question regarding UsernameTokenProcessor and plain text UsernameTokens in WSS4J.

These are lines 139-146 from the latest version of org.apache.ws.security.processor.UsernameTokenProcessor.java:

    if (cb == null) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
    } else if (!WSConstants.PASSWORD_TEXT.equals(pwType) && !handleCustomPasswordTypes) {
        if (log.isDebugEnabled()) {
            log.debug("Authentication failed as handleCustomUsernameTokenTypes is false");
        }
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }

These are two of the constant fields in the WSConstants class and their values:

    WSConstants.PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
    WSConstants.PW_TEXT = "PasswordText"

Right now the UsernameTokenProcessor only evaluates a plain text UsernameToken when the type declaration in the UsernameToken is the same as the long version WSConstants.PASSWORD_TEXT. Is this a conscious choice? If so, why? Or should the else if statement rather be something like this?

    else if ((!WSConstants.PASSWORD_TEXT.equals(pwType) || !WSConstants.PW_TEXT.equals(pwType)) && !handleCustomPasswordTypes) {

Thanks!

Best regards
Frode Laukus

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
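
The password-type conditions discussed in this thread, side by side, as an added example (not WSS4J source and not written by either poster). The class and method names are hypothetical, the constants copy the values quoted above, and the sample Type values are constructed. With handleCustomPasswordTypes false, a test of the form `!A.equals(x) || !B.equals(x)` is true for every x, so the `||` form rejects all tokens, while joining the two negated tests with `&&` accepts either spelling:

```java
import java.util.Arrays;
import java.util.List;

// Added illustration; not WSS4J source. Class and method names are hypothetical.
public class PasswordTypeCheck {
    // Values as quoted in the thread for WSConstants.PASSWORD_TEXT and WSConstants.PW_TEXT.
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String PW_TEXT = "PasswordText";

    // Condition as in the quoted processor code: reject unless Type is the full URI.
    static boolean rejectsCurrent(String pwType, boolean handleCustom) {
        return !PASSWORD_TEXT.equals(pwType) && !handleCustom;
    }

    // Condition as proposed in the question: the two negated tests are joined with ||.
    static boolean rejectsProposedOr(String pwType, boolean handleCustom) {
        return (!PASSWORD_TEXT.equals(pwType) || !PW_TEXT.equals(pwType)) && !handleCustom;
    }

    // Lenient variant: reject only when Type matches neither spelling (joined with &&).
    static boolean rejectsLenientAnd(String pwType, boolean handleCustom) {
        return (!PASSWORD_TEXT.equals(pwType) && !PW_TEXT.equals(pwType)) && !handleCustom;
    }

    static String verdict(boolean rejected) {
        return rejected ? "reject" : "accept";
    }

    public static void main(String[] args) {
        // Constructed sample Type attribute values; null models a missing attribute.
        List<String> samples = Arrays.asList(PASSWORD_TEXT, PW_TEXT, "urn:example:custom", null);
        System.out.printf("%-20s %-9s %-12s %-10s%n", "Type", "current", "proposed||", "lenient&&");
        for (String pwType : samples) {
            String label = pwType == null ? "(absent)"
                : pwType.equals(PASSWORD_TEXT) ? "full URI" : pwType;
            System.out.printf("%-20s %-9s %-12s %-10s%n", label,
                verdict(rejectsCurrent(pwType, false)),
                verdict(rejectsProposedOr(pwType, false)),
                verdict(rejectsLenientAnd(pwType, false)));
        }
    }
}
```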
