cxf-dev mailing list archives

From Alessio Soldano <>
Subject WS-Security Username Token w/ Digest issue on CXF 2.4
Date Tue, 26 Apr 2011 21:39:24 GMT
I'm running a test leveraging WS-Sec UsernameToken profile for 
authentication/authorization and in particular sends PasswordDigest type 
I have a custom interceptor that extends, 
implementing the method

protected abstract Subject createSubject(String name,
                                     String password,
                                     boolean isDigest,
                                     String nonce,
                                     String created) throws 

In particular, my interceptor relies on the isDigest boolean parameter 
for internally using a digest aware callback handler. The problem I'm 
seeing is that "isDigest" parameter is actually set as follows in 

         protected void verifyDigestPassword(
             RequestData data
         ) throws WSSecurityException {
             if (!supportDigestPasswords) {
                 throw new 
             String user = usernameToken.getName();
             String password = usernameToken.getPassword();
             boolean isHashed = usernameToken.isDerivedKey();
             String nonce = usernameToken.getNonce();
             String createdTime = usernameToken.getCreated();
                 user, password, isHashed, nonce, createdTime

As far as I understand, isHashed=usernameToken.isDerivedKey() considers 
the Salt/Iteration elements that have been added in WS-Security 
UsernameToken Profile 1.1. But when using 1.0 or simply only setting the 
password type to digest, that parameter is false, hence the implementor 
of the createSubject method is not passed the proper info.
Did I miss something here? The same custom interceptor used to work 
properly with CXF 2.3.x (Sergey originally wrote it :-) )


Alessio Soldano
Web Service Lead, JBoss
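
Added example, not part of the original message and not CXF or WSS4J code: a stand-alone sketch of why a digest-aware check needs the flag to follow the Password Type attribute rather than the presence of Salt/Iteration. The class name, `verify`, `hasSaltOrIteration` and all sample values are hypothetical and constructed; the digest formula is the one from the UsernameToken Profile, Base64(SHA-1(nonce + created + password)).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class DigestFlagDemo {
    // Password Type URI defined by WS-Security UsernameToken Profile 1.0
    static final String PASSWORD_DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    // Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is used as decoded bytes
    static String passwordDigest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Hypothetical stand-in for the digest-aware check behind createSubject(...)
    static boolean verify(String stored, String received, boolean isDigest,
                          String nonce, String created) throws Exception {
        String expected = isDigest ? passwordDigest(nonce, created, stored) : stored;
        // Constant-time comparison of the expected and received values
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values
        String stored = "s3cret-sample";
        String nonce = Base64.getEncoder()
            .encodeToString("constructed-nonce".getBytes(StandardCharsets.UTF_8));
        String created = "2011-04-26T21:39:24Z";
        String passwordType = PASSWORD_DIGEST;   // what the client sent
        boolean hasSaltOrIteration = false;      // no Profile 1.1 derived-key elements
        String received = passwordDigest(nonce, created, stored);

        // Flag taken from Salt/Iteration: false for a plain digest token, so the check rejects it
        System.out.println("flag from derived key:    "
            + verify(stored, received, hasSaltOrIteration, nonce, created));
        // Flag taken from the Password Type attribute: the same token verifies
        System.out.println("flag from password type:  "
            + verify(stored, received, PASSWORD_DIGEST.equals(passwordType), nonce, created));
    }
}
```

With the flag taken from the derived-key elements, the stored password is compared directly against the Base64 digest, so a valid PasswordDigest token is rejected.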
