cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "yodasad (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-7255) Allow empty ("") passwords when calling a service
Date Mon, 20 Feb 2017 15:08:44 GMT
yodasad created CXF-7255:
----------------------------

             Summary: Allow empty ("") passwords when calling a service
                 Key: CXF-7255
                 URL: https://issues.apache.org/jira/browse/CXF-7255
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 3.1.10
            Reporter: yodasad


If you want to use an empty password when calling a service, you get the following exception

{noformat}
org.apache.cxf.interceptor.Fault: No callback handler and no password available
	at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:172)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:185)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
	at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
	at org.apache.cxf.ws.security.trust.STSTokenRetriever.getTokenFromSTS(STSTokenRetriever.java:427)
	at org.apache.cxf.ws.security.trust.STSTokenRetriever.issueToken(STSTokenRetriever.java:164)
	at org.apache.cxf.ws.security.trust.STSTokenRetriever.getToken(STSTokenRetriever.java:58)
	at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:133)
{noformat}

unless there is a password type NoPassword explicitly set in a policy assertion:

{code:xml}
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
        <sp:NoPassword /> 
        <sp:WssUsernameToken10/>
    </wsp:Policy>
</sp:UsernameToken>
{code}

But if there is no <NoPassword> assertion it doesn't mean that we cannot use empty password
(that is empty strings), does it?




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message