cxf-users mailing list archives

From <Rick.Ja...@swisscom.com>
Subject RE: Configured WS-Security UsernameToken PasswordDigest accepts PasswordText
Date Mon, 13 Jul 2009 11:39:53 GMT
Hello Glen,

thank you for your response.

I read [1] before and now once again, but I cannot find any explanation of how to make my service
accept only PasswordDigest and reject PasswordText.

     <entry key="passwordType" value="PasswordDigest"/> 

as constructor argument for WSS4JInInterceptor seems to be ignored completely. With this configuration,
the interceptor hands over all PasswordText authentication requests to my handler that was
designed to authenticate PasswordDigest requests. So I'm not sure what the passwordType parameter
is good for at the server side, if it does not declare the authentication type that my
service accepts.

And within the callback handler I cannot check for PasswordDigest, as pc.getPasswordType()
will return 'null' if a security header with PasswordDigest was submitted, thus

        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        if (!WSConstants.PW_DIGEST.equals(pc.getPasswordType())) {
            throw new IOException("Wrong password type. The only allowed type is '"
                    + WSConstants.PW_DIGEST + "'");
        }

in the callback handler does not work either.

I'm sorry that I have to bother you again with my issue, but I would be really grateful
if you could have a look at it again.

Thank you in advance,
Rick

-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@gmail.com] 
Sent: Friday, July 10, 2009 9:41 PM
To: users@cxf.apache.org
Subject: Re: Configured WS-Security UsernameToken PasswordDigest accepts PasswordText


Yes, check [1], search on the text "Note that for the special case of a plain-text password".
Hopefully this will get changed relatively soon [2].

[1] http://cwiki.apache.org/CXF20DOC/ws-security.html
[2] https://issues.apache.org/jira/browse/WSS-183

Glen


Rick.Janda wrote:
> 
> Do you have any idea how to make CXF reject anything other than
> PasswordDigest?
> Or have I missed something in the documentation?
> 


--
View this message in context: http://www.nabble.com/Configured-WS-Security-UsernameToken-PasswordDigest-accepts-PasswordText-tp24432779p24433414.html
Sent from the cxf-user mailing list archive at Nabble.com.
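
An added example, not part of the thread and not CXF or WSS4J project code: a server-side callback handler that refuses plain-text UsernameTokens by looking at the callback usage instead of getPasswordType(). It assumes WSS4J 1.5.x behaviour, where a PasswordText token reaches the handler with usage USERNAME_TOKEN_UNKNOWN and a PasswordDigest token with usage USERNAME_TOKEN; the class name and the credential map are hypothetical, and older 1.5.x releases spell the accessor getIdentifer().

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical handler: serves PasswordDigest tokens and refuses everything else. */
public class DigestOnlyPasswordCallback implements CallbackHandler {

    // Constructed sample credential store (user name -> password); replace with a real lookup.
    private final Map<String, String> passwords;

    public DigestOnlyPasswordCallback(Map<String, String> passwords) {
        this.passwords = passwords;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN:
                // Assumed 1.5.x digest path: WSS4J asks for the stored password and
                // recomputes the digest itself, so the handler only supplies it.
                String stored = passwords.get(pc.getIdentifier());
                if (stored == null) {
                    throw new IOException("Authentication failed");
                }
                pc.setPassword(stored);
                break;
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // Assumed 1.5.x plain-text (or unknown type) path: the handler is
                // expected to validate the password itself. Refuse instead.
                throw new IOException("Only PasswordDigest UsernameTokens are accepted");
            default:
                throw new UnsupportedCallbackException(cb, "Unsupported usage " + pc.getUsage());
            }
        }
    }
}
```

Register the handler as the passwordCallbackClass (or passwordCallbackRef) of the WSS4JInInterceptor, and confirm against the deployed WSS4J version that a PasswordText request is rejected.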

