I have set up WSS4J using UsernameToken PasswordDigest. Everything works fine. The following article mentions: http://arsenalist.com/2007/07/31/cxf-ws-security-using-jsr-181-interceptor-annotations-xfire-migration/
"Since WSS4J validates a UsernameToken only if it finds a security header we need to cover the case where no security header is specified."

Does it mean that a client can manipulate the header, thus bypassing server-side authentication? Can anybody show me how to disable or not set the security header in the client?
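
The case the quoted sentence describes, covered on the server side. This is an added example, not part of the original post or of the CXF/WSS4J code: an inbound CXF interceptor that rejects any SOAP request arriving without a wsse:Security header containing a UsernameToken. The class name is hypothetical, and the example assumes the interceptor is registered on the endpoint's inbound chain together with WSS4JInInterceptor.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.w3c.dom.Element;

// Hypothetical class name; added example, not CXF's or WSS4J's own code.
public class RequireUsernameTokenInterceptor extends AbstractSoapInterceptor {

    // WS-Security 1.0 "secext" namespace used by wsse:Security and wsse:UsernameToken.
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final QName SECURITY = new QName(WSSE_NS, "Security");

    public RequireUsernameTokenInterceptor() {
        // SOAP headers are already parsed in this phase; run ahead of WSS4J itself.
        super(Phase.PRE_PROTOCOL);
        addBefore(WSS4JInInterceptor.class.getName());
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        for (Header header : message.getHeaders()) {
            if (!SECURITY.equals(header.getName())) {
                continue;
            }
            Object body = header.getObject();
            // Unmarshalled SOAP headers are normally DOM elements.
            if (body instanceof Element
                    && ((Element) body)
                        .getElementsByTagNameNS(WSSE_NS, "UsernameToken")
                        .getLength() > 0) {
                return; // Token present; WSS4J validates the digest next.
            }
        }
        // No security header, or one without a UsernameToken: fail closed.
        throw new SoapFault("Request rejected: wsse:UsernameToken is required",
                            message.getVersion().getSender());
    }
}
```

This check only enforces that the token is present; validating the password digest remains the job of WSS4JInInterceptor and its password callback.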
