Hi Alessio, Colm Unfortunately I did not have a system test involving this interceptor checking digest passwords (I have the one for a policy first case though), so the regression was not spotted, thanks Colm for applying a fix.
Alessio - as a workaround, while working with CXF 2.4.0, please override AbstractUsernameTokenAuthenticatingInterceptor.getSecurityEngine(boolean), and copy the code from the superclass but register another Validator implementation, which extends AbstractUsernameTokenAuthenticatingInterceptor.CustomValidator but overrides only its verifyDigestPassword method that should it till CXF 2.4.1 is released. One thing about using AbstractUsernameTokenAuthenticatingInterceptor is that it won't work in policy-first cases. Thus you might want to consider using another approach, extend org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor which does not in turn extend WSS4JInInterceptor, please see http://cxf.apache.org/docs/security.html#Security-WSSecurityUsernameTokenandCustomAuthentication Thanks, Sergey On Wed, Apr 27, 2011 at 9:46 AM, Colm O hEigeartaigh <[email protected]> wrote: > Already taken care of.. > > https://issues.apache.org/jira/browse/CXF-3476 > > Colm. > > On Wed, Apr 27, 2011 at 9:32 AM, Alessio Soldano <[email protected]> wrote: >> On 04/27/2011 10:30 AM, Colm O hEigeartaigh wrote: >>> >>> Hi Alessio, >>> >>>> Did I miss something here? >>> >>> No, it's a bug. It should be "isHashed" not "isDerivedKey". >>> >>> Colm. >> >> OK, I can open a jira and fix that, or you're already doing it? >> Thanks >> Alessio >> >> -- >> Alessio Soldano >> Web Service Lead, JBoss >> >> >
