Ruchith,

WSS4J does not authenticate if PasswordText is specified; it
just returns the data to the application (Axis service).
Also, in the case of a username token the password is optional.

Indeed you are right about the specification of the password
callback: we shall make it optional in case of PasswordText.


Regards,
Werner

> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 3 May 2005 11:26
> To: WS-FX
> Subject: UsernameToken authentication when a plain text 
> password is used
> 
> 
> Hi,
> 
> I noticed that WSSecurityEngine doesn't authenticate the UsernameToken
> when passwordType="PasswordText".
> 
> --------------------------------------------------------------
> -------------------------------------------------------------
> public WSUsernameTokenPrincipal handleUsernameToken(Element token,
> CallbackHandler cb) throws WSSecurityException {
>         .....
>        .....
>         if (ut.isHashed()) {
>              //Authenticates the UT
>         }
> 
>         WSUsernameTokenPrincipal principal = new
> WSUsernameTokenPrincipal(user, ut.isHashed());
>         principal.setNonce(nonce);
>         principal.setPassword(password);
>         principal.setCreatedTime(createdTime);
> 
>         return principal;
>     }
> 
> --------------------------------------------------------------
> -------------------------------------------------------------
> 
> Is the above behaviour correct? If it is, in a situation where there's
> only a UsernameToken (passwordType="PasswordText") is sent in the 
> security header, why should one specify the callback handler at the
> service deployment?
> 
> It's clear that the service impl can authenticate the UT as well,
> using the WSSecurityEngineResult vector from the msgContext, but why
> not authenticate at the Engine in the above instance?
> 
> OR have I missed something obvious :-) ?
> 
> Thanks in advance,
> Ruchith Fernando
> 
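Werner's answer leaves the PasswordText check to the service, using the WSSecurityEngineResult vector from the msgContext that Ruchith mentions. The following is an added example, not WSS4J's code nor either poster's, of such a service-side check; it assumes the WSS4J 1.x/Axis 1.x API of the time (WSHandlerConstants.RECV_RESULTS, WSHandlerResult.getResults(), WSSecurityEngineResult.getAction()/getPrincipal(), WSUsernameTokenPrincipal.isPasswordDigest()) and a hypothetical CredentialStore lookup.

```java
// Added example, not WSS4J's own code: a service checking a PasswordText
// UsernameToken that the engine returned without authenticating it.
// Assumed 2005-era WSS4J 1.x/Axis 1.x API: RECV_RESULTS -> Vector of WSHandlerResult,
// getResults() -> Vector of WSSecurityEngineResult with getAction()/getPrincipal().
import java.util.Iterator;
import java.util.Vector;
import org.apache.axis.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
public class PlainTextUsernameTokenCheck {
    /** Hypothetical credential lookup; the real service supplies its own. */
    public interface CredentialStore { String passwordFor(String user); }
    /** Returns the authenticated user name, or throws if no token passes. */
    public static String authenticate(MessageContext msgCtx, CredentialStore store)
            throws WSSecurityException {
        Vector handlerResults = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        for (Iterator h = handlerResults.iterator(); h.hasNext();) {
            Vector results = ((WSHandlerResult) h.next()).getResults();
            for (Iterator r = results.iterator(); r.hasNext();) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) r.next();
                if (er.getAction() != WSConstants.UT) continue;
                WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal) er.getPrincipal();
                // Digest tokens were verified by the engine (the isHashed branch); trust those.
                if (p.isPasswordDigest()) return p.getName();
                // PasswordText: the engine only parsed it, so compare against our store here.
                String expected = store.passwordFor(p.getName());
                if (expected != null && constantTimeEquals(expected, p.getPassword())) {
                    return p.getName();
                }
            }
        }
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }
    /** Compares every byte so the time taken does not reveal how much matched. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        byte[] x = a.getBytes(), y = b.getBytes();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```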
