[https://issues.apache.org/jira/browse/CXF-2873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885076#action_12885076]
Glen Mazza commented on CXF-2873:
---------------------------------
This is the method you're referring to, Sergey, that Tomasz should implement,
correct? http://en.wikipedia.org/wiki/Digest_access_authentication
I would guess *only* digest authentication should be allowed and not the basic
auth (http://en.wikipedia.org/wiki/Basic_access_authentication) because of the
potential sensitivity of the SOAP request messages being viewed by the log
browser.
However, I don't see how supporting username/token as an additional method can
provide additional security, as you're just creating another door into the
system with a potentially insecure (buggy) lock. Username/Token also requires
nonces and timestamp restraints (and the digest based on the same [1]) that
AFAIK aren't even handled with CXF's basic SOAP usernameToken/password
implementation.
[1] http://old.nabble.com/Re%3A-How-to-configure-client-for-UsernameToken-with-plaintext-password-and-Nonce-p28117173.html
> Add authentication support (via HTTP basic authentication)
> ----------------------------------------------------------
>
> Key: CXF-2873
> URL: https://issues.apache.org/jira/browse/CXF-2873
> Project: CXF
> Issue Type: Sub-task
> Reporter: Tomasz Oponowicz
>
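The nonce and timestamp checks Glen mentions for UsernameToken, as an added example that is not part of this thread or of CXF: a hypothetical Python verifier for the WS-Security PasswordDigest profile that rejects stale Created values and replayed nonces in addition to checking the digest. The class and function names, the five-minute window, and the sample credentials are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
# Hypothetical server-side check of a WS-Security UsernameToken PasswordDigest (not CXF code):
#   PasswordDigest = Base64(SHA-1(nonce + created + password)).
# The digest alone does not stop replay, so Created gets a freshness window and nonces seen inside it are remembered.
FRESHNESS = timedelta(minutes=5)      # allowed skew between Created and the server clock (assumed value)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as the client computes it."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()

class UsernameTokenVerifier:
    def __init__(self, passwords: dict, clock):
        self._passwords = passwords   # username -> password (constructed store)
        self._seen = {}               # nonce bytes -> time after which it can be forgotten
        self._clock = clock           # callable returning an aware UTC datetime

    def verify(self, username: str, nonce_b64: str, created: str, digest: str) -> bool:
        now = self._clock()
        try:   # Created must be a UTC timestamp of the form 2010-07-05T12:01:00Z
            created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created_dt) > FRESHNESS:
            return False                                   # stale (or future-dated) token
        self._seen = {n: t for n, t in self._seen.items() if t > now}   # evict expired nonces
        nonce = base64.b64decode(nonce_b64)
        if nonce in self._seen:
            return False                                   # replayed nonce
        password = self._passwords.get(username)
        if password is None or not hmac.compare_digest(password_digest(nonce, created, password), digest):
            return False                                   # unknown user, wrong password or tampered fields
        self._seen[nonce] = now + FRESHNESS                # a nonce older than the window is rejected anyway
        return True

def demo() -> list:
    """Constructed scenario: valid token, its replay, a stale Created, a wrong password."""
    now = datetime(2010, 7, 5, 12, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "s3cret"}, clock=lambda: now)
    b64 = lambda n: base64.b64encode(n).decode()
    good, old = "2010-07-05T12:01:00Z", "2010-07-05T11:00:00Z"
    return [
        v.verify("alice", b64(b"nonce-0001"), good, password_digest(b"nonce-0001", good, "s3cret")),
        v.verify("alice", b64(b"nonce-0001"), good, password_digest(b"nonce-0001", good, "s3cret")),
        v.verify("alice", b64(b"nonce-0002"), old, password_digest(b"nonce-0002", old, "s3cret")),
        v.verify("alice", b64(b"nonce-0003"), good, password_digest(b"nonce-0003", good, "wrong")),
    ]
```

The in-memory nonce cache only works for a single server process; a clustered deployment needs a shared store with the same expiry behaviour.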