Colm O hEigeartaigh commented on CXF-7677:

From WSS4J 1.6.x, the way UsernameToken passwords were validated was changed. 
This blog post lays it all out:


Essentially it doesn't pass the password through to the CallbackHandler any 
more. Instead, the CallbackHandler should supply the password for validation 
given the username. If you want to do some custom validation then instead you 
can implement your own WSS4J Validator.

> With CXF 3.2.1, using UsernameToken, cannot receive password in callback
> ------------------------------------------------------------------------
>                 Key: CXF-7677
>                 URL: https://issues.apache.org/jira/browse/CXF-7677
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.1
>         Environment: Java 8.
> CXF 3.2.1
> wss4j-2.1.jar
> xmlsec-2.1.0.jar
>            Reporter: Sumeet Mahajan
>            Priority: Critical
>         Attachments: soap-request.xml
> I am attaching my SOAP request.
> It has SOAP Header with usernametoken which also has username and password in 
> plain text.
> I wrote a CallbackHandler to receive this username and password on server.
> I used to get the username and password in cxf 2.7.6 in my callbackhandler. 
> Whereas in cxf 3.2.1 I am no longer getting password. It's coming in as null. 
> I did follow the new classes (WSPasswordCallback) and changed the package etc.
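
The two options described in the comment above, as an added sketch against the WSS4J 2.x API; it is not code from the commenter, the reporter or the CXF project. The class names and the in-memory `USERS` store are hypothetical, and it assumes the handler or validator is registered through the CXF endpoint properties `ws-security.callback-handler` or `ws-security.ut.validator`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;

public class UsernameTokenAuth {
    // Constructed sample store (hypothetical); a real service queries its own credential backend.
    static final Map<String, String> USERS =
            Collections.singletonMap("alice", "constructed-sample-secret");

    /** Option 1: supply the expected password; WSS4J performs the comparison. */
    public static class PasswordSupplier implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                    // The received password is not passed in; look it up by username.
                    // An unknown user leaves the password null, so validation fails.
                    pc.setPassword(USERS.get(pc.getIdentifier()));
                }
            }
        }
    }

    /** Option 2: custom Validator that sees the received plaintext password. */
    public static class CustomValidator extends UsernameTokenValidator {
        @Override
        protected void verifyPlaintextPassword(UsernameToken token, RequestData data)
                throws WSSecurityException {
            String expected = USERS.get(token.getName());
            String received = token.getPassword();
            // Constant-time comparison; reject unknown users and missing passwords.
            if (expected == null || received == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    received.getBytes(StandardCharsets.UTF_8))) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
        }
    }
}
```

The validator override only covers plaintext (`PasswordText`) tokens such as the one in the attached request; digest passwords still go through `verifyDigestPassword`, which relies on the CallbackHandler supplying the expected password.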
