Bjørn Hilstad created CXF-8137:
----------------------------------

             Summary: Using SecurityConstants.VALIDATE_TOKEN with 
WSS4JInInterceptor no longer allows skipping validation of token
                 Key: CXF-8137
                 URL: https://issues.apache.org/jira/browse/CXF-8137
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 3.2.10
            Reporter: Bjørn Hilstad


Have been using SecurityConstants.VALIDATE_TOKEN=false to skip validation of 
UsernameToken with CXF 3.2.x successfully for a long time but this feature 
broke in 3.2.10.

The reason is that the method getSecurityEngine(boolean utWithCallbacks) in 
WSS4JInInterceptor returns a different SecurityEngine than before.

Up to version 3.2.9 using SecurityConstants.VALIDATE_TOKEN=false this method 
gave a WSSecurityEngine which had a WSSConfig with a validatorMap where the 
validator for 
"{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" 
was an org.apache.wss4j.dom.validate.NoOpValidator.

From 3.2.10 it gives a WSSecurityEngine that has a WSSConfig with a 
validatorMap where the validator for 
"{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" 
was an org.apache.wss4j.dom.validate.UsernameTokenValidator and hence the 
validation is NOT skipped anymore.

Should this feature still work for 3.2.10 or has it been removed on purpose?

Could probably be solved by just switching the order of the if-statements in 
getSecurityEngine(boolean utWithCallbacks).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
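
One way to check which validator a WSSecurityEngine will apply to UsernameToken, for example in a regression test run before and after a CXF upgrade. This is an added example, not code from the report or from CXF; the class and method names are hypothetical, and it assumes the WSS4J 2.2.x package layout (org.apache.wss4j.dom.engine) on the classpath.

```java
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.validate.NoOpValidator;
import org.apache.wss4j.dom.validate.Validator;

// Hypothetical helper class, not part of CXF or WSS4J.
public class UsernameTokenValidatorCheck {

    /** Returns the validator the engine has registered for wsse:UsernameToken. */
    static Validator usernameTokenValidator(WSSecurityEngine engine)
            throws WSSecurityException {
        return engine.getWssConfig().getValidator(WSConstants.USERNAME_TOKEN);
    }

    /** True when UsernameToken validation is skipped, i.e. a NoOpValidator is registered. */
    static boolean skipsUsernameTokenValidation(WSSecurityEngine engine)
            throws WSSecurityException {
        return usernameTokenValidator(engine) instanceof NoOpValidator;
    }

    /** Engine shaped like the one the report describes for CXF up to 3.2.9. */
    static WSSecurityEngine engineWithNoOpValidator() {
        WSSConfig config = WSSConfig.getNewInstance();
        config.setValidator(WSConstants.USERNAME_TOKEN, new NoOpValidator());
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /** Engine with WSS4J defaults, as the report describes from 3.2.10 on. */
    static WSSecurityEngine engineWithDefaults() {
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(WSSConfig.getNewInstance());
        return engine;
    }

    public static void main(String[] args) throws WSSecurityException {
        WSSecurityEngine[] engines = { engineWithNoOpValidator(), engineWithDefaults() };
        for (WSSecurityEngine engine : engines) {
            System.out.println(usernameTokenValidator(engine).getClass().getName()
                    + " -> validation skipped: " + skipsUsernameTokenValidation(engine));
        }
    }
}
```

The same two helper methods can be called on the engine returned by getSecurityEngine(boolean utWithCallbacks) in a WSS4JInInterceptor subclass to see which of the two cases a given CXF version produces.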
