Simon Jongsma created RAMPART-385:
-------------------------------------
Summary: Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy
Key: RAMPART-385
URL: https://issues.apache.org/jira/browse/RAMPART-385
Project: Rampart
Issue Type: Question
Environment: JBoss 5.1.2
             Axis2 1.6.2
             Rampart/Rahas 1.6.2
Reporter: Simon Jongsma

A Policy was specified on a web service as such:

    <sp:SupportingTokens>
      <wsp:Policy>
        <sp:UsernameToken
            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:NoPassword/>
          </wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>

If the request contains username token + password in security header, I would
expect (hope) Rampart to ignore the password or complain that a password is
present (I'm not sure about the meaning of NoPassword in this respect).

Anyway: Rampart will go into the password callback and require us to supply the
value.

Is this correct?
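
An added example, not part of the original report and not Rampart code: a stand-alone Python check that lists the UsernameTokens in a request that carry a wsse:Password while the policy asserts NoPassword. It assumes NoPassword means the wsse:Password element must not be present (the WS-SecurityPolicy 1.2 reading); the policy, the SOAP request and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed policy with the same shape as the one in the report.
POLICY = f"""<sp:SupportingTokens xmlns:sp="{SP}" xmlns:wsp="{WSP}">
  <wsp:Policy><sp:UsernameToken><wsp:Policy><sp:NoPassword/></wsp:Policy>
  </sp:UsernameToken></wsp:Policy></sp:SupportingTokens>"""


def make_request(username, password=None):
    """Build a constructed SOAP request; password=None omits wsse:Password."""
    pw = "" if password is None else f"<wsse:Password>{password}</wsse:Password>"
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header>'
            f"<wsse:Security><wsse:UsernameToken>"
            f"<wsse:Username>{username}</wsse:Username>{pw}"
            f"</wsse:UsernameToken></wsse:Security></s:Header>"
            f"<s:Body/></s:Envelope>")


def policy_forbids_password(policy_xml):
    """True if any sp:UsernameToken assertion contains sp:NoPassword."""
    root = ET.fromstring(policy_xml)
    path = f".//{{{SP}}}UsernameToken//{{{SP}}}NoPassword"
    return root.find(path) is not None


def password_violations(policy_xml, soap_xml):
    """Return usernames of tokens that carry a password despite NoPassword.

    Only the username is reported; the password value is never read or logged.
    """
    if not policy_forbids_password(policy_xml):
        return []
    envelope = ET.fromstring(soap_xml)
    offenders = []
    for token in envelope.iter(f"{{{WSSE}}}UsernameToken"):
        if token.find(f"{{{WSSE}}}Password") is not None:
            offenders.append(token.findtext(f"{{{WSSE}}}Username", default=""))
    return offenders


if __name__ == "__main__":
    print(password_violations(POLICY, make_request("alice", "s3cret")))
    print(password_violations(POLICY, make_request("alice")))
```

A check of this kind can run in a gateway or handler ahead of the security engine, so a request that carries a password against a NoPassword policy is rejected or logged before any password callback is invoked.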