[ 
https://issues.apache.org/jira/browse/RAMPART-385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451649#comment-13451649
 ] 

Suresh Attanayake commented on RAMPART-385:
-------------------------------------------

Hi,

This is not a bug. You must have used the WS-SecurityPolicy version 1.1. The 
<sp:NoPassword../> is not a part of the WS-SecurityPolicy version 1.1. It is 
defined in the WS-SecurityPolicy version 1.2. 
So use policy version 1.2. Rampart handles the NoPassword policy well. 
Anyhow, I have added policy validation on this. It is with the patch 
(RAMPART-385.patch) attached herewith. 

Thanks,
-Suresh 
                
> Rampart does check username token password (via callback), even though 
> "NoPassword" was specified in Security Policy
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-385
>                 URL: https://issues.apache.org/jira/browse/RAMPART-385
>             Project: Rampart
>          Issue Type: Question
>         Environment: JBoss 5.1.2 
> Axis2 1.6.2 
> Rampart/Rahas 1.6.2
>            Reporter: Simon Jongsma
>
> A Policy was specified on a web service as such:
> <sp:SupportingTokens>
>   <wsp:Policy>
>     <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>       <wsp:Policy>
>         <sp:NoPassword/>
>       </wsp:Policy>
>     </sp:UsernameToken>
>   </wsp:Policy>
> </sp:SupportingTokens>
> If the request contains username token + password in security header, I would 
> expect (hope) rampart to ignore 
> the password or complain that a password is present (I'm not sure about the 
> meaning of NoPassword in this respect).
> Anyway: rampart will go into the password callback and require us to supply 
> the value.
> Is this correct?
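
A pre-deployment check for the mismatch described in the comment above, added here as an example (it is not Rampart code and not part of RAMPART-385.patch): it flags any `NoPassword` assertion under a `UsernameToken` that is not bound to the WS-SecurityPolicy 1.2 namespace. The sample policy is constructed from the one in the report, with namespace declarations added on the assumption that `sp` was bound to the 1.1 URI seen in its `IncludeToken` value; the function and helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the two WS-SecurityPolicy versions.
SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
VERSION = {SP11: "1.1", SP12: "1.2"}

def qname(tag):
    """Split ElementTree's '{ns}local' form into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def find_nopassword_mismatches(policy_xml):
    """Return one finding per NoPassword assertion not in the 1.2 namespace."""
    findings = []
    for token in ET.fromstring(policy_xml).iter():
        t_ns, t_local = qname(token.tag)
        if t_local != "UsernameToken":
            continue
        for child in token.iter():
            c_ns, c_local = qname(child.tag)
            if c_local == "NoPassword" and c_ns != SP12:
                findings.append(
                    "NoPassword under UsernameToken (policy %s) is in namespace "
                    "%r, not WS-SecurityPolicy 1.2 (%s)"
                    % (VERSION.get(t_ns, "unknown"), c_ns, SP12))
    return findings

def policy(sp_ns):
    """Constructed sample: the policy from the report with namespaces declared."""
    return f"""<sp:SupportingTokens xmlns:sp="{sp_ns}"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{sp_ns}/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:NoPassword/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>"""

if __name__ == "__main__":
    for ns in (SP11, SP12):
        print(VERSION[ns], find_nopassword_mismatches(policy(ns)) or "ok")
```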
