On Jan 30, 2013 9:05 AM, "Ruchith Fernando" <ruchith.ferna...@gmail.com> wrote: > > Hi Brian, > > On Wed, Jan 30, 2013 at 8:44 AM, Brian Reinhold > <brianreinh...@lampreynetworks.com> wrote: > > Interesting! I will need to look at these > > > > What I did instead was to change the UsernameTokenValidator.java file in > > WSS4J. In that file when the callback was being created they simply placed > > null for the password. I removed the null and put in the password. However, > > this admittedly broke their model. Now the user was responsible for > > indicated to WSS4J that the password was good (by not changing it) or bad > > (by changing it to something else). Before the user had to ALWAYS provide > > the ACTUAL password (which did not work in the case if one stored digests). > > > > This statement is not correct.
But this certainly is the behavior in the current release (1.6.2). Thanks, Ruchith > In previous versions of WSS4J/Rampart user _only_ had to provide the > actual password in the serverside in case > "WSPasswordCallback.USERNAME_TOKEN_UNKNOWN". > This was set when there was an incoming UsernameToken with a plain > text password. > > Thanks, > Ruchith
