That is not my experience. When using a plain text password (or any password)
for the USERNAME_TOKEN case, invoking getPassword() always returns null.

 

Looking at the code in WSS4J, I can see why. The version I have of WSS4J is
1.6.6 and the version of Rampart is 1.6.2.

 

Brian

 

From: Ruchith Fernando [mailto:[email protected]] 
Sent: Wednesday, January 30, 2013 8:33 AM
To: [email protected]
Subject: Re: Rampart STS Username service not returning password in callback

 


On Jan 30, 2013 9:05 AM, "Ruchith Fernando" <[email protected]> wrote:
>
> Hi Brian,
>
> On Wed, Jan 30, 2013 at 8:44 AM, Brian Reinhold
> <[email protected]> wrote:
> > Interesting! I will need to look at these
> >
> > What I did instead was to change the UsernameTokenValidator.java file in
> > WSS4J. In that file, when the callback was being created, they simply placed
> > null for the password. I removed the null and put in the password. However,
> > this admittedly broke their model. Now the user was responsible for
> > indicating to WSS4J that the password was good (by not changing it) or bad
> > (by changing it to something else). Before, the user had to ALWAYS provide
> > the ACTUAL password (which did not work in the case where one stored digests).
> >
>
> This statement is not correct.

But this certainly is the behavior in the current release (1.6.2).

Thanks,
Ruchith

> In previous versions of WSS4J/Rampart the user _only_ had to provide the
> actual password on the server side in the case of
> "WSPasswordCallback.USERNAME_TOKEN_UNKNOWN".
> This was set when there was an incoming UsernameToken with a plain
> text password.
>
> Thanks,
> Ruchith
