User development,

A new message was posted in the thread "UserNameToken - Password not optional":

http://community.jboss.org/message/532764#532764

Author  : Rune Molin
Profile : http://community.jboss.org/people/rmolin

Message:
--------------------------------------------------------------
Hello everyone
 
I'm working on securing webservices using WS-Security Username Token Profile, 
but it occurs to me that JBossWS doesn't quite implement this standard 
faithfully. The way I read 
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
 it says that "Within <wsse:UsernameToken> element, a <wsse:Password> element 
*may* be specified." 
 
But from reading the implementation of 
org.jboss.ws.extensions.security.element.UsernameToken it very much looks like 
the password element actually is required. Confirm ?
 
I'm using JBoss EAP 4.3.0.GA CP07, but the code is virtually the same in the 
JBossWS Stack Native trunk.
 
My objective is to propagate the end user ID to the service, use 
LdapExtLoginModule to retrieve roles from Active Directory and restrict access 
to specific operations by roles. This works great with SoapUI as the client, 
where I can enter my password manually, but in a real live application I won't 
have access to the user's password. 
 
Am I going about this the wrong way?
 
/Rune

--------------------------------------------------------------



_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
