Hi all,

I found 2 bugs in the method UsernameToken.serialize(XMLStreamWriter writer).

First one: If the WssUsernameToken10 or WssUsernameToken11 assertion is present, the policy element inside the UsernameToken assertion gets the WS-SecurityPolicy 1.2 namespace and not the WS-Policy namespace. Therefore the following code must be changed (see comments):

    if (isUseUTProfile10() || isUseUTProfile11()) {
        String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
        if (pPrefix == null) {
            pPrefix = SPConstants.POLICY.getPrefix(); // --> insert
            writer.setPrefix(SPConstants.POLICY.getPrefix(), SPConstants.POLICY.getNamespaceURI());
        }
        // <wsp:Policy>
        writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY.getNamespaceURI()); // --> use pPrefix instead of prefix as first parameter

Second one: The elements HashPassword and NoPassword are put inside the WssUsernameToken10 or WssUsernameToken11 elements and not inside the Policy element of the UsernameToken. Therefore they will not be loaded again by the UsernameTokenBuilder after serialization. It is also inconsistent with the WS-SecurityPolicy 1.2 specification. Therefore, the call writer.writeEndElement() in line 163 must be moved to line 140.

Regards,
hg
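
A round-trip check for the two problems reported above, as an added example that is not part of the original message and is not the project's code. The class `UtPolicyNamespaceCheck`, its `serialize` and `roundTrips` methods and the `fixed` switch are hypothetical stand-ins for the real serializer, and the two namespace URIs are assumed to be the ones behind the `sp` and `wsp` prefixes.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class UtPolicyNamespaceCheck {
    // Assumed namespace URIs for the sp and wsp prefixes.
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";

    // fixed=false: Policy written with the sp prefix, version element closed late.
    // fixed=true:  Policy written with the wsp prefix, version element closed first.
    static String serialize(boolean fixed) throws Exception {
        StringWriter out = new StringWriter();
        XMLStreamWriter w = XMLOutputFactory.newInstance().createXMLStreamWriter(out);
        w.writeStartElement("sp", "UsernameToken", SP);
        w.writeNamespace("sp", SP);
        w.writeNamespace("wsp", WSP);
        w.writeStartElement(fixed ? "wsp" : "sp", "Policy", WSP);
        w.writeStartElement("sp", "WssUsernameToken10", SP);
        if (fixed) w.writeEndElement();   // close WssUsernameToken10 before HashPassword
        w.writeStartElement("sp", "HashPassword", SP);
        w.writeEndElement();
        if (!fixed) w.writeEndElement();  // late close: HashPassword ends up nested inside
        w.writeEndElement();              // Policy
        w.writeEndElement();              // UsernameToken
        w.close();
        return out.toString();
    }

    // True when exactly one WS-Policy Policy element exists and HashPassword is its direct child.
    static boolean roundTrips(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Element ut = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        NodeList policy = ut.getElementsByTagNameNS(WSP, "Policy");
        NodeList hash = ut.getElementsByTagNameNS(SP, "HashPassword");
        return policy.getLength() == 1 && hash.getLength() == 1
                && hash.item(0).getParentNode().isSameNode(policy.item(0));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: " + roundTrips(serialize(false)) + "  " + serialize(false));
        System.out.println("fixed:  " + roundTrips(serialize(true)) + "  " + serialize(true));
    }
}
```

A namespace-aware parser resolves the element by its prefix binding, so the `sp:Policy` written in the `before` case lands in the WS-SecurityPolicy namespace even though the writer was handed the WS-Policy URI.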