On Thu February 4 2010 12:31:36 pm huidong wrote: > Dan, > > you are right. there is a setting in the WSSConfig obj to allow accepting > out of spec password. however, WSS4JInInterceptor does not set WSSConfig > before this call: > > wsResult = getSecurityEngine().processSecurityHeader(...) > > therefore, the securityEngine simply get the default WSSConfig, the setting > does not take effect. i think the correct way should be: > > getSecurityEngine().setWssConfig(reqData.getWssConfig()); > wsResult = getSecurityEngine().processSecurityHeader(...) > > am i right?
Well, the code on trunk is a bit different now in that the WSConfig object that is used can be passed in as a property. Thus, with that, it's much easier. One option for you COULD be to do something like: WSSConfig.getDefaultWSConfig().setAllowNamespaceQualifiedPasswordTypes(true); in some user code or something at startup. That should set the default config object to allow it which would then be used for processsing. Dan > > dkulp wrote: > > According to spec, the "Username" and "Password" child elements of > > "UsernameToken" are NOT supposed to be qualified. The message you put > > here > > has them qualified. > > > > I think there is a setting in the WSConfig object to allow accepting the > > out > > of spec name/passwords, I'm just not sure how that would be used with the > > WSS4JInInterceptor. I added some code last week to allow configuring in > > a > > specific WSConfig object relatively easily, but that's not available in a > > release yet. > > > > Dan > -- Daniel Kulp [email protected] http://www.dankulp.com/blog
