[ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12357892 ]

Kevin Fung commented on WSS-25:
-------------------------------

I used both password text and digest. Digest was checked, but text was not. I see your point, but I think the convention of JAAS CallbackHandler is to provide the password to the PasswordCallback. The application (WSSecurityEngine in this case) performs the validation, similar to the way that password digest is handled.

Regards,
Kevin

> UsernameToken password is not checked
> -------------------------------------
>
>          Key: WSS-25
>          URL: http://issues.apache.org/jira/browse/WSS-25
>      Project: WSS4J
>         Type: Bug
>  Environment: Windows 2000, JDK 1.5.0_05-b05
>     Reporter: Kevin Fung
>     Assignee: Davanum Srinivas
>
> In the handleUsernameToken method in WSSecurityEngine class, the password
> returned by the password handler is not compared against the password/digest
> from the UsernameToken. The result is that any password will be accepted.
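
The comparison this issue is about, as an added example (not WSS4J code and not part of the original message): the callback handler only supplies the stored password, and the caller compares it against the token for both password types. It assumes Java 8+, a plain `PasswordCallback` whose prompt carries the user name, and a hypothetical class `UsernameTokenCheck`; the user store, nonce and timestamp are constructed.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import javax.security.auth.callback.*;

public class UsernameTokenCheck {  // hypothetical name, not a WSS4J class
    static final String NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    static final String TEXT = NS + "#PasswordText", DIGEST = NS + "#PasswordDigest";

    // UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)).
    // 'nonce' is the decoded nonce bytes, not the Base64 text from the message.
    static String digest(byte[] nonce, String created, char[] pw) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest(new String(pw).getBytes(UTF_8)));
    }

    // The handler supplies the stored password; the comparison happens here for
    // BOTH password types, and any unrecognised type or missing input is rejected.
    static boolean verify(CallbackHandler handler, String user, String type,
                          String received, byte[] nonce, String created) throws Exception {
        if (user == null || user.isEmpty() || received == null) return false;
        PasswordCallback cb = new PasswordCallback(user, false); // assumption: prompt = user name
        handler.handle(new Callback[] { cb });
        char[] stored = cb.getPassword();
        if (stored == null) return false;                        // handler knows no such user
        String expected;
        if (TEXT.equals(type)) expected = new String(stored);
        else if (DIGEST.equals(type) && nonce != null && created != null)
            expected = digest(nonce, created, stored);
        else return false;
        // Constant-time comparison of expected and received values.
        return MessageDigest.isEqual(expected.getBytes(UTF_8), received.getBytes(UTF_8));
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = callbacks -> {                 // constructed one-user store
            for (Callback c : callbacks)
                if (c instanceof PasswordCallback && "alice".equals(((PasswordCallback) c).getPrompt()))
                    ((PasswordCallback) c).setPassword("s3cret".toCharArray());
        };
        byte[] nonce = "constructed-nonce".getBytes(UTF_8);
        String created = "2005-11-16T00:00:00Z";                 // constructed timestamp
        System.out.println(verify(handler, "alice", TEXT, "s3cret", null, null));
        System.out.println(verify(handler, "alice", TEXT, "wrong", null, null));
        System.out.println(verify(handler, "alice", DIGEST,
            digest(nonce, created, "s3cret".toCharArray()), nonce, created));
        System.out.println(verify(handler, "mallory", TEXT, "anything", null, null));
    }
}
```

Only the first and third calls should be accepted; the wrong plaintext password and the unknown user are rejected.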
