[ http://issues.apache.org/jira/browse/WSS-25?page=comments#action_12362944 ]
Werner Dittmann commented on WSS-25:
------------------------------------

Kevin,

yes, you are right with respect to JAAS and the overall callback semantic. When we introduced this specific behaviour we explicitly stated that we deviate here from the JAAS meaning. This is mainly because the handler cannot check the password in every case: password type text is often used to transport password data transparently that is passed forward to the service (we had several discussions here on the list about that). Also, the WSS spec allows introducing own password type attributes. Thus we went on and said: well, the handler calls the callback method, but with a specific usage type and the actual password type data. The callback implementation may now, based on the usage type and password type, decide what to do, and may perform the check on its own and throw an exception if something is wrong.

Regards,
Werner

> UsernameToken password is not checked
> -------------------------------------
>
>          Key: WSS-25
>          URL: http://issues.apache.org/jira/browse/WSS-25
>      Project: WSS4J
>         Type: Bug
>  Environment: Windows 2000, JDK 1.5.0_05-b05
>     Reporter: Kevin Fung
>     Assignee: Davanum Srinivas
>
> In the handleUsernameToken method in WSSecurityEngine class, the password
> returned by the password handler is not compared against the password/digest
> from the UsernameToken. The result is that any password will be accepted.
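The following is an added example, not code from WSS4J or from either participant in this thread. It illustrates the split of responsibility Werner describes: the engine passes a usage type and the raw password type to the application's CallbackHandler, and for text passwords the callback itself compares and throws, while for digest passwords it hands back the stored secret so the engine can recompute and compare the digest (the check the bug report says was missing). The `UsernameTokenPasswordCallback` class, its `USAGE_*` constants and accessors, and the user table are all constructed for this example and are not WSS4J's real `WSPasswordCallback` API; the digest formula is the one from the WSS UsernameToken Profile 1.0, `Base64(SHA-1(nonce || created || password))`. It assumes Java 8 or later for `java.util.Base64`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

// Constructed stand-in for the callback object the security handler passes to the
// application. Names and constants are assumptions for this example, not WSS4J's API.
class UsernameTokenPasswordCallback implements Callback {
    static final int USAGE_DIGEST = 1; // engine recomputes PasswordDigest; needs the stored secret
    static final int USAGE_TEXT   = 2; // engine forwards PasswordText unchecked; callback must verify

    private final String identifier;   // user name from the UsernameToken
    private final int usage;
    private final String passwordType; // the wsse:Password Type attribute, passed through as-is
    private String password;           // presented text (USAGE_TEXT) or stored secret (USAGE_DIGEST)

    UsernameTokenPasswordCallback(String identifier, int usage, String passwordType, String password) {
        this.identifier = identifier; this.usage = usage;
        this.passwordType = passwordType; this.password = password;
    }
    String getIdentifier()   { return identifier; }
    int getUsage()           { return usage; }
    String getPasswordType() { return passwordType; }
    String getPassword()     { return password; }
    void setPassword(String p) { password = p; }
}

// Application-side handler that performs the check itself for text passwords and supplies
// the stored secret for digest passwords. A mismatch is reported by throwing.
class CheckingPasswordHandler implements CallbackHandler {
    private final Map<String, String> store; // constructed user -> password table

    CheckingPasswordHandler(Map<String, String> store) { this.store = store; }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof UsernameTokenPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only UsernameToken callbacks are handled");
            }
            UsernameTokenPasswordCallback pc = (UsernameTokenPasswordCallback) cb;
            String stored = store.get(pc.getIdentifier());
            if (stored == null) {
                throw new IOException("unknown user: " + pc.getIdentifier());
            }
            switch (pc.getUsage()) {
                case UsernameTokenPasswordCallback.USAGE_DIGEST:
                    pc.setPassword(stored); // the engine, not the callback, compares digests
                    break;
                case UsernameTokenPasswordCallback.USAGE_TEXT: {
                    String presented = pc.getPassword() == null ? "" : pc.getPassword();
                    // constant-time comparison; the stored value is never written back
                    if (!MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                               presented.getBytes(StandardCharsets.UTF_8))) {
                        throw new IOException("password check failed for " + pc.getIdentifier());
                    }
                    break;
                }
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }
}

public class UsernameTokenCheckDemo {
    static final String TEXT_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String DIGEST_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    // PasswordDigest = Base64(SHA-1(nonce || created || password)), nonce as its raw bytes.
    static String passwordDigest(String nonceB64, String created, String password) throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceB64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Engine-side comparison of the presented digest against one recomputed from the stored secret.
    static boolean digestMatches(String nonceB64, String created, String stored, String presentedB64)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(Base64.getDecoder().decode(passwordDigest(nonceB64, created, stored)),
                                     Base64.getDecoder().decode(presentedB64));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> users = new HashMap<>();
        users.put("kevin", "s3cret"); // constructed credential
        CallbackHandler handler = new CheckingPasswordHandler(users);

        // PasswordText: the callback compares on its own and throws on mismatch.
        handler.handle(new Callback[] { new UsernameTokenPasswordCallback("kevin",
                UsernameTokenPasswordCallback.USAGE_TEXT, TEXT_TYPE, "s3cret") });
        System.out.println("text password accepted");
        try {
            handler.handle(new Callback[] { new UsernameTokenPasswordCallback("kevin",
                    UsernameTokenPasswordCallback.USAGE_TEXT, TEXT_TYPE, "wrong") });
            System.out.println("BUG: wrong text password accepted");
        } catch (IOException e) {
            System.out.println("text password rejected: " + e.getMessage());
        }

        // PasswordDigest: callback returns the stored secret, engine recomputes the digest.
        String nonce = Base64.getEncoder().encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String created = "2006-01-01T00:00:00Z";
        UsernameTokenPasswordCallback dg = new UsernameTokenPasswordCallback("kevin",
                UsernameTokenPasswordCallback.USAGE_DIGEST, DIGEST_TYPE, null);
        handler.handle(new Callback[] { dg });
        String presented = passwordDigest(nonce, created, "s3cret"); // what a correct client sends
        System.out.println("digest matches: " + digestMatches(nonce, created, dg.getPassword(), presented));
        System.out.println("digest with wrong secret: "
                + digestMatches(nonce, created, dg.getPassword(), passwordDigest(nonce, created, "wrong")));
    }
}
```

Compile and run with `javac UsernameTokenCheckDemo.java && java UsernameTokenCheckDemo`. The design point is that the engine can only compare digests when the callback returns the stored secret for the digest usage, whereas for text usage the presented value is already in the callback and the comparison has to happen there; a handler that ignores the usage type and simply returns the presented password for every call reproduces the "any password is accepted" outcome from the bug report.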
