Posted to wss4j-dev@ws.apache.org by Frode Ruud Laukus <la...@gmail.com> on 2008/11/14 13:05:12 UTC

UsernameTokenProcessor and plain text UsernameTokens

Hello,

I have a question regarding UsernameTokenProcessor and plain text
UsernameTokens in WSS4J.

These are lines 139-146 from the latest version of
org.apache.ws.security.processor.UsernameTokenProcessor.java:

            if (cb == null) {
                throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
            } else if (!WSConstants.PASSWORD_TEXT.equals(pwType) && !handleCustomPasswordTypes) {
                if (log.isDebugEnabled()) {
                    log.debug("Authentication failed as handleCustomUsernameTokenTypes is false");
                }
                throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
            }


These are two of the constant fields in the WSConstants class and their values:

WSConstants.PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
WSConstants.PW_TEXT = "PasswordText"


Right now the UsernameTokenProcessor only evaluates a plain text
UsernameToken when the type declaration in the UsernameToken is the
same as the long version WSConstants.PASSWORD_TEXT.

Is this a conscious choice? If so, why?
Or should the else if statement rather be something like this?

 else if ((!WSConstants.PASSWORD_TEXT.equals(pwType) || !WSConstants.PW_TEXT.equals(pwType)) && !handleCustomPasswordTypes) {


Thanks!

Best regards
Frode Laukus

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
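
An added example, not part of the original message and not WSS4J code: it evaluates the quoted check, the proposed check, and the De Morgan form of the proposal side by side, with true meaning the token is rejected. Because no string equals both constants, the form whose negations are joined with || is true for every pwType; the class name, method names and the two extra sample inputs are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

public class PasswordTypeCheckDemo {
    // Constant values copied from the message above.
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    static final String PW_TEXT = "PasswordText";

    // Condition quoted from UsernameTokenProcessor; true means "reject".
    static boolean rejectsCurrent(String pwType, boolean handleCustom) {
        return !PASSWORD_TEXT.equals(pwType) && !handleCustom;
    }

    // Condition as proposed in the message: the two negations joined with ||.
    static boolean rejectsProposedOr(String pwType, boolean handleCustom) {
        return (!PASSWORD_TEXT.equals(pwType) || !PW_TEXT.equals(pwType)) && !handleCustom;
    }

    // De Morgan form: reject only when pwType matches neither constant.
    static boolean rejectsNeither(String pwType, boolean handleCustom) {
        return !PASSWORD_TEXT.equals(pwType) && !PW_TEXT.equals(pwType) && !handleCustom;
    }

    public static void main(String[] args) {
        // Constructed inputs; the custom URN and the null (attribute absent)
        // case are not taken from the thread.
        List<String> types = Arrays.asList(PASSWORD_TEXT, PW_TEXT, "urn:example:custom-type", null);
        for (String t : types) {
            String label = (t == null) ? "(no Type attribute)" : t.substring(t.lastIndexOf('#') + 1);
            System.out.printf("%-24s current=%-5b or-form=%-5b neither-form=%b%n",
                label,
                rejectsCurrent(t, false),
                rejectsProposedOr(t, false),
                rejectsNeither(t, false));
        }
    }
}
```

Whether the short fragment should be accepted at all is a separate question from the boolean form; the example only shows how each condition behaves with handleCustomPasswordTypes set to false.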


RE: UsernameTokenProcessor and plain text UsernameTokens

Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi Frode,

> Is this a conscious choice? If so, why?

The Username Token Profile 1.1 states in relation to the password type:

"This optional URI attribute specifies the type of password being
provided. The table below identifies the pre-defined types (note that
the URI fragments are relative to the URI for this specification)."

My reading of this is that the URI fragments are given for convenience,
but that the full URI containing the Username Token namespace is
required in practice. I'm open to correction on this though. Any
opinions on this?

Btw I spotted another bug when I was looking at the code + spec:

https://issues.apache.org/jira/browse/WSS-152

Colm.

