Posted to fx-dev@ws.apache.org by Ruchith Fernando <ru...@gmail.com> on 2005/05/03 11:26:14 UTC

UsernameToken authentication when a plain text password is used

Hi,

I noticed that WSSecurityEngine doesn't authenticate the UsernameToken
when passwordType="PasswordText".

---------------------------------------------------------------------------------------------------------------------------
public WSUsernameTokenPrincipal handleUsernameToken(Element token, CallbackHandler cb)
        throws WSSecurityException {
    .....
    .....
    if (ut.isHashed()) {
        //Authenticates the UT
    }

    WSUsernameTokenPrincipal principal =
            new WSUsernameTokenPrincipal(user, ut.isHashed());
    principal.setNonce(nonce);
    principal.setPassword(password);
    principal.setCreatedTime(createdTime);

    return principal;
}

---------------------------------------------------------------------------------------------------------------------------

Is the above behaviour correct? If it is, in a situation where only a
UsernameToken (passwordType="PasswordText") is sent in the
security header, why should one specify the callback handler at the
service deployment?

It's clear that the service impl can authenticate the UT as well,
using the WSSecurityEngineResult vector from the msgContext, but why
not authenticate at the Engine in the above instance?

OR have I missed something obvious :-) ?

Thanks in advance,
Ruchith Fernando
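
As an added illustration of the question above (not code from the original post or from WSS4J): a stand-alone check that authenticates a UsernameToken for both password types, so a PasswordText value is compared against the stored password instead of being passed through. The class and method names and the sample values are hypothetical; `storedPassword` stands in for what a callback handler would return.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical stand-alone verifier (not WSS4J code).
public class UsernameTokenCheck {

    // Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is
    // Base64-decoded first, and an absent nonce or created is left out.
    static String digest(String nonceB64, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        if (nonceB64 != null) sha1.update(Base64.getDecoder().decode(nonceB64));
        if (created != null) sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // True only when the presented value matches the stored password, for both
    // password types. storedPassword stands in for a callback handler's answer.
    static boolean verify(boolean hashed, String presented, String nonceB64,
                          String created, String storedPassword) {
        if (presented == null || storedPassword == null) return false;
        try {
            String expected = hashed ? digest(nonceB64, created, storedPassword)
                                     : storedPassword;
            // MessageDigest.isEqual avoids an early-exit byte comparison.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         presented.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            return false; // malformed nonce or missing SHA-1: reject the token
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        String nonce = Base64.getEncoder()
                .encodeToString("constructed-nonce".getBytes(StandardCharsets.UTF_8));
        String created = "2005-05-03T11:26:14Z";
        String stored = "example-password";

        // PasswordText with the right and the wrong password.
        System.out.println(verify(false, "example-password", null, null, stored));
        System.out.println(verify(false, "wrong-password", null, null, stored));
        // PasswordDigest built from the right and the wrong password.
        System.out.println(verify(true, digest(nonce, created, stored), nonce, created, stored));
        System.out.println(verify(true, digest(nonce, created, "wrong-password"), nonce, created, stored));
    }
}
```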