[jbossws-issues] [JBoss JIRA] (JBWS-3386) Usernametoken support requires optional elements

Matt Wringe (JIRA) jira-events at lists.jboss.org
Mon Jan 30 09:36:48 EST 2012


    [ https://issues.jboss.org/browse/JBWS-3386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12662737#comment-12662737 ] 

Matt Wringe commented on JBWS-3386:
-----------------------------------

Hmm, yeah, looking at this again, it appears you are right that the username is mandatory but not the password. I must have misread the spec when filling out the original JIRA (and the interoperability issue we were seeing was with an empty password but with a username specified).
                
> Usernametoken support requires optional elements
> ------------------------------------------------
>
>                 Key: JBWS-3386
>                 URL: https://issues.jboss.org/browse/JBWS-3386
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-native
>            Reporter: Matt Wringe
>            Assignee: Alessio Soldano
>             Fix For: jbossws-native-4.0.1
>
>
> Usernametoken support is currently broken as it requires a username and password to be present in the WSS security header. According to the WSS specifications (both 1.0 and 1.1*) these are optional elements in wsse:UsernameToken. If either one of these elements is missing, then JBossWS incorrectly throws a WSSecurityException.
> See http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/modules/core/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java lines 78 and 84 for where it should not be throwing this error.
> *
> 1.1 spec http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf
> 1.0 spec http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
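
The rule the comment above settles on (wsse:Username required, wsse:Password optional), as an added Java example that is not part of the original message or the JBossWS code base. The class and method names are hypothetical, the sample tokens are constructed, a blank username is treated as missing (an assumption), and the record type needs Java 16 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenCheck { // hypothetical illustration class, not JBossWS code
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** password is null when wsse:Password is absent, "" when present but empty. */
    record Token(String username, String password) {}

    static Token parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The security header is untrusted input: refuse DOCTYPE declarations (XXE).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element token = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        String user = firstText(token, "Username");
        if (user == null || user.isBlank())
            throw new IllegalArgumentException("wsse:Username is required");
        // Absent password is only syntactically valid; never treat null as a passed check.
        return new Token(user, firstText(token, "Password"));
    }

    // Text of the first descendant element with this local name in the wsse namespace, or null.
    private static String firstText(Element parent, String local) {
        NodeList n = parent.getElementsByTagNameNS(WSSE, local);
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    public static void main(String[] args) {
        String open = "<wsse:UsernameToken xmlns:wsse=\"" + WSSE + "\">";
        String user = "<wsse:Username>alice</wsse:Username>", close = "</wsse:UsernameToken>";
        String[] samples = {                                   // constructed tokens
            open + user + close,                               // Password absent
            open + user + "<wsse:Password/>" + close,          // Password empty
            open + "<wsse:Password>x</wsse:Password>" + close  // Username absent
        };
        for (String s : samples) {
            try { System.out.println("accepted: " + parse(s)); }
            catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```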

        

