User development,
A new message was posted in the thread "UserNameToken - Password not optional":
http://community.jboss.org/message/532764#532764
Author : Rune Molin
Profile :
http://community.jboss.org/people/rmolin
Message:
--------------------------------------------------------------
Hello everyone
I'm working on securing webservices using WS-Security Username Token Profile, but it
occurs to me that JBossWS doesn't quite implement this standard faithfully. The way I
read
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-pr... it
says that "Within <wsse:UsernameToken> element, a <wsse:Password> element
*may* be specified."
But from reading the implementation of
org.jboss.ws.extensions.security.element.UsernameToken it very much looks like the
password element actually is required. Confirm ?
I'm using JBoss EAP 4.3.0.GA CP07, but the code is virtually the same in the JBossWS
Stack Native trunk.
My objective is to propagate the end user ID to the service, use LdapExtLoginModule to
retrieve roles from Active Directory and restrict access to specific operations by roles.
This works great with SoapUI as the client, where I can enter my password manually, but in
a real live application I won't have access to the users password.
Am I going abvout this the wrong way ?
/Rune
--------------------------------------------------------------
To reply to this message visit the message page:
http://community.jboss.org/message/532764#532764