[
https://issues.jboss.org/browse/JBWS-3386?page=com.atlassian.jira.plugin....
]
Alessio Soldano commented on JBWS-3386:
---------------------------------------
Hi Matt,
I agree on the need to remove the check on the password, as that *may* be provided but is
not mandatory. After having checked the spec again, I'm not sure about the same for
the username. Can you tell me exactly where you see the Username being considered
optional?
Thanks
Usernametoken support requires optional elements
------------------------------------------------
Key: JBWS-3386
URL: https://issues.jboss.org/browse/JBWS-3386
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-native
Reporter: Matt Wringe
Assignee: Alessio Soldano
Fix For: jbossws-native-4.0.1
Usernametoken support is currently broken as it requires a username and password to be
present in the wss security header. According to the WSS specifications (both 1.0 and
1.1*) these are optional elements in wsse:UsernameToken. If either one of these elements
is missing, then JBossWS incorrectly throws a WSSecurityException.
See
http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/modules/core/sr...
lines 78 and 84 for where it should not be throwing this error.
* 1.1 spec: http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-...
  1.0 spec: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-pr...
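One way a receiver could read a wsse:UsernameToken without insisting on both child elements, as an added example that is not JBossWS code: the class `LenientUsernameToken` and its methods are hypothetical, and the SOAP fragment is constructed. Because the thread leaves open whether Username is optional, the example returns null for either missing element and leaves that policy to the caller.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical class for illustration; not part of jbossws-native.
public class LenientUsernameToken {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    final String username; // null when wsse:Username is absent
    final String password; // null when wsse:Password is absent

    LenientUsernameToken(String u, String p) { username = u; password = p; }

    // Text of the first descendant with this local name, or null instead of an exception.
    static String childText(Element token, String localName) {
        NodeList nodes = token.getElementsByTagNameNS(WSSE_NS, localName);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent();
    }

    static LenientUsernameToken parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Header content is untrusted input: refuse DTDs so no external entities resolve.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList tokens = doc.getElementsByTagNameNS(WSSE_NS, "UsernameToken");
        if (tokens.getLength() == 0) throw new IllegalArgumentException("no wsse:UsernameToken");
        Element token = (Element) tokens.item(0);
        return new LenientUsernameToken(childText(token, "Username"), childText(token, "Password"));
    }

    // A token without a password is an identity claim only, not proof of identity.
    boolean carriesSecret() { return password != null && !password.isEmpty(); }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a security header whose token has a username and no password.
        String xml = "<wsse:Security xmlns:wsse=\"" + WSSE_NS + "\"><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>";
        LenientUsernameToken t = parse(xml);
        System.out.println(t.username + " carriesSecret=" + t.carriesSecret());
    }
}
```

Callers that accept a token where `carriesSecret()` is false need some other binding for the claimed identity, such as a signature over the message or transport-level authentication.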