[jboss-user] [JBoss Web Services] New message: "UserNameToken - Password not optional"

Rune Molin do-not-reply at jboss.com
Thu Mar 18 07:15:49 EDT 2010

User development,

A new message was posted in the thread "UserNameToken - Password not optional":


Author  : Rune Molin
Profile : http://community.jboss.org/people/rmolin

Hello everyone
I'm working on securing webservices using WS-Security Username Token Profile, but it occurs to me that JBossWS doesn't quite implement this standard faithfully. The way I read http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf it says that "Within <wsse:UsernameToken> element, a <wsse:Password> element *may* be specified." 
But from reading the implementation of org.jboss.ws.extensions.security.element.UsernameToken it very much looks like the password element actually is required. Confirm?
I'm using JBoss EAP 4.3.0.GA CP07, but the code is virtually the same in the JBossWS Stack Native trunk.
My objective is to propagate the end user ID to the service, use LdapExtLoginModule to retrieve roles from Active Directory and restrict access to specific operations by roles. This works great with SoapUI as the client, where I can enter my password manually, but in a real live application I won't have access to the user's password.
Am I going about this the wrong way?


To reply to this message visit the message page: http://community.jboss.org/message/532764#532764
