[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wss4j-dev
Subject:    UsernameTokenProcessor and plain text UsernameTokens
From:       "Frode Ruud Laukus" <laukus () gmail ! com>
Date:       2008-11-14 12:05:12
Message-ID: 40f1495a0811140405g5163c8d2vb07c334ff42f22ab () mail ! gmail ! com
[Download RAW message or body]

Hello,

I have a question regarding UsernameTokenProcessor and plain text
UsernameTokens in WSS4J.

This is lines 139-146 from latest version of
org.apache.ws.security.processor.UsernameTokenProcessor.java:

            if (cb == null) {
                throw new
WSSecurityException(WSSecurityException.FAILURE, "noCallback");
            } else if (!WSConstants.PASSWORD_TEXT.equals(pwType) &&
!handleCustomPasswordTypes) {
                if (log.isDebugEnabled()) {
                    log.debug("Authentication failed as
handleCustomUsernameTokenTypes is false");
                }
                throw new
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
            }


These are two of the constant fields in the WSConstants class and their values:

WSConstants.PASSWORD_TEXT =
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
WSConstants.PW_TEXT = "PasswordText"


Right now the UsernameTokenProcessor only evaluates a plain text
UsernameToken when the type declaration in the UsernameToken is the
same as the long version WSConstants.PASSWORD_TEXT.

Is this a conscious choice? If so, why?
Or should the else if statement rather be something like this?

 else if ((!WSConstants.PASSWORD_TEXT.equals(pwType) ||
!WSConstants.PW_TEXT.equals(pwType)) && !handleCustomPasswordTypes) {


Thanks!

Best regards
Frode Laukus

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

[prev in list] [next in list] [prev in thread] [next in thread]