Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 3.1.10
- None
- None
- Unknown
Description
If you want to use an empty password when calling a service, you get the following exception:
org.apache.cxf.interceptor.Fault: No callback handler and no password available
    at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:172)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:185)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
    at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
    at org.apache.cxf.ws.security.trust.STSTokenRetriever.getTokenFromSTS(STSTokenRetriever.java:427)
    at org.apache.cxf.ws.security.trust.STSTokenRetriever.issueToken(STSTokenRetriever.java:164)
    at org.apache.cxf.ws.security.trust.STSTokenRetriever.getToken(STSTokenRetriever.java:58)
    at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:133)
unless there is a password type NoPassword explicitly set in a policy assertion:
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
        <sp:NoPassword />
        <sp:WssUsernameToken10/>
    </wsp:Policy>
</sp:UsernameToken>
But if there is no <NoPassword> assertion, it doesn't mean that we cannot use an empty password (that is, an empty string), does it?