CXF-7255: Allow empty ("") passwords when calling a service

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.10
    • Fix Version/s: 3.1.11
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      If you want to use an empty password when calling a service, you get the following exception:

      org.apache.cxf.interceptor.Fault: No callback handler and no password available
      	at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:172)
      	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:185)
      	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
      	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
      	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
      	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
      	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
      	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
      	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
      	at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
      	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
      	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
      	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
      	at org.apache.cxf.ws.security.trust.STSTokenRetriever.getTokenFromSTS(STSTokenRetriever.java:427)
      	at org.apache.cxf.ws.security.trust.STSTokenRetriever.issueToken(STSTokenRetriever.java:164)
      	at org.apache.cxf.ws.security.trust.STSTokenRetriever.getToken(STSTokenRetriever.java:58)
      	at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:133)
      

      unless there is a password type NoPassword explicitly set in a policy assertion:

      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
              <sp:NoPassword /> 
              <sp:WssUsernameToken10/>
          </wsp:Policy>
      </sp:UsernameToken>
      

      But if there is no <NoPassword> assertion, it doesn't mean that we cannot use an empty password (that is, an empty string), does it?

          People

            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: yodasad