  1. Rampart
  2. RAMPART-385

Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy

    Details

    • Type: Question
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:
      JBoss 5.1.2
      Axis2 1.6.2
      Rampart/Rahas 1.6.2

      Description

      A Policy was specified on a web service as such:

      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:NoPassword/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>

      If the request contains a username token + password in the security header, I would expect (hope) Rampart to ignore
      the password or complain that a password is present (I'm not sure about the meaning of NoPassword in this respect).

      Anyway: Rampart will go into the password callback and require us to supply the value.
      Is this correct?

        Attachments

        1. RAMPART-385.patch
          15 kB
          Suresh Attanayake
        2. policy-1.2-UT.xml
          2 kB
          Suresh Attanayake
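
Added example (not part of the original report, and not Rampart's code): a stand-alone Python check for the mismatch described above, flagging a request whose UsernameToken carries a wsse:Password while the policy nests sp:NoPassword. It assumes NoPassword means the password element must not be present, takes the policy namespaces from the IncludeToken URI in the report, and uses a constructed SOAP request; all function names are illustrative.

```python
import xml.etree.ElementTree as ET

# SP/WSP namespaces are assumed from the IncludeToken URI quoted in the report;
# WSSE is the OASIS WS-Security 1.0 secext namespace.
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# The policy fragment from the report, with namespace declarations added.
POLICY = f"""<sp:SupportingTokens xmlns:sp="{SP}" xmlns:wsp="{WSP}">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
      <wsp:Policy><sp:NoPassword/></wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>"""

def make_request(with_password):
    """Constructed SOAP request; user name and password are sample values."""
    pw = "<wsse:Password>constructed-secret</wsse:Password>" if with_password else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"><soap:Header>'
            "<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
            f"{pw}</wsse:UsernameToken></wsse:Security></soap:Header>"
            "<soap:Body/></soap:Envelope>")

def policy_forbids_password(policy_xml):
    """True if any sp:UsernameToken assertion nests wsp:Policy/sp:NoPassword."""
    # Samples here are trusted; use a hardened parser (e.g. defusedxml) on real traffic.
    root = ET.fromstring(policy_xml)
    for token in root.iter(f"{{{SP}}}UsernameToken"):
        if token.find(f"{{{WSP}}}Policy/{{{SP}}}NoPassword") is not None:
            return True
    return False

def password_violations(policy_xml, soap_xml):
    """User names whose token carries wsse:Password although the policy says NoPassword."""
    if not policy_forbids_password(policy_xml):
        return []
    bad = []
    for token in ET.fromstring(soap_xml).iter(f"{{{WSSE}}}UsernameToken"):
        if token.find(f"{{{WSSE}}}Password") is not None:
            bad.append(token.findtext(f"{{{WSSE}}}Username", default="?"))
    return bad

if __name__ == "__main__":
    print(password_violations(POLICY, make_request(True)))
    print(password_violations(POLICY, make_request(False)))
```
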

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              simon.jongsma Simon Jongsma
            • Votes:
              0
              Watchers:
              2
