[RAMPART-385] Rampart does check username token password (via callback), even though "NoPassword" was specified in Security Policy - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Question
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
- Patch
Environment:
JBoss 5.1.2
Axis2 1.6.2
Rampart/Rahas 1.6.2

Description

A Policy was specified on a web service as such:

<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:NoPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>

If the request contains username token + password in security header, I would expect (hope) rampart to ignore
the password or complain that a password is present (i'm not sure about the meaning of NoPassword in this respect).

Anyway: rampart will go into the password callback and require us to supply the value.
Is this correct?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

RAMPART-385.patch
10/Sep/12 03:10
15 kB
Suresh Attanayake
policy-1.2-UT.xml
24/Jan/13 20:22
2 kB
Suresh Attanayake

Activity

People

Assignee:: Unassigned

Reporter:: Simon Jongsma

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Aug/12 12:13

Updated:: 30/Jan/17 18:26