Details
Type: Question
Status: Open
Priority: Major
Resolution: Unresolved
JBoss 5.1.2
Axis2 1.6.2
Rampart/Rahas 1.6.2
Description
A Policy was specified on a web service as such:
<sp:SupportingTokens>
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:NoPassword/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>
If the request contains username token + password in security header, I would expect (hope) Rampart to ignore the password or complain that a password is present (I'm not sure about the meaning of NoPassword in this respect).
Anyway: Rampart will go into the password callback and require us to supply the value.
Is this correct?
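
Added example, not part of the original issue and not Rampart code: a stand-alone check for the second behaviour the reporter mentions, complaining when a request's UsernameToken carries a password although the policy nests NoPassword. Policy assertions are matched by local name; the policy namespace URIs, the SOAP 1.1 envelope and the sample request are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 assumed

# The page's policy; the xmlns values are assumptions (the page omits them).
POLICY = """<sp:SupportingTokens
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy><sp:NoPassword/></wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>"""

# Constructed request: username token plus password, as in the report.
REQUEST = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}">
  <s:Header><wsse:Security>
    <wsse:UsernameToken>
      <wsse:Username>alice</wsse:Username>
      <wsse:Password>constructed-secret</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security></s:Header>
  <s:Body/>
</s:Envelope>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def policy_has_no_password(policy_xml):
    """True if a UsernameToken assertion nests a NoPassword assertion."""
    tokens = (e for e in ET.fromstring(policy_xml).iter()
              if local(e.tag) == "UsernameToken")
    return any(local(c.tag) == "NoPassword" for t in tokens for c in t.iter())

def check(policy_xml, soap_xml):
    """Usernames whose token carries wsse:Password despite NoPassword."""
    if not policy_has_no_password(policy_xml):
        return []
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken"
    return [tok.findtext(f"{{{WSSE}}}Username", default="")
            for tok in ET.fromstring(soap_xml).iterfind(path)
            if tok.find(f"{{{WSSE}}}Password") is not None]

if __name__ == "__main__":
    print(check(POLICY, REQUEST))
```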