  1. WSS4J
  2. WSS-321

Cannot configure for no password element expected using Spring configuration

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.3
    • Fix Version/s: 1.6.4
    • Component/s: WSS4J Core, WSS4J Handlers
    • Labels: None
    • Environment: Ubuntu 10.04. ServiceMix 4.

    Description

      We don't wish to have a Password element in the inbound SOAP request.
      WSSecurityUtil.decodeAction() parses the actions that are put in the Spring XML file. We have "UsernameToken", so decodeAction sets the internal representation of the expected WS Security elements to a list with the single value: WSConstants.UT (0x01).

      When a SOAP message arrives, UsernameTokenProcessor.handleToken() is called, which sets the expected action to WSConstants.UT_NOPASSWORD (0x2000) because there is no password element. Thus when WSHandler.checkReceiverResultsAnyOrder(), which checks that the list of expected actions and received actions are the same, is called, it fails and the debug output is "Security processing failed (actions mismatch)".

      Yes, we could override the Processor to get around this, but we were hoping to take advantage of the recent changes which meant that we just needed to implement our own Validator.
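
A simplified model of the check described in the report, added here as an illustration (it is not WSS4J source code and not the reporter's code). The method names are hypothetical stand-ins; only the two constant values and the configured action name come from the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ActionMismatchDemo {
    // Values as quoted in the report for WSConstants.UT and WSConstants.UT_NOPASSWORD.
    static final int UT = 0x01;
    static final int UT_NOPASSWORD = 0x2000;

    // Hypothetical stand-in for decodeAction(): maps configured action names to codes.
    static List<Integer> decodeConfiguredActions(String config) {
        List<Integer> actions = new ArrayList<>();
        for (String name : config.trim().split("\\s+")) {
            if (name.equals("UsernameToken")) {
                actions.add(UT);
            } else {
                throw new IllegalArgumentException("Unknown action: " + name);
            }
        }
        return actions;
    }

    // Hypothetical stand-in for the token processor: the recorded action depends
    // on whether the inbound UsernameToken carried a Password element.
    static int actionForToken(boolean hasPasswordElement) {
        return hasPasswordElement ? UT : UT_NOPASSWORD;
    }

    // Order-independent comparison of expected and received actions.
    static boolean matchesAnyOrder(List<Integer> expected, List<Integer> received) {
        List<Integer> remaining = new ArrayList<>(expected);
        for (Integer action : received) {
            if (!remaining.remove(action)) {   // remove(Object): drops one matching entry
                return false;                  // received an action that was not configured
            }
        }
        return remaining.isEmpty();            // every configured action must be present
    }

    public static void main(String[] args) {
        List<Integer> expected = decodeConfiguredActions("UsernameToken");
        for (boolean hasPassword : new boolean[] {true, false}) {
            List<Integer> received = Arrays.asList(actionForToken(hasPassword));
            System.out.printf("password element=%b expected=%s received=%s -> %s%n",
                hasPassword, expected, received,
                matchesAnyOrder(expected, received) ? "accepted" : "actions mismatch");
        }
    }
}
```

In this model the receiver fails closed: a token without a Password element is recorded under a different action code than the configured one, so the comparison rejects it.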

          People

            Assignee: coheigea Colm O hEigeartaigh
            Reporter: pbrichardson41 Paul Richardson