Wss4j 1.5.8 includes a new WSHandlerConstant named ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES.
By default, the value for this option is false.
When migrating my web services application from spring-ws 1.5.7 to 1.5.8 (which includes wss4j 1.5.8), the WS-Security headers sent by Microsoft clients do not validate.
Specifically, when execution reaches line 173 of org.apache.ws.security.message.token.UsernameToken, the field allowNamespaceQualifiedPasswordTypes is false, and as a result the "WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN,"badTokenType01",new Object
" is thrown.
wss4j 1.5.7 for reference looks pretty different within the same UsernameToken constructor; it simply sets passwordType to whatever "elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR)" returns.
It appears ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES was developed in response to the format of the Microsoft clients.
I'm wondering if we can expose a way in Wss4jSecurityInterceptor to toggle this option.
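The check described in this report, sketched as an added example using only the JDK DOM API; it is not wss4j or spring-ws code. It assumes, as the option's name suggests, that the rejected form is a `Type` attribute qualified with the WSSE namespace; the class name, method names and the sample `Password` elements are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class PasswordTypeCheck {
    // WS-Security 1.0 secext namespace from the OASIS specification.
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Hypothetical helper: returns the password type, or throws when the Type
    // attribute is namespace-qualified and allowQualified is false.
    static String passwordType(Element password, boolean allowQualified) {
        if (password.hasAttributeNS(null, "Type")) {
            return password.getAttributeNS(null, "Type");   // unqualified form
        }
        if (password.hasAttributeNS(WSSE_NS, "Type")) {     // wsse:Type form
            if (!allowQualified) {
                throw new IllegalArgumentException("namespace-qualified password Type rejected");
            }
            return password.getAttributeNS(WSSE_NS, "Type");
        }
        return null; // no Type attribute present
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // without this, wsse:Type is not seen as namespaced
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample elements; only the Type attribute's qualification differs.
        String open = "<wsse:Password xmlns:wsse=\"" + WSSE_NS + "\" ";
        String close = ">secret</wsse:Password>";
        String typeUri = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-username-token-profile-1.0#PasswordText";
        Element plain = parse(open + "Type=\"" + typeUri + "\"" + close);
        Element qualified = parse(open + "wsse:Type=\"" + typeUri + "\"" + close);

        System.out.println("unqualified, strict:  " + passwordType(plain, false));
        System.out.println("qualified, permissive: " + passwordType(qualified, true));
        try {
            passwordType(qualified, false);
        } catch (IllegalArgumentException e) {
            System.out.println("qualified, strict:     " + e.getMessage());
        }
    }
}
```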
|Field||Original Value||New Value|
|Fix Version/s|| ||1.5.9 [ 11296 ]|
|Assignee||Arjen Poutsma [ arjen.poutsma ]||Tareq Abedrabbo [ tareq ]|
|Resolution|| ||Fixed [ 1 ]|
|Status||Open [ 1 ]||Resolved [ 5 ]|
|Status||Resolved [ 5 ]||Closed [ 6 ]|

|Transition||Time In Source Status||Execution Times||Last Executer||Last Execution Date|
| ||47d 12h 53m||1||Tareq Abedrabbo||14/Dec/09 8:40 PM|
| ||871d 10h 23m||1||Arjen Poutsma||04/May/12 7:03 AM|