Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-581

expose ability to set Wss4j option ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES via Wss4jSecurityInterceptor

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9
    • Component/s: Security
    • Labels:
      None

      Description

      Wss4j 1.5.8 includes a new WSHandlerConstant named ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES.
      By default, the value for this option is false.

      When migrating my web services application from spring-ws 1.5.7 to 1.5.8 (which includes wss4j 1.5.8), the WS-Security header sent by Microsoft clients do not validate.
      Specifically, when execution reaches line 173 of org.apache.ws.security.message.token.UsernameToken, the field allowNamespaceQualifiedPasswordTypes is false, and as a result the "WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN,"badTokenType01",new Object[]

      {el}

      " is thrown.

      wss4j 1.5.7 for reference looks pretty different within the same UsernameToken constructor; it simply sets passwordType to whatever "elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR)" returns.

      It appears ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES was developed in response to the format of the Microsoft clients.

      I'm wondering if we can expose a way in Wss4jSecurityInterceptor to set toggle this option.

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            tareq Tareq Abedrabbo
            Reporter:
            nblair Nicholas Blair
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: