Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-581

expose ability to set Wss4j option ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES via Wss4jSecurityInterceptor


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9
    • Component/s: Security
    • Labels:


      Wss4j 1.5.8 includes a new WSHandlerConstant named ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES.
      By default, the value for this option is false.

      When migrating my web services application from spring-ws 1.5.7 to 1.5.8 (which includes wss4j 1.5.8), the WS-Security header sent by Microsoft clients do not validate.
      Specifically, when execution reaches line 173 of org.apache.ws.security.message.token.UsernameToken, the field allowNamespaceQualifiedPasswordTypes is false, and as a result the "WSSecurityException(WSSecurityException.INVALID_SECURITY_TOKEN,"badTokenType01",new Object[]


      " is thrown.

      wss4j 1.5.7 for reference looks pretty different within the same UsernameToken constructor; it simply sets passwordType to whatever "elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR)" returns.

      It appears ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES was developed in response to the format of the Microsoft clients.

      I'm wondering if we can expose a way in Wss4jSecurityInterceptor to set toggle this option.


        Transition Time In Source Status Execution Times Last Executer Last Execution Date
        Open Open Resolved Resolved
        47d 12h 53m 1 Tareq Abedrabbo 14/Dec/09 8:40 PM
        Resolved Resolved Closed Closed
        871d 10h 23m 1 Arjen Poutsma 04/May/12 7:03 AM


          • Assignee:
            tareq Tareq Abedrabbo
            nblair Nicholas Blair
          • Votes:
            0 Vote for this issue
            0 Start watching this issue


            • Created: