[SWS-450] XwsSecurityInterceptor always requires a callback handler

Created: 22/Nov/08  Updated: 04/May/12  Resolved: 14/Dec/08

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.5
Fix Version/s: 1.5.6

Type: Improvement Priority: Minor
Reporter: Michel Zanini Assignee: Tareq Abedrabbo
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: SWS-450.patch

 Description   

When using XwsSecurityInterceptor on the client side with the UsernameToken profile, it's good to not require any callbackHandlers.

See:
http://forum.springframework.org/showthread.php?p=214381



 Comments   
Comment by Tareq Abedrabbo [ 09/Dec/08 ]

Removing the assert statement relegates the validation to XWSS, which results in a nasty NPE if a callback handler is required but not assigned. Unfortunately, there doesn't seem to be a better solution.

Comment by Michel Zanini [ 09/Dec/08 ]

Another option is to create a boolean property to set if the interceptor will be used in the client with the token profile. But I think it isn't a good solution. Maybe we have to close the issue and keep it as it is.

Comment by Tareq Abedrabbo [ 09/Dec/08 ]

What I meant is that we can't do better than removing the assertion. Ideally, XWSS would validate its configuration and would throw sensible exceptions in case of error, which doesn't seem to be the case. There doesn't seem to be a simple way to interrogate XWSS about the loaded configuration either.

Comment by Arjen Poutsma [ 14/Dec/08 ]

I think it's a best practice to configure xwss in Spring config as much as possible. For instance, you can use the SimpleUsernamePasswordCallbackHandler as opposed to supplying the credentials inline.

Secondly, XWSS does not do a proper configuration check before initializing. So if we'd drop the callbackHandler check, most people will end up with nasty NPEs, which are harder to debug than assertion failures. Even though these failures are not 100% correct, as you pointed out.
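
Editorial example, added here and not part of the thread or the Spring-WS sources: a client-side configuration in the style the comment above recommends, with the credentials supplied by SimpleUsernamePasswordCallbackHandler instead of inline in the XWSS policy file. The bean ids, the policy file name `securityPolicy.xml`, and the `ws.client.*` property names are assumptions, and the placeholders presume a property placeholder configurer is defined elsewhere in the context.

```xml
<!-- Added illustration. Bean ids, file name and property keys are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!--
    securityPolicy.xml (classpath) carries only the policy, no credentials:

      <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
          <xwss:UsernameToken digestPassword="true" useNonce="true"/>
      </xwss:SecurityConfiguration>

    The inline form the comment advises against puts the secret in the policy file:

      <xwss:UsernameToken name="PLACEHOLDER_USER" password="PLACEHOLDER_PASSWORD"/>
  -->

  <!-- The interceptor asserts that a callback handler is set, which is the
       check discussed in this issue. -->
  <bean id="wsSecurityInterceptor"
        class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
    <property name="callbackHandler" ref="usernamePasswordHandler"/>
  </bean>

  <!-- Supplies the username and password to the UsernameToken at send time.
       Values are resolved from externalized properties, so the secret stays
       out of both the policy file and the bean definition. -->
  <bean id="usernamePasswordHandler"
        class="org.springframework.ws.soap.security.xwss.callback.SimpleUsernamePasswordCallbackHandler">
    <property name="username" value="${ws.client.username}"/>
    <property name="password" value="${ws.client.password}"/>
  </bean>

</beans>
```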

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
