[SWS-514] SpringPlainTextPasswordValidationCallbackHandler doesn't override handleUsernameToken Created: 17/May/09  Updated: 04/May/12  Resolved: 19/May/09

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 1.5.6
Fix Version/s: 1.5.7

Type: Bug Priority: Major
Reporter: Craig Day Assignee: Arjen Poutsma
Resolution: Invalid Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


SpringPlainTextPasswordValidationCallbackHandler overrides handleUsernameTokenUnknown() with code that looks like it should be in handleUsernameToken(),. i.e. the code that actually delegates to Spring Security's AuthenticationManager.

The result is that the class doesn't work at all, throwing an UnsupportedCallbackException for all authentication attempts. Moving the relevant code to handleUsernameToken() fixes things and all works as expected.

Comment by Tareq Abedrabbo [ 17/May/09 ]

Hi Craig,

Could you share some more details to help understanding the issue? What application context configuration are you using? A sample code would be ideal



Comment by Arjen Poutsma [ 18/May/09 ]

I think Craig was suggesting that the WSS4J SpringPlainTextPasswordValidationCallbackHandler also override the method handleUsernameToken(). At this point, it only override handleUsernameTokenUnknown. I don't know why this is, can you shine a little light on this, Tareq?

Comment by Tareq Abedrabbo [ 18/May/09 ]


SpringPlainTextPasswordValidationCallbackHandler's handleUsernameTokenUnknown is called to handle plain text username tokens solely(yes, wss4j's choice of name is a bit unfortunate here).
I suspect you're configuring your security interceptor with a SpringPlainTextPasswordValidationCallbackHandler while the username tokens you're receiving contain digest passwords, in which case you should use SpringDigestPasswordValidationCallbackHandlerTest.


Comment by Arjen Poutsma [ 19/May/09 ]

Closing as invalid for now, we can always reopen for 1.5.8

Comment by Craig Day [ 25/May/09 ]

Hi Arjen, Tareq,

Ive had a chance to have another look at this and Tareq is correct. I am using plaintext passwords, but at the time my test client must have been generating hashed/digest requests. The auth requests now end up on the very poorly named handleUsernameTokenUnknown() method - Thanks for your time.


Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues

Generated at Mon Mar 25 02:00:01 UTC 2019 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.