1 Reply Latest reply on Oct 9, 2007 9:58 AM by jason.greene

BASIC auth and WS-Security

thomas.diesler Oct 9, 2007 5:00 AM

It seems that we use the standard jaxrpc/jaxws properties as WSSE username token

 if (opConfig.getUsername() != null)
 {
 Object user = ctx.get(Stub.USERNAME_PROPERTY);
 Object pass = ctx.get(Stub.PASSWORD_PROPERTY);

 if (user == null && pass == null)
 {
 user = ctx.get(BindingProvider.USERNAME_PROPERTY);
 pass = ctx.get(BindingProvider.PASSWORD_PROPERTY);
 }

 if (user != null && pass != null)
 {
 operations.add(new OperationDescription<EncodingOperation>(SendUsernameOperation.class, null, user.toString(), pass.toString(), null));
 ctx.put(StubExt.PROPERTY_AUTH_TYPE, StubExt.PROPERTY_AUTH_TYPE_WSSE);
 }
 }

The side effect is that the wsse username token will always be sent via BASIC auth.

Is this by design? I thought the wsse username token is independent of transport security.

1. Re: BASIC auth and WS-Security

jason.greene Oct 9, 2007 9:58 AM (in response to thomas.diesler)

Thats a bug then, it should not be sent. IIRC the way I had originally written it, the SOAP Call implementation dropped any auth type it did not understand, which is why i introduced AUTH_TYPE_WSSE.
Actions