1 Reply Latest reply on Mar 18, 2010 8:17 AM by Rune Molin

    UserNameToken - Password not optional

    Rune Molin Newbie

      Hello everyone


      I'm working on securing webservices using WS-Security Username Token Profile, but it occurs to me that JBossWS doesn't quite implement this standard faithfully. The way I read http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf it says that "Within <wsse:UsernameToken> element, a <wsse:Password> element may be specified."


      But from reading the implementation of org.jboss.ws.extensions.security.element.UsernameToken it very much looks like the password element actually is required. Confirm ?


      I'm using JBoss EAP 4.3.0.GA CP07, but the code is virtually the same in the JBossWS Stack Native trunk.


      My objective is to propagate the end user ID to the service, use LdapExtLoginModule to retrieve roles from Active Directory and restrict access to specific operations by roles. This works great with SoapUI as the client, where I can enter my password manually, but in a real live application I won't have access to the users password.


      Am I going abvout this the wrong way ?