I'm working on securing webservices using WS-Security Username Token Profile, but it occurs to me that JBossWS doesn't quite implement this standard faithfully. The way I read http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf it says that "Within <wsse:UsernameToken> element, a <wsse:Password> element may be specified."
But from reading the implementation of org.jboss.ws.extensions.security.element.UsernameToken it very much looks like the password element actually is required. Confirm?
I'm using JBoss EAP 4.3.0.GA CP07, but the code is virtually the same in the JBossWS Stack Native trunk.
My objective is to propagate the end user ID to the service, use LdapExtLoginModule to retrieve roles from Active Directory and restrict access to specific operations by roles. This works great with SoapUI as the client, where I can enter my password manually, but in a real live application I won't have access to the user's password.
Am I going about this the wrong way?
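As an added illustration of the point raised above (example code, not from JBossWS or the poster), here is a reader for wsse:UsernameToken that follows the linked profile: Username is mandatory, Password is optional, and a token with no Password carries only an asserted identity, so a service that accepts such tokens for end-user propagation still has to authenticate the sending application by other means. The sample envelope, user name and password are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and password Type URIs from the WSS 1.0 Username Token Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed sample header: a token carrying only a Username, no Password.
ASSERTED_ONLY = f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header><wsse:Security xmlns:wsse="{WSSE}">
  <wsse:UsernameToken><wsse:Username>jdoe</wsse:Username></wsse:UsernameToken>
 </wsse:Security></S:Header><S:Body/></S:Envelope>"""


def parse_username_token(envelope_xml: str) -> dict:
    """Username is required; Password (with Type), Nonce and wsu:Created are optional."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    user = token.findtext(f"{{{WSSE}}}Username", default="").strip()
    if not user:
        raise ValueError("wsse:Username is required")
    pwd = token.find(f"{{{WSSE}}}Password")
    return {
        "username": user,
        "password": None if pwd is None else (pwd.text or ""),
        # The Type attribute defaults to PasswordText when it is absent.
        "password_type": None if pwd is None else pwd.get("Type", PASSWORD_TEXT),
        "nonce": token.findtext(f"{{{WSSE}}}Nonce"),
        "created": token.findtext(f"{{{WSU}}}Created"),
    }


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), nonce as decoded bytes."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_digest(token: dict, expected_password: str) -> bool:
    """A token without a Password never verifies: it asserts an identity but proves nothing."""
    if token["password_type"] != PASSWORD_DIGEST or not token["nonce"] or not token["created"]:
        return False
    nonce = base64.b64decode(token["nonce"])
    return password_digest(nonce, token["created"], expected_password) == token["password"]
```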