We have a web service running in EAP 6.1. It uses ws-secirity password authentication, plain password.

The client of this service is trying to consume it from WCF framework.

They get "Invalid Token" error.

The error happens here: http://grepcode.com/file/repository.springsource.com/org.apache.ws/com.springsource.org.apache.ws.security/1.6.5/org/apache/ws/security/message/token/UsernameToken.java/#185

The reason: they send us password with namespace in the "type" attribute (WCF does that apparently, I'm not good in MS technologies), which makes wss4j kick it back.

Now - look at the constructor of that method at line 111. Apparently it does allow relaxing that restriction bu sending true as the second parameter of the constrctor.

But when CXF calls it - it sends "false": http://grepcode.com/file/repo1.maven.org/maven2/org.apache.cxf/cxf-rt-ws-security/2.6.6/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java#167

And there is no way to change that.

Is there a reason for that restriction? (Maybe someone just hates Microsoft?...)

Does it mean we are dead in the water with EAP 6.1?

Thanks!

P.S.

I'm not sure that it's right place, will appreciate any input/redirection...