[jira] [Resolved] (CXF-7255) Allow empty ("") passwords when calling a service

Mon, 20 Feb 2017 09:54:12 -0800 

     [ 
https://issues.apache.org/jira/browse/CXF-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved CXF-7255.
--------------------------------------
    Resolution: Fixed

> Allow empty ("") passwords when calling a service
> -------------------------------------------------
>
>                 Key: CXF-7255
>                 URL: https://issues.apache.org/jira/browse/CXF-7255
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.1.10
>            Reporter: yodasad
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.11
>
>
> If you want to use an empty password when calling a service, you get the 
> following exception
> {noformat}
> org.apache.cxf.interceptor.Fault: No callback handler and no password 
> available
>       at 
> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:172)
>       at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(PolicyBasedWSS4JOutInterceptor.java:185)
>       at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:109)
>       at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:96)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
>       at 
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>       at 
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
>       at 
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
>       at 
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
>       at 
> org.apache.cxf.ws.security.trust.STSTokenRetriever.getTokenFromSTS(STSTokenRetriever.java:427)
>       at 
> org.apache.cxf.ws.security.trust.STSTokenRetriever.issueToken(STSTokenRetriever.java:164)
>       at 
> org.apache.cxf.ws.security.trust.STSTokenRetriever.getToken(STSTokenRetriever.java:58)
>       at 
> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:133)
> {noformat}
> unless there is a password type NoPassword explicitly set in a policy 
> assertion:
> {code:xml}
> <sp:UsernameToken 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>     <wsp:Policy>
>         <sp:NoPassword /> 
>         <sp:WssUsernameToken10/>
>     </wsp:Policy>
> </sp:UsernameToken>
> {code}
> But if there is no <NoPassword> assertion it doesn't mean that we cannot use 
> empty password (that is empty strings), does it?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to