[ https://issues.apache.org/jira/browse/CXF-8137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-8137:
-------------------------------------
    Fix Version/s: 3.2.12
                   3.3.5

> Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8137
>                 URL: https://issues.apache.org/jira/browse/CXF-8137
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.10
>            Reporter: Bjørn Hilstad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.3.5, 3.2.12
>
>
> Have been using SecurityConstants.VALIDATE_TOKEN=false to skip validation of
> UsernameToken with CXF 3.2.x successfully for a long time but this feature
> broke in 3.2.10.
> The reason is that the method getSecurityEngine(boolean utWithCallbacks) in
> WSS4JInInterceptor returns a different SecurityEngine than before.
> Up to version 3.2.9 using SecurityConstants.VALIDATE_TOKEN=false this method
> gave a WSSecurityEngine which had a WSSConfig with a validatorMap where the
> validator for
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"
> was a org.apache.wss4j.dom.validate.NoOpValidator.
> From 3.2.10 it gives a WSSecurityEngine that has a WSSConfig with a
> validatorMap where the validator for
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken"
> was a org.apache.wss4j.dom.validate.UsernameTokenValidator and hence the
> validation is NOT skipped anymore.
> Should this feature still work for 3.2.10 or has it been removed on purpose?
> Could probably be solved by just switching the order of the if-statements in
> getSecurityEngine(boolean utWithCallbacks).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)