sdiaz / FOSRestBundleByExample

FOSRestBundle example project with Symfony 2.6 standard distribution
MIT License

Authentication successful even with wrong password #9

Closed fdonzello closed 11 years ago

fdonzello commented 11 years ago

If I create a token with a good username but a wrong password, I obtain a WSSE token which doesn't work against secured APIs.

This happens because in the SecurityRestController we only check if the username is valid.

Is this correct, or should the controller deny the auth in case of a wrong password?

sdiaz commented 11 years ago

The token generator API is just for testing purposes; the token must be created client side. In this case the validation is done by the firewall, so when a user submits a token with an invalid password, they get an unauthorized message from the API, as the tokens do not match.

fdonzello commented 11 years ago

Got it, thanks.
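
The behaviour discussed in this thread, as an added example that is not part of the original issue or the project's code: a WSSE token can always be built client side from any password, and it is the server-side digest check that rejects one built from the wrong password. It assumes the standard WSSE UsernameToken digest (Base64 of SHA-1 over nonce, created timestamp and secret) and a plain shared secret; the function names `wsseCreateToken` and `wsseValidate`, the user `alice` and the secrets are hypothetical.

```php
<?php
// Added illustration, not code from FOSRestBundleByExample. Assumes the standard
// WSSE digest: PasswordDigest = Base64(SHA1(nonce . created . secret)).

// Client side: derive the token from whatever password the client supplies.
function wsseCreateToken(string $username, string $secret): array
{
    $nonce   = random_bytes(16);
    $created = gmdate('Y-m-d\TH:i:s\Z');
    return [
        'Username'       => $username,
        'PasswordDigest' => base64_encode(sha1($nonce . $created . $secret, true)),
        'Nonce'          => base64_encode($nonce),
        'Created'        => $created,
    ];
}

// Server side (the firewall's job): recompute the digest from the stored secret.
function wsseValidate(array $token, array $secrets, array &$seenNonces, int $lifetime = 300): bool
{
    $secret  = $secrets[$token['Username']] ?? null;
    $created = strtotime($token['Created']);
    $nonce   = base64_decode($token['Nonce'], true);
    if ($secret === null || $created === false || $nonce === false) {
        return false; // unknown user or malformed token
    }
    if ($created > time() || time() - $created > $lifetime) {
        return false; // future-dated or expired
    }
    if (isset($seenNonces[$token['Nonce']])) {
        return false; // replayed nonce
    }
    $expected = base64_encode(sha1($nonce . $token['Created'] . $secret, true));
    if (!hash_equals($expected, $token['PasswordDigest'])) {
        return false; // digest built from a different password
    }
    $seenNonces[$token['Nonce']] = $created;
    return true;
}

// Constructed sample data: one user and a plain shared secret.
$secrets = ['alice' => 'constructed-secret'];
$seen    = [];
$good = wsseCreateToken('alice', 'constructed-secret');
$bad  = wsseCreateToken('alice', 'wrong-password');
var_dump(wsseValidate($good, $secrets, $seen)); // token made with the right password
var_dump(wsseValidate($bad, $secrets, $seen));  // token made with the wrong password
var_dump(wsseValidate($good, $secrets, $seen)); // same token presented a second time
```

Only the first call is accepted: the wrong-password token fails the `hash_equals` comparison, and the repeated token is rejected as a nonce replay.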