Note that the "usage" flag of the org.apache.ws.security.WSPasswordCallback instance passed into your callback handler implementation is set to WSPasswordCallback#USERNAME_TOKEN in the password digest case (since we need to supply the password to compute the digest) and in the plain text case it is set to WSPasswordCallback#USERNAME_TOKEN_UNKNOWN and the password received is *available* in the org.apache.ws.security.WSPasswordCallback instance to carry out authentication at the callback handler. Therefore you can do your validation here at your implementation of the callback handler.

Thanks,
Ruchith

On 7/25/07, Kevin TierOne <[EMAIL PROTECTED]> wrote:
> In the axis2 client, it looks like it is possible to configure password
> authentication with clear text passwords or a password digest. Like this:
>
> <passwordType>PasswordText</passwordType> or
>
> <passwordType>PasswordDigest</passwordType>
>
> On the Axis2 server, my inflow security is similar to rampart's sample02:
> <parameter name="InflowSecurity">
>   <action>
>     <items>UsernameToken Timestamp</items>
>     <passwordCallbackClass>myClass</passwordCallbackClass>
>   </action>
> </parameter>
>
> Is it possible to configure the server to require a Password Digest? It
> would be nice if I can configure the server to fail authentication if the
> password is sent in clear text.
>
> Thanks,
> Kevin
>

--
www.ruchith.org
www.wso2.org