Hi Glen

On Wed, Apr 7, 2010 at 6:25 PM, Glen Mazza <glen.ma...@gmail.com> wrote:

>> Glen,
>>
>> On Wed, Apr 7, 2010 at 5:12 PM, Glen Mazza <glen.ma...@gmail.com> wrote:
>>
>>> Sergey, be careful with your first reason--that of using the CallbackHandlers to *return* passwords, that's an old erroneous design apparently since fixed in WSS4J (https://issues.apache.org/jira/browse/WSS-183) that should not necessarily be used as a reason for doing what you're doing--that process should be taken out of CXF instead when it upgrades to the new WSS4J.
>>
>> I'm sorry but this does [not] sound convincing. You're kind of indicating that what is proposed is not good enough? But you have not said anything about the authorization. WSS4J is restricting with respect to digests at the moment but as I said, we're after the authorization here.
>
> All I'm saying is that if you're using the argument of "CXF requires passwords to be supplied in the CallbackHandlers!" as a reason for doing what you're doing, that's not valid anymore because that problem is fixed with the new WSS4J.

I guess I was not specific enough, hope my follow-up response made things clearer.

> I'm sure however there are plenty of other good reasons for doing what you're doing, it's just that that particular one should soon no longer be relevant. I was also mentioning this to you in case you were unaware of the problem and were thinking of a solution which involved the CallbackHandler continuing to serve its erroneous dual role (https://issues.apache.org/jira/browse/WSS-183, https://issues.apache.org/jira/browse/CXF-2150) of validating credentials for password text and providing credentials for password digest for some higher entity to validate.

I'm aware of this problem but it is an orthogonal one. Likewise not sure what you mean by a dual role. In this case a callback handler only requires a subclass to do the authentication.

>>> Actually, I think Metro does what you want--allows the option for container-managed authentication *without* the callbackhandler (http://www.jroller.com/gmazza/entry/metro_usernametoken_profile#MetroUT3). If you can repeat the same with CXF, great!
>>
>> I really don't follow why you refer to Metro, what is to do with the use of CXF?
>
> It was meant as a sanity check that whatever you are proposing is also being done by another web service stack. But I misunderstood what you were proposing, hence what I was saying above is not relevant. You're talking about authorization, not authentication. Never mind.

I'm talking about both authentication and authorization. I believe the proposed solution makes it easier to authorize, as I tried to clarify in the other email.

cheers, Sergey

> Glen
>
> --
> View this message in context: http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-tp28165583p28168187.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
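As an added illustration of the "dual role" Glen refers to (example code written for this page, not code from the thread, CXF or WSS4J): with the WSS4J 1.5-era WSPasswordCallback, a single handler validates the received password itself for PasswordText, but for PasswordDigest it must hand the stored password back so WSS4J can recompute the digest. The in-memory user map is an assumption standing in for a real credential store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** One handler, two contracts: validate for PasswordText, supply for PasswordDigest. */
public class UsernameTokenCallbackHandler implements CallbackHandler {

    // Assumed in-memory user store (username -> password); a deployment would
    // consult its identity provider here instead.
    private final Map<String, String> users;

    public UsernameTokenCallbackHandler(Map<String, String> users) {
        this.users = users;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = users.get(pc.getIdentifier());
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: WSS4J passes the received password in and
                    // expects this handler to validate it (role 1). Compare in
                    // constant time; a wrong password is a failed authentication.
                    String received = pc.getPassword();
                    if (stored == null || received == null
                            || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                                      received.getBytes(StandardCharsets.UTF_8))) {
                        throw new IOException("authentication failed for " + pc.getIdentifier());
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: the handler must *return* the stored password so
                    // WSS4J can recompute digest(nonce + created + password) and
                    // compare it with the token (role 2). Unknown user: leave it unset.
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }
}
```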