I asked a question out on the WSS4J site. I suspect that in real life (not in examples) the PasswordCallback is supposed to look up a password (hashed or not) for a user. Whose responsibility is it to check the password against the incoming request and throw a security exception if it fails? XFire's or WSS4J's?
Probably it's better to let WSS4J handle validation; you then have only a single point for the authentication process (and all security problems are reported in the same way). But in the case of a plain password and a complicated auth process you can do a small trick: check inside the password callback whether the action is UserToken and return the password given by the callback as the result, so WSS4J thinks the password is valid and passes it on to the result object. Then another XFire handler can validate the password.
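The two approaches from the reply above, written out as an added example (this is not code from the thread, from XFire or from WSS4J). It assumes the WSS4J 1.x contract for UsernameToken: the handler is called with usage USERNAME_TOKEN, sets the password it knows for the user (WSS4J 1.x exposes the user name through the misspelled accessor getIdentifer()), and WSS4J then compares it with the token, directly for PasswordText and through the nonce/created digest for PasswordDigest, throwing WSSecurityException on mismatch. The in-memory user store is constructed for the example, and the second handler assumes, as the reply does, that for a PasswordText token WSS4J passes the request's password into the callback.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Option 1 (recommended in the reply): let WSS4J do the comparison.
 * The handler only looks the password up; a user it does not know gets no
 * password set, which makes WSS4J fail authentication with its usual
 * WSSecurityException, so every failure is reported the same way.
 */
public class StoreBackedPasswordCallback implements CallbackHandler {

    // Constructed stand-in for a real user store. Note: PasswordDigest
    // verification recomputes SHA-1(nonce + created + password), so the
    // store must hold the cleartext password (or a reversible form);
    // a one-way hash is only usable with PasswordText plus your own check.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "correct horse battery staple");
        USERS.put("bob", "hunter2");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                // This handler serves UsernameToken only; key passwords for
                // signature/decryption would need their own branch.
                throw new UnsupportedCallbackException(pc, "Unsupported usage " + pc.getUsage());
            }
            String expected = USERS.get(pc.getIdentifer());
            if (expected != null) {
                pc.setPassword(expected);
            }
            // Unknown user: leave the password unset and let WSS4J reject.
            // Never echo pc.getPassword() back here; that accepts any password.
        }
    }
}

/**
 * Option 2 (the "small trick"): make WSS4J accept the token and defer the
 * real check to a later XFire handler. Only workable for PasswordText,
 * where the request's password is handed to the callback. Caveat: WSS4J now
 * reports success for every token, so if the downstream handler is missing
 * or mis-ordered, any password is accepted.
 */
class DeferredValidationPasswordCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN && pc.getPassword() != null) {
                // Plain-text token: echo the request's password so WSS4J's
                // comparison passes; the user name and password reach the
                // WSSecurityEngineResult for the next handler to validate.
                pc.setPassword(pc.getPassword());
            }
            // Digest token: no request password is available, so the trick
            // cannot apply; with no password set WSS4J rejects the token.
        }
    }
}
```

With the first handler, a wrong or unknown password never reaches application code: WSS4J throws and XFire turns that into the security fault. With the second, the handler that consumes the WSS4J results becomes the only place where the password is actually checked, so it must be mandatory on every secured endpoint.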
I set the password to "WRONG PASSWORD" inside my callback, yet the code continued to plunge through. I'm sure I'm missing something.
A wrong password should cause an exception to be thrown.
