The callback handler for Passwords is called for both the Plaintext
and the Digest scenarios.

However, it appears that only in the Digest scenario are the passwords
checked with one another.  This doesn't seem to be consistent.

If the password returned for plaintext authentication doesn't match
the password being sent in on the request,  shouldn't a

WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);

also be thrown?


I believe this is happening because of the following:

1.  The UsernameToken has:

protected boolean hashed = true;

so the default is that the CallbackHandler is called regardless of whether
it's Plaintext or Digest.

Second, this agrees with the specification of WSHandlerConstants, which
states that the default is PW_DIGEST.

Yet according to this documentation (line 173 on page 9), PW_TEXT
should be the default.
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

I realize that for WSS4J the desire is to have people use Digest
authentication by default, but this can cause confusion with people
who are new to WSS4J and sending requests in using plaintext over SSL
connections.

2.  The UsernameTokenProcessor only hits the callback if the
usernameToken is hashed.

Based on this it appears that the original intent was that the
CallbackHandler would only be for Digest passwords.

This would also seem to indicate that the CallbackHandler is not the
place to call a login module to verify that the user is authenticated.

To me, this is confusing.


This can probably be fixed by setting hashed = false and changing
the WSHandlerConstants docs, which would make it more consistent with
the OASIS docs.  But it seems like there is an opportunity to hook
into a login module here for security purposes.

Thanks,

Brian

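The check Brian is asking for, as an added example that is not WSS4J code and not part of the original message: a UsernameToken verifier that compares the presented credential against the password on record for both PasswordText and PasswordDigest, so a wrong plaintext password fails authentication exactly as a wrong digest does. The digest is computed as the OASIS UsernameToken Profile 1.0 defines it, Base64(SHA-1(nonce + created + password)) over the decoded nonce bytes. The `UsernameToken` dataclass, `FailedAuthentication` (standing in for WSSecurityException FAILED_AUTHENTICATION), `lookup_demo` (standing in for the password callback) and the `DEMO_USERS` credentials are all constructed for this example. It also goes one step beyond the thread by caching nonces, which the profile requires so that a captured digest cannot be replayed.

```python
"""
Added example (not WSS4J code): verify a WS-Security UsernameToken for BOTH
password types, so that a PasswordText mismatch is rejected just like a
PasswordDigest mismatch.

Digest as defined by the OASIS UsernameToken Profile 1.0:
    Password_Digest = Base64( SHA-1( nonce + created + password ) )
where 'nonce' is the raw (Base64-decoded) nonce bytes and 'created' is the
xsd:dateTime string exactly as it appears in the token.
"""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

WSSE_UT_PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0")
PASSWORD_TEXT = WSSE_UT_PROFILE + "#PasswordText"
PASSWORD_DIGEST = WSSE_UT_PROFILE + "#PasswordDigest"


class FailedAuthentication(Exception):
    """Stand-in for WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION)."""


@dataclass
class UsernameToken:
    username: str
    password: str              # PasswordText value, or the Base64 digest
    password_type: str         # PASSWORD_TEXT or PASSWORD_DIGEST
    nonce_b64: Optional[str] = None
    created: Optional[str] = None


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the profile."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_digest_token(username: str, password: str, nonce: bytes, created: str) -> UsernameToken:
    """Client side: build a PasswordDigest token (used here to produce sample input)."""
    return UsernameToken(username, password_digest(nonce, created, password),
                         PASSWORD_DIGEST, base64.b64encode(nonce).decode("ascii"), created)


def verify_username_token(token: UsernameToken,
                          lookup_password: Callable[[str], Optional[str]],
                          seen_nonces: Optional[Set[str]] = None) -> None:
    """Raise FailedAuthentication unless the token proves knowledge of the stored password.

    lookup_password plays the role of the password callback: it only returns the
    password on record (or None).  The comparison is done here, for both types.
    """
    stored = lookup_password(token.username)
    if stored is None:
        raise FailedAuthentication("unknown user")

    if token.password_type == PASSWORD_DIGEST:
        if not token.nonce_b64 or not token.created:
            raise FailedAuthentication("digest token without Nonce/Created")
        if seen_nonces is not None:
            # Profile requirement: a nonce may be accepted only once (anti-replay).
            if token.nonce_b64 in seen_nonces:
                raise FailedAuthentication("nonce replayed")
            seen_nonces.add(token.nonce_b64)
        try:
            nonce = base64.b64decode(token.nonce_b64, validate=True)
        except (binascii.Error, ValueError):
            raise FailedAuthentication("malformed nonce")
        expected = password_digest(nonce, token.created, stored)
        ok = hmac.compare_digest(expected.encode("utf-8"), token.password.encode("utf-8"))
    elif token.password_type == PASSWORD_TEXT:
        # Same check for plaintext: the value on the wire must equal the stored password.
        ok = hmac.compare_digest(stored.encode("utf-8"), token.password.encode("utf-8"))
    else:
        raise FailedAuthentication("unsupported password type: %s" % token.password_type)

    if not ok:
        raise FailedAuthentication("password mismatch")


def authenticate(token: UsernameToken, lookup_password, seen_nonces=None) -> bool:
    """Boolean wrapper around verify_username_token."""
    try:
        verify_username_token(token, lookup_password, seen_nonces)
        return True
    except FailedAuthentication:
        return False


# Constructed demo credential store (hypothetical user and password).
DEMO_USERS = {"alice": "s3cret-pw"}


def lookup_demo(username: str) -> Optional[str]:
    return DEMO_USERS.get(username)


def replay_demo() -> Tuple[bool, bool]:
    """Present the same digest token twice against one nonce cache: (first, second)."""
    seen: Set[str] = set()
    tok = make_digest_token("alice", "s3cret-pw", b"0123456789abcdef", "2004-01-01T00:00:00Z")
    return authenticate(tok, lookup_demo, seen), authenticate(tok, lookup_demo, seen)


if __name__ == "__main__":
    nonce, created = b"0123456789abcdef", "2004-01-01T00:00:00Z"
    print("digest ok :", authenticate(make_digest_token("alice", "s3cret-pw", nonce, created), lookup_demo))
    print("digest bad:", authenticate(make_digest_token("alice", "wrong", nonce, created), lookup_demo))
    print("text ok   :", authenticate(UsernameToken("alice", "s3cret-pw", PASSWORD_TEXT), lookup_demo))
    print("text bad  :", authenticate(UsernameToken("alice", "wrong", PASSWORD_TEXT), lookup_demo))
    print("replay    :", replay_demo())
```

The point of the split between `lookup_password` and `verify_username_token` is the one the thread raises: the callback only supplies the password on record, and the processor owns the comparison, so a mismatch in the plaintext path cannot be silently ignored. If the callback is instead meant to consult a login module and decide for itself, the plaintext branch still has to treat "callback did not confirm" as FAILED_AUTHENTICATION rather than falling through.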