Hi Lee,

IMHO you have to stick to the plain text password. And to make it
effective you will have to use a secure transport (HTTPS) or encrypt
the UsernameToken header.

WSS4J does not carry out any authentication in the case of the plain
text password in a UsernameToken. It allows you to authenticate
the user using the mechanisms available as you described. This can be
done by a handler after the WSDoAllReceiver or at the service.

Thanks,
Ruchith

On 7/10/06, Lee Breisacher <[EMAIL PROTECTED]> wrote:
I have a system configuration that doesn't seem to fit into the wss4j
password-verification mechanism.  I'm on the server side and I do not
have direct access to passwords, so I cannot write a password
CallbackHandler that fills in the password for a given user id. Rather I
have programmatic access to a name/password-verification system -- I
pass in a name/password pair and it answers "valid" or "not valid" (I'm
oversimplifying, but that's the basic idea).

I've managed to make it work when I use PasswordText (plain text
passwords) because in that case the WSPasswordCallback object includes
the plain text password. But in the case where the password is digested,
the WSPasswordCallback object does not include the password (digested or
otherwise).

So, does anyone have a suggestion for how to best utilize wss4j in this
situation?

Thanks,

Lee

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
www.ruchith.org
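An added illustration, not part of the original thread and not WSS4J code, of why a verify-only back end can check a PasswordText token but not a PasswordDigest one. The digest formula is the one from the WS-Security UsernameToken Profile; `VerifyOnlyBackend`, `authenticate`, the token dict layout and all sample values are hypothetical.

```python
import base64, hashlib, hmac, os

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class VerifyOnlyBackend:
    """Hypothetical back end: stores salted hashes, answers valid / not valid."""
    def __init__(self, users):
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, self._kdf(pw, salt))

    @staticmethod
    def _kdf(password, salt):
        # Iteration count kept low for the demo only.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def verify(self, name, password):
        salt, stored = self._db.get(name, (b"\0" * 16, b""))
        return hmac.compare_digest(self._kdf(password, salt), stored)

def authenticate(token, backend):
    """Server-side check of a parsed UsernameToken (dict layout is assumed)."""
    if token["type"] == "PasswordText":
        return backend.verify(token["username"], token["password"])
    # Checking a digest means recomputing it from the cleartext password,
    # which a verify-only back end never hands out.
    raise ValueError("PasswordDigest needs the stored cleartext password")

def check_digest_with_cleartext(token, known_password):
    """What a server that does hold the cleartext password would do."""
    expected = password_digest(token["nonce"], token["created"], known_password)
    return hmac.compare_digest(expected, token["password"])

# Constructed sample data (not from the thread).
BACKEND = VerifyOnlyBackend({"lee": "s3cret-example"})
NONCE = base64.b64encode(b"constructed-nonce").decode()
CREATED = "2006-07-10T12:00:00Z"
TEXT_TOKEN = {"type": "PasswordText", "username": "lee",
              "password": "s3cret-example"}
DIGEST_TOKEN = {"type": "PasswordDigest", "username": "lee", "nonce": NONCE,
                "created": CREATED,
                "password": password_digest(NONCE, CREATED, "s3cret-example")}
```

Passing the digest value itself to `BACKEND.verify` fails as well, because the back end hashes whatever it receives as if it were the password.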
