This seems like the kind of thing that should be do-able. Can I submit a bug report/feature request to support this style of authentication? How active is wss4j development - what are the chances of this being implemented?

Thanks,
Lee

> -----Original Message-----
> From: Ruchith Fernando [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 11, 2006 3:11 AM
> To: Lee Breisacher
> Cc: [email protected]
> Subject: Re: alternative password verification
>
> Hi Lee,
>
> IMHO you have to stick to plain text password. And to make it
> effective you will have to use a secure transport (HTTPS) or
> encrypt the UsernameToken header.
>
> WSS4J does not carry out any authentication in the case of the
> plain text password in a UsernameToken. It allows you to
> authenticate the user using the mechanisms available as you
> described. This can be done by a handler after the
> WSDoAllReceiver or at the service.
>
> Thanks,
> Ruchith
>
> On 7/10/06, Lee Breisacher <[EMAIL PROTECTED]> wrote:
> > I have a system configuration that doesn't seem to fit into the wss4j
> > password-verification mechanism. I'm on the server side and I do not
> > have direct access to passwords, so I cannot write a password
> > CallbackHandler that fills in the password for a given user id. Rather
> > I have programmatic access to a name/password-verification system -- I
> > pass in a name/password pair and it answers "valid" or "not valid"
> > (I'm oversimplifying, but that's the basic idea).
> >
> > I've managed to make it work when I use PasswordText (plain text
> > passwords) because in that case the WSPasswordCallback object includes
> > the plain text password. But in the case where the password is
> > digested, the WSPasswordCallback object does not include the password
> > (digested or otherwise).
> >
> > So, does anyone have a suggestion for how to best utilize wss4j in
> > this situation?
> >
> > Thanks,
> >
> > Lee
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> www.ruchith.org
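
Added example, not part of the original thread and not WSS4J code: a Python sketch of why the situation discussed above works for PasswordText but not for PasswordDigest. It uses the UsernameToken Profile digest formula, Base64(SHA-1(nonce + created + password)); `VerifyOnlyBackend`, the user name, the password, the nonce and the timestamp are all constructed assumptions standing in for a name/password verification system that never reveals passwords.

```python
import base64, hashlib, hmac, os

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class VerifyOnlyBackend:
    """Hypothetical verification system: answers valid / not valid only.
    It stores salted hashes, so no cleartext password can be read back."""
    ITER = 10_000
    def __init__(self):
        self._db = {}
    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITER)
    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, self._hash(password, salt))
    def verify(self, user: str, password: str) -> bool:
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(self._hash(password, salt), stored)

def check_password_text(backend, user: str, password_text: str) -> bool:
    # PasswordText: the token carries the cleartext, so a handler placed
    # after the WS-Security receiver can forward it to the backend.
    return backend.verify(user, password_text)

def check_password_digest(cleartext: str, nonce_b64: str, created: str,
                          received: str) -> bool:
    # PasswordDigest: the receiver must recompute the digest itself,
    # which is only possible if it holds the cleartext password.
    expected = password_digest(nonce_b64, created, cleartext)
    return hmac.compare_digest(expected, received)

def demo() -> dict:
    backend = VerifyOnlyBackend()
    backend.enroll("lee", "s3cret-constructed")            # constructed sample
    nonce = base64.b64encode(b"0123456789abcdef").decode()  # constructed nonce
    created = "2006-07-11T03:11:00Z"                        # constructed time
    digest = password_digest(nonce, created, "s3cret-constructed")
    return {
        "text_valid": check_password_text(backend, "lee", "s3cret-constructed"),
        "text_wrong": check_password_text(backend, "lee", "wrong"),
        "digest_with_cleartext": check_password_digest(
            "s3cret-constructed", nonce, created, digest),
        # Handing the digest to a verify-only backend cannot succeed:
        "digest_via_backend": backend.verify("lee", digest),
    }
```

Because PasswordText sends the cleartext in the header, it needs the transport or header protection mentioned in the reply above.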
