Hi,

Microsoft offers a third way to send a password in a SOAP request, "SENDNONE", that actually doesn't send the password at all... This is a valid choice if you are also signing the request.

The idea behind this scenario is: if I'm signing the request with a key generated using the password and other data on the client, I don't need to send the password with the message, because the server has the shared secret and so can control the signature using it... if the signature is valid, the password is valid too.

It would be very simple to implement this in wss4j because, actually, the only step required at the client side is to remove the password tag from the request... On the server side, instead, we would have to skip the password check, because the signature verification would also tell us if the password used is the right one.

bye
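The exchange described in the message above, as an added example that is not part of the original post and is not wss4j or WSE code. The key derivation (HMAC-SHA256 over nonce and timestamp), the field names and the credential store are assumptions made for illustration; the nonce replay cache is an addition the message does not discuss.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

# Constructed server-side store of shared secrets (hypothetical data).
SERVER_PASSWORDS = {"alice": "correct horse battery staple"}

def derive_key(password: str, nonce: bytes, created: str) -> bytes:
    # Illustrative derivation only: key = HMAC(password, nonce || created).
    return hmac.new(password.encode(), nonce + created.encode(), hashlib.sha256).digest()

def signed_bytes(username: str, nonce: bytes, created: str, body: str) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [username.encode(), nonce, created.encode(), body.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def client_build_request(username: str, password: str, body: str) -> dict:
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    key = derive_key(password, nonce, created)
    sig = hmac.new(key, signed_bytes(username, nonce, created, body), hashlib.sha256).digest()
    # "Send none": the request carries no password element at all.
    return {"username": username, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "body": body,
            "signature": base64.b64encode(sig).decode()}

def server_verify(req: dict, seen_nonces: set) -> bool:
    password = SERVER_PASSWORDS.get(req["username"])
    if password is None:
        return False
    nonce = base64.b64decode(req["nonce"])
    if nonce in seen_nonces:          # a captured request must not verify twice
        return False
    # Re-derive the key from the stored secret; no separate password check.
    key = derive_key(password, nonce, req["created"])
    expected = hmac.new(key, signed_bytes(req["username"], nonce, req["created"],
                                          req["body"]), hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, base64.b64decode(req["signature"]))
    if ok:
        seen_nonces.add(nonce)
    return ok

if __name__ == "__main__":
    seen = set()
    good = client_build_request("alice", "correct horse battery staple", "<GetBalance/>")
    print("valid password:", server_verify(good, seen))
    bad = client_build_request("alice", "wrong password", "<GetBalance/>")
    print("wrong password:", server_verify(bad, seen))
```

A valid signature proves knowledge of the password only because the key is derived from it, so the server needs the shared secret in a form it can derive from, not a one-way hash of it.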
