Hello,

I'm a bit new to WSS4J and I'm sure this question has already been asked in
the past, but I haven't seen any clear answer yet, so I hope you'll help
me:

We'd like to secure our Web Service using WSS4J against our LDAP Directory.
From what I read about WSS4J, each part (client and server side) has to
implement a CallbackHandler that provides a username / password pair. Then
some comparisons are performed on those tokens to see if client and server
match. How can we do that with LDAP?

Let me take this example to explain: In LDAP we have user Bob with password
BobPwd. This BobPwd is stored in LDAP as something like
{SSHA}9849840sd984a0d... So, on the server side, I can't get the original
password and therefore I have no way to make the comparison. The only solution
would be that the client provides the SHA encrypted password, but I find it not a
very pleasant workaround and I feel I'm missing something...

QUESTION 1 : Which class is responsible for comparing client and server
tokens in WSS4J ?

QUESTION 2 : What is the best way to secure a Web service against LDAP
knowing that LDAP passwords are SHA encoded using a salt that we can't know ?

QUESTION 3 : I saw that Spring-WS provides an implementation to secure a
Webservice against LDAP (
http://www.techinfopad.com/spring/101202782-using-roles-in-ldap-with-springws.html).
How do they do that ?

Thank you very much for your help !

Jose
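
An added example, not part of the original post and not WSS4J code: in the {SSHA} scheme the salt is stored after the 20-byte SHA-1 digest inside the base64 value, so a server that receives the clear-text password can recompute the hash and compare it with the stored one. The class and method names are hypothetical and the sample salt is constructed; it assumes the client sends the password as text over a protected transport rather than as a UsernameToken digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/** Added example (hypothetical class): checks a clear-text password against an LDAP {SSHA} value. */
public class SshaCheck {
    private static final String PREFIX = "{SSHA}";
    private static final int SHA1_LEN = 20; // SHA-1 digest size in bytes

    /** Builds an {SSHA} value: base64(SHA-1(password + salt) + salt). */
    static String encode(String password, byte[] salt) throws NoSuchAlgorithmException {
        byte[] digest = sha1(password, salt);
        byte[] blob = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, blob, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(blob);
    }

    /** Returns true when the candidate password matches the stored value. */
    static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        if (stored == null || !stored.startsWith(PREFIX)) return false;
        byte[] blob;
        try {
            blob = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // value after the prefix is not valid base64
        }
        if (blob.length <= SHA1_LEN) return false; // digest only, no salt
        byte[] expected = Arrays.copyOfRange(blob, 0, SHA1_LEN);
        byte[] salt = Arrays.copyOfRange(blob, SHA1_LEN, blob.length);
        // MessageDigest.isEqual compares the digests in constant time.
        return MessageDigest.isEqual(expected, sha1(candidate, salt));
    }

    private static byte[] sha1(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        return md.digest();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the post's BobPwd with a made-up 4-byte salt.
        String stored = encode("BobPwd", new byte[] {0x01, 0x23, 0x45, 0x67});
        System.out.println(stored);
        System.out.println("BobPwd matches:   " + verify("BobPwd", stored));
        System.out.println("WrongPwd matches: " + verify("WrongPwd", stored));
    }
}
```

A UsernameToken password digest is computed over the nonce, the creation time and the clear-text password, so a server that holds only the {SSHA} value cannot validate that form.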
