Hello,

I'm a bit new to WSS4J and I'm sure this question has already been asked in the past, but I haven't seen any clear answer yet, so I hope you'll help me.

We'd like to secure our Web Service using WSS4J against our LDAP Directory. From what I read about WSS4J, each part (client and server side) has to implement a CallbackHandler that provides a username / password pair. Then some comparisons are performed on those tokens to see if client and server match. How can we do that with LDAP?

Let me take this example to explain: in LDAP we have user Bob with password BobPwd. This BobPwd is stored in LDAP as something like {SSHA}9849840sd984a0d... So, on the server side, I can't get the original password and therefore I have no way to make the comparison. The only solution would be that the client provides the SHA encrypted password, but I find it not a very pleasant workaround and I feel I'm missing something...

QUESTION 1: Which class is responsible for comparing client and server tokens in WSS4J?

QUESTION 2: What is the best way to secure a Web service against LDAP knowing that LDAP passwords are SHA encoded using a salt that we can't know?

QUESTION 3: I saw that Spring-WS provides an implementation to secure a Web service against LDAP ( http://www.techinfopad.com/spring/101202782-using-roles-in-ldap-with-springws.html ). How do they do that?

Thank you very much for your help!

Jose