passwords should (almost) always be stored in a non-reversible hash (MD5,
SHA-1, etc) - you'll certainly need to know the algorithm if you're going to
duplicate the plain-text->hash-value to compare, but it sounds like you won't
have the plaintext password (which is good from a security point of view) so
you'll want to consider a "single-sign-on" approach.  I'm not 100% savvy on
LDAP beyond the basic JNDI-centric view (it's a tree of HashMaps of name-value
pairs with paths) but I'm certain there are single-sign-on approaches that
fully leverage LDAP that you'll want to at least consider.
Well, that is what I'm trying to do here... a single sign-on solution. I want to log on at the servlet, and that calls a web service as the logged-on user. I thought this was possible with WSS4J, though I guess I am running into trouble here.
Thx for the help!
Michael

for my authentication I actually use digitally signed messages - the client
application specifies the user and includes the uid and a canned password as a
digest in the request, but then the whole SOAP Body + UsernameToken is signed
using the client's private key which I verify on the server.  I left those
bits out of the server-config.wsdd to keep the email sizes down.

..............ron.

Ok... I guess I misunderstood your text. So I might be able to avoid
needing the plaintext pw in the service. How can I nevertheless use
encrypted passwords? What kind of passwords are you using? The problem
is that I don't know how the pw in LDAP was encrypted.
Thx for your help!
Michael
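Ron's "canned password as a digest" and Michael's question about the hashed password in LDAP, as an added example (not code from this thread or from WSS4J): it computes the WS-Security UsernameToken PasswordDigest, Base64(SHA-1(nonce + Created + password)), and verifies it on the server side, showing that verification only works when the server can hand back exactly the secret the client digested; the user name, password and directory contents are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest as defined by the WS-Security UsernameToken Profile:
    Base64(SHA-1(decoded nonce bytes + Created string + password))."""
    data = (base64.b64decode(nonce_b64)
            + created.encode("utf-8")
            + password.encode("utf-8"))
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(username: str, password: str,
                         nonce_b64: str = None, created: str = None) -> dict:
    """Client side: the fields a UsernameToken with Type=PasswordDigest carries."""
    if nonce_b64 is None:
        nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


def verify_username_token(token: dict, lookup_secret) -> bool:
    """Server side: recompute the digest from whatever the directory holds for
    this user and compare in constant time. A nonce/Created replay cache is
    left out here; a real verifier needs one."""
    secret = lookup_secret(token["Username"])
    if secret is None:
        return False
    expected = password_digest(token["Nonce"], token["Created"], secret)
    return hmac.compare_digest(expected, token["PasswordDigest"])


# Constructed sample directories (hypothetical user and password).
PLAINTEXT_DIRECTORY = {"michael": "s3cret-pw"}
# The same password stored the way an LDAP userPassword attribute often is:
# "{SHA}" + Base64(SHA-1(password)), i.e. one-way and not recoverable.
HASHED_DIRECTORY = {"michael": "{SHA}" + base64.b64encode(
    hashlib.sha1(b"s3cret-pw").digest()).decode("ascii")}


def demo() -> tuple:
    token = build_username_token("michael", "s3cret-pw")
    ok_plain = verify_username_token(token, PLAINTEXT_DIRECTORY.get)
    # With only the one-way hash on hand the server cannot rebuild the digest.
    ok_hashed = verify_username_token(token, HASHED_DIRECTORY.get)
    return ok_plain, ok_hashed  # (True, False)
```

The second result is the situation in the thread: a directory that stores only a non-reversible hash cannot validate a PasswordDigest computed over the plaintext, so the secret on both ends has to be the same value, or authentication has to rest on something else (Ron's signature over Body + UsernameToken).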