Hi Jason,

> According to the CallbackHandler javadoc (
> http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#CallbackHandler),
> the CallbackHandler should collect password information from an external
> source (LDAP, database) and set it on the Callback. However, in this example (
> http://wso2.org/library/3190), the PWCBHandler decides whether the
> password is correct or not directly, which should be performed by
> the LoginModule.


The thing is, in WSS4J we don't use JAAS for authentication, thus there is
no LoginModule involved. Rampart uses WSS4J processors to process the security
header; there is a processor called UsernameTokenProcessor which processes
the username tokens in the security header. AFAIK this is a design decision
made by WSS4J.

thanks,
nandana
