Hi Pawel, please see the documentation for the handleUsernameToken method:
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/processor/UsernameTokenProcessor.html#handleUsernameToken(org.w3c.dom.Element,%20javax.security.auth.callback.CallbackHandler)

namely "If the password is of type password text or any other yet unknown password type the delegate the password validation to the callback class."

Thanks,
Colm.

-----Original Message-----
From: Pawel Janusz [mailto:[EMAIL PROTECTED]
Sent: 15 January 2008 22:34
To: [email protected]
Subject: Security Problem

Hello,

I met a problem with security. I want to use it in my WS. Here is my endpoint configuration:

    <jaxws:endpoint id="SD_Users" implementor="SD.services.Users" address="/SD_Users">
      <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
          <property name="properties">
            <map>
              <entry key="action" value="UsernameToken"/>
              <entry key="passwordCallbackClass" value="SD.util.Secure"/>
              <entry key="passwordType" value="PasswordText"/>
            </map>
          </property>
        </bean>
      </jaxws:inInterceptors>
    </jaxws:endpoint>

and this is my callback:

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;

    public class Secure implements CallbackHandler {
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            if (pc.getIdentifer().equals("joe")) {
                // set the password on the callback. This will be compared to the
                // password which was sent from the client.
                pc.setPassword("password");
            }
        }
    }

The problem is that the method from the WS is invoked even if I pass user 'aaa' without a password. What am I doing wrong?

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
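The following is an added example, not code from this thread or from the WSS4J or CXF projects: a callback that performs the PasswordText validation which the quoted documentation says is delegated to the callback class. It assumes WSS4J 1.5.x on the classpath; the class name ValidatingSecure, the in-memory USERS map and the input built in main are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler name; not the class from the original post.
public class ValidatingSecure implements CallbackHandler {
    // Constructed sample credential store (assumption); replace with a real user store.
    private static final Map<String, String> USERS = Map.of("joe", "password");

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = USERS.get(pc.getIdentifer());
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // PasswordText: WSS4J passes in the received password and does no
                // comparison of its own, so returning normally means "accepted".
                String received = pc.getPassword();
                if (expected == null || received == null || !sameValue(expected, received)) {
                    throw new IOException("UsernameToken authentication failed");
                }
            } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN && expected != null) {
                // PasswordDigest: supply the stored password; WSS4J compares the digest.
                pc.setPassword(expected);
            }
        }
    }

    // Compare via MessageDigest.isEqual rather than String.equals.
    private static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed input mirroring the report: user 'aaa' sent without a password.
        WSPasswordCallback pc = new WSPasswordCallback("aaa", null, null,
                WSPasswordCallback.USERNAME_TOKEN_UNKNOWN);
        try {
            new ValidatingSecure().handle(new Callback[] { pc });
            System.out.println("accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the endpoint configuration above, this class would be named in the passwordCallbackClass entry in place of SD.util.Secure.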
