I have a few questions about making SOAP requests with UsernameToken
and digesting the password...

1) I'm noticing oddness with UsernameToken.PASSWORD_TYPE for plaintext
settings. When I send a plaintext password (which I wouldn't do in
production but was curious about during testing), the server-side
callback is never called, and when I use PASSWORD_TEXT, it appears to
be digesting the password anyways.
Here is the password element for different WSConstant options...
PW_TEXT - plaintext as expected however the server-side callback is
never invoked
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">foobar</wsse:Password>
PASSWORD_TEXT - digested (?) and the server-side callback is invoked as expected
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">qr2hT5xdCCV37glCuJM8MZEJhFY=</wsse:Password>
PW_DIGEST - digested & server-side callback is invoked
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">7AGZUKoGAOGxOfqK+02GkpC61wg=</wsse:Password>
PASSWORD_DIGEST - digested & server-side callback is invoked
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">X2JR4BCOsqK5L4k7qXEQs3WWfzg=</wsse:Password>

2) On the server side, I want to compare the UsernameToken against
values stored in a database. So I can use getIdentifier() to look up
the password and call setPassword() with what I pull out of the
database. However, our passwords are already hashed before they are
stored in the database. How can I have WSS4J compare the passwords in
this situation? Or, if there is no built-in way, what classes do I
need to tinker with to allow this to work?

thx
andy
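For reference, the PasswordDigest computation from the UsernameToken Profile 1.0 together with a server-side verification routine, as an added example that is not code from the original post or from WSS4J; the nonce, timestamp, replay cache and the SHA-256 "hashed in the database" value are constructed assumptions. It also shows the core of question 2: recomputing the digest needs the same clear-text password the client used, so a one-way hash stored in the database cannot reproduce it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# UsernameToken Profile 1.0, PasswordDigest:
#   Password_Digest = Base64( SHA-1( nonce + created + password ) )
# 'nonce' is the Base64-decoded nonce bytes and 'created' is the
# <wsu:Created> xsd:dateTime string used byte-for-byte as it was sent.

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    nonce = base64.b64decode(nonce_b64)
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def verify_digest(nonce_b64: str, created: str, received: str,
                  stored_password: str, now: datetime, seen_nonces: set,
                  max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Server-side check: reject stale or replayed tokens, then compare
    the recomputed digest in constant time. The recomputation needs the
    clear-text password; a one-way hash of it cannot reproduce the digest."""
    created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
    if abs(now - created_dt) > max_skew:
        return False
    if nonce_b64 in seen_nonces:  # replay inside the freshness window
        return False
    expected = password_digest(nonce_b64, created, stored_password)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    seen_nonces.add(nonce_b64)
    return True

# Constructed sample values (not taken from the original post).
NONCE_B64 = base64.b64encode(b"0123456789abcdef").decode("ascii")
CREATED = "2024-05-01T12:00:00Z"
PASSWORD = "foobar"
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)

def demo() -> dict:
    digest = password_digest(NONCE_B64, CREATED, PASSWORD)   # what the client sends
    cache = set()
    ok = verify_digest(NONCE_B64, CREATED, digest, PASSWORD, NOW, cache)
    replay = verify_digest(NONCE_B64, CREATED, digest, PASSWORD, NOW, cache)
    hashed_in_db = hashlib.sha256(PASSWORD.encode()).hexdigest()  # assumed DB scheme
    with_hash = verify_digest(NONCE_B64, CREATED, digest, hashed_in_db, NOW, set())
    return {"digest": digest, "valid": ok, "replay": replay, "hashed_db": with_hash}

if __name__ == "__main__":
    print(demo())
```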
