In the org.apache.ws.security.WSPasswordCallback class [1] I've got two questions:

1) Why are there two different usages for DECRYPT and SIGNATURE? In all the usage I've had they both do the same, that is, get the password for a given alias in a keystore so that WSS4J can access the private key. I have not seen a scenario where I would want to sign with one key and decrypt with another, and where they had to have the same alias (I could just change that if it was important).

So with my 5 cents I would say that the callback should know nothing about it; it should do general things like:

* give me the password for this username (avoiding the discussion about password text/digest)
* give me the password for this alias in a keystore
* give me a key for this identifier

Am I missing a point here?

2) How does the UNKNOWN ever come into play? Is it not more like an exceptional state?

Brgds
Brian

[1] http://cvs.apache.org/viewcvs.cgi/ws-fx/wss4j/src/org/apache/ws/security/WSPasswordCallback.java?view=markup
