[ https://issues.apache.org/jira/browse/KARAF-4520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Freeman Fang resolved KARAF-4520.
---------------------------------
    Resolution: Fixed
    Fix Version/s: 4.0.6
                   4.1.0

need some last change in CXF, so use SNAPSHOT version of CXF, both CXF and WSS4J dependencies are optional and this module is not in the default KARAF JAAS realm, only if customers need this module they can activate it

commit fix
http://git-wip-us.apache.org/repos/asf/karaf/commit/a2bb5736 for karaf-4.0.x branch
http://git-wip-us.apache.org/repos/asf/karaf/commit/a833dc15 for master

> Add DigestPasswordLoginModule so PasswordDigest can work with Karaf JAAS realm
> -------------------------------------------------------------------------------
>
>                 Key: KARAF-4520
>                 URL: https://issues.apache.org/jira/browse/KARAF-4520
>             Project: Karaf
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Freeman Fang
>             Fix For: 4.1.0, 4.0.6
>
>
> So far the assumption with JAAS login modules is that the password is to be
> compared "as is". However, per the ws-security spec, the PasswordDigest for
> UsernameToken is "the concatenation of the nonce plus the creation time plus
> the password. The nonce is 16 bytes long and is passed along as a base64
> encoded value. The way this works is that the client creates the password
> hash using all of this information plus the password". So the PasswordDigest
> would change per each invocation, so we can't simply store the passwords in a
> digest form in the properties file.
> The way to make it work, I think we need a DigestPasswordLoginModule which
> uses a customized checkPassword method where we can compare the stored password
> and the digest password from PasswordCallback (we may need to take a close look
> at how this part is implemented in WSS4J for digest password comparing)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
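
The digest comparison the issue description asks for, as an added example that is not part of the original message and is not the Karaf or WSS4J code: it uses the WS-Security UsernameToken Profile formula Base64(SHA-1(nonce + created + password)) with JDK classes only. The class name, the `checkPassword` signature and the sample password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

public class PasswordDigestCheck {
    // UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password))
    static String digest(byte[] nonce, String created, String password)
            throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce); // raw nonce bytes, not the Base64 text
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Hypothetical checkPassword: recompute the digest from the stored
    // clear-text password and compare it with the one the client sent.
    static boolean checkPassword(String storedPassword, String nonceB64,
            String created, String receivedDigest) throws NoSuchAlgorithmException {
        byte[] nonce;
        try {
            nonce = Base64.getDecoder().decode(nonceB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 nonce: reject, do not throw
        }
        String expected = digest(nonce, created, storedPassword);
        return MessageDigest.isEqual( // constant-time comparison of the two digests
                expected.getBytes(StandardCharsets.US_ASCII),
                receivedDigest.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String stored = "example-password"; // constructed sample value
        SecureRandom rng = new SecureRandom();
        for (int i = 0; i < 2; i++) { // two logins, same password
            byte[] nonce = new byte[16];
            rng.nextBytes(nonce);
            String nonceB64 = Base64.getEncoder().encodeToString(nonce);
            String created = Instant.now().toString();
            String sent = digest(nonce, created, stored); // client side
            System.out.println(sent
                    + " accepted=" + checkPassword(stored, nonceB64, created, sent)
                    + " wrongPassword=" + checkPassword("other", nonceB64, created, sent));
        }
    }
}
```

Each iteration prints a different digest for the same password, which is why a digest stored in the properties file could never match and the module has to start from the clear-text password. A deployed check would also reject stale creation times and repeated nonces, which this example omits.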