WSS4J 1.6.x deprecated the use of WSPasswordCallback.USERNAME_TOKEN_UNKNOWN (http://coheigea.blogspot.com/2011/02/usernametoken-processing-changes-in.html), which was one of the methods to validate the plain text passwords on the server side (@see Rampart Policy Sample01). Now, because of the deprecation, it does not seem to be possible to validate a plaintext password, especially when the server-side callback handler does not have access to the plain text password to validate against the password on the incoming request. It seems like CXF has a way to plug in custom validators for WSS4J 1.6.x to support this model (http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html).
I would appreciate any thoughts from the community. Maybe I am missing something.

Thanks,
Sumit
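
The custom-validator model mentioned in the message, sketched as an added example that is not part of the original post and is not Rampart or CXF code: a WSS4J 1.6 `UsernameTokenValidator` subclass that checks a PasswordText token against a stored salted hash, so the server never needs the plaintext. `HashedPasswordValidator`, `StoredHash` and `HashStore` are hypothetical names, and the choice of PBKDF2 is an assumption about how the server stores passwords.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

public class HashedPasswordValidator extends UsernameTokenValidator {

    /** Hypothetical record of what the server keeps per user instead of the plaintext. */
    public static final class StoredHash {
        final byte[] salt; final int iterations; final byte[] hash;
        public StoredHash(byte[] salt, int iterations, byte[] hash) {
            this.salt = salt; this.iterations = iterations; this.hash = hash;
        }
    }

    /** Hypothetical credential lookup; returns null for an unknown user. */
    public interface HashStore { StoredHash find(String username); }

    private final HashStore store;

    public HashedPasswordValidator(HashStore store) { this.store = store; }

    // Called by the inherited validate() for PasswordText tokens, so no
    // CallbackHandler is asked to supply a plaintext password.
    @Override
    protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData data)
            throws WSSecurityException {
        String supplied = usernameToken.getPassword();
        StoredHash stored = store.find(usernameToken.getName());
        if (supplied == null || stored == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        byte[] candidate;
        try {
            // Re-derive the hash from the supplied password with the stored salt and cost.
            PBEKeySpec spec = new PBEKeySpec(supplied.toCharArray(), stored.salt,
                    stored.iterations, stored.hash.length * 8);
            candidate = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // Compare without short-circuiting on the first differing byte.
        if (!MessageDigest.isEqual(candidate, stored.hash)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }
}
```

It compiles against WSS4J 1.6.x on the classpath. In CXF an instance can be registered through the `ws-security.ut.validator` property; whether Rampart exposes an equivalent hook is the open question in the message.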