
It's written that whenever the Rampart engine needs a password to create a username
token, it will create a WSPasswordCallback instance, set
the appropriate identifier which it extracts from the parameter of the
Rampart configuration, and pass it to the password callback class via the handle
method. But as you see, I've used policy-based configuration!
So I've got a few questions to see if I have understood all that:


1. The Rampart engine extracts the appropriate username - <wsse:Username>bob</wsse:Username>
2. After it extracts it, it passes it to our PWCBHandler class via the handle method.
3. Our handle method sets the appropriate password if the username is correct.
4. And the most important - as I have to consume my web
service from JavaScript, at the end I have provided my SOAP request.

But
as you see, I provide both the username and the password, and I can't see where
the security is, as everyone can see my username and password.

Is this right? How can I make it more secure? Can I add the password callback
class instead?

 
Here is my policy:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="UTOverTransport">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:passwordCallbackClass>tan.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Here is my code for the password callback class:

package tan;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            // When the server side needs to authenticate the user:
            // Rampart hands us the username as the identifier and we supply the password it should expect.
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            if (pwcb.getIdentifier().equals("bob")) {
                pwcb.setPassword("bobPW");
            }
        }
    }
}


Here is my SOAP request from JavaScript:

var req = "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
  "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:tan=\"http://tan\">" +
  "<soapenv:Header>" +
  "<wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" soapenv:mustUnderstand=\"1\">" +
  "<wsse:UsernameToken xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" wsu:Id=\"123\">" +
  "<wsse:Username>bob</wsse:Username>" +
  "<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">bobPW</wsse:Password>" +
  "</wsse:UsernameToken>" +
  "</wsse:Security>" +
  "</soapenv:Header>" +
  "<soapenv:Body>" +
  "<tan:testws><tan:x>ECHOO</tan:x></tan:testws>" +
  "</soapenv:Body>" +
  "</soapenv:Envelope>";
