Thank you for your answer, but as my .NET project is more serious I don't have 
time to read and override.
 
So I want to ask just that - I have posted this as another question, and I hope I 
will not bother you with my questions any more.
I want to ask - as in this case the Rampart engine will set the password only 
if the username is correct, can I do this:
1. I store in a database the hashed value of the "bob" username and the salt.
In my PWCBHandler.java class:
• I get the stored password and hash
• I hash pwcb.getIdentifier() with the same hash function
• check if this hashed username is equal to the stored username
if so - I set the password to bobPW
But there is one problem - in the following SOAP request from 
JavaScript, everyone with a simple view source can view the plain-text 
username and password. Can I change that? What would you recommend?
"<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
"<soapenv:Envelope " +
"xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
"xmlns:nlo=\"http://nlo\">" +
"<soapenv:Header>" +
'<wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" soapenv:mustUnderstand="1">' +
'<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
'<wsse:Username>bob</wsse:Username>' +
'<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
'</wsse:UsernameToken>' +
'</wsse:Security>' +
"</soapenv:Header>" +
"<soapenv:Body>" +
"<nlo:getdataForChecking>" +
'<nlo:data>' + tranXml + '</nlo:data>' +
' </nlo:getdataForChecking>' +
'</soapenv:Body>' +
'</soapenv:Envelope>';
 

________________________________
 From: robert lazarski <robertlazar...@gmail.com>
To: java-user@axis.apache.org; Tania Marinova <taniamm2...@yahoo.com> 
Sent: Saturday, May 11, 2013 9:06 PM
Subject: Re: why WSPasswordCallback.getPassword is null when I try my soap 
request
  

On Fri, May 10, 2013 at 4:26 AM, Tania Marinova <taniamm2...@yahoo.com> wrote:
> Hi thank you!
>
> So the callback  number is 0 (sorry for forgetting
>
> the usage is really 'Username_Token';
>

From what I gather, the WSPasswordCallback went thru major changes
recently and WSPasswordCallback.USERNAME_TOKEN_UNKNOWN is no longer an
option. You probably are running WSS4J 1.6, please confirm the jar
version.

http://coheigea.blogspot.com.br/2011/02/usernametoken-processing-changes-in.html

http://coheigea.blogspot.com.br/2011/04/wss4j-16-introducing-validators.html

For your purposes it seems you need to override a method,
UsernameTokenValidator.verifyPlaintextPassword(), as explained here:

"So what if you want to validate the plaintext password against a
directory store, rather than have the CallbackHandler set the
password? Instead of implementing this behaviour in your
CallbackHandler implementation, you can simply @Override the
verifyPlaintextPassword(UsernameToken usernameToken) method in the
validator instead. "

I'd look at the source to get started, make sure it matches your jar version.

http://svn.apache.org/repos/asf/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java

-R

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
For additional commands, e-mail: java-user-h...@axis.apache.org
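
Added example (not from this thread, and not WSS4J or Rampart code): one way to do the directory-store check that an overridden verifyPlaintextPassword() would delegate to, keeping only a per-user salt and a derived hash of the password. The class name, the in-memory map standing in for the database, the choice of PBKDF2 and the iteration count are all assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper; it uses only JDK classes.
public class StoredCredentialCheck {
    private static final int ITERATIONS = 100_000; // assumed work factor
    private static final int KEY_BITS = 256;
    // Stand-in for the database table: username -> {salt, derived hash}.
    private final Map<String, byte[][]> store = new HashMap<>();

    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Enrolment: the plaintext password is never stored.
    void enroll(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        store.put(user, new byte[][] { salt, derive(password, salt) });
    }

    // The check to run on the UsernameToken's username and plaintext password.
    boolean verify(String user, char[] presented) throws Exception {
        byte[][] rec = store.get(user);
        // Unknown user: derive anyway so both paths cost the same time.
        byte[] salt = (rec != null) ? rec[0] : new byte[16];
        byte[] actual = derive(presented, salt);
        // MessageDigest.isEqual compares without an early exit.
        return rec != null && MessageDigest.isEqual(rec[1], actual);
    }

    public static void main(String[] args) throws Exception {
        StoredCredentialCheck db = new StoredCredentialCheck();
        db.enroll("bob", "bobPW".toCharArray()); // constructed sample account
        System.out.println("bob/bobPW   -> " + db.verify("bob", "bobPW".toCharArray()));
        System.out.println("bob/wrong   -> " + db.verify("bob", "wrong".toCharArray()));
        System.out.println("alice/bobPW -> " + db.verify("alice", "bobPW".toCharArray()));
    }
}
```

A server-side check like this protects the stored credentials only; a PasswordText token still crosses the wire in the clear unless the transport is encrypted.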
