I read that in WSS4J 1.6 the UsernameTokenProcessor in
The plaintext case has exactly the same behaviour as the digest 
case. The identifier is now WSPasswordCallback.USERNAME_TOKEN and not 
WSPasswordCallback.USERNAME_TOKEN_UNKNOWN, and the CallbackHandler does not do 
any authentication, but must set the password on the callback. 
I want to ask - as in this case the Rampart engine will set the password only 
if the username is correct, can I do this:  
1. I store in a database the hashed value of the "bob" username and the salt.
2. In my PWCBHandler.java class:
   • I get the stored password and hash
   • I hash pwcb.getIdentifier() with the same hash function
   • check if this hashed username is equal to the stored username
   If so, I set the password to bobPW.
But there is one problem - in the following SOAP request from 
JavaScript, everyone with a simple view-source can view the plain-text 
username and password. Can I change that? What would you recommend to me?  
// Builds the SOAP request string (the variable name is added here; the post shows only the expression).
// tranXml is assumed to be defined by the calling code.
var soapRequest =
  '<?xml version="1.0" encoding="utf-8"?>' +
  '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:nlo="http://nlo">' +
  '<soapenv:Header>' +
  '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">' +
  '<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="123">' +
  '<wsse:Username>bob</wsse:Username>' +
  // PasswordText: the password is sent in clear text, which is what the question is about.
  '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>' +
  '</wsse:UsernameToken>' +
  '</wsse:Security>' +
  '</soapenv:Header>' +
  '<soapenv:Body>' +
  '<nlo:getdataForChecking>' +
  '<nlo:data>' + tranXml + '</nlo:data>' +
  '</nlo:getdataForChecking>' +
  '</soapenv:Body>' +
  '</soapenv:Envelope>';
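A server-side CallbackHandler matching the WSS4J 1.6 behaviour quoted in the question, added here as an illustration and not code from the post or from the WSS4J/Rampart projects; the class name PWCBHandler follows the post, and the in-memory map is a constructed stand-in for the database. Because WSS4J 1.6 itself compares the value the handler sets against the token (for both PasswordText and PasswordDigest), the handler has to supply the user's actual password, so the lookup is keyed by the username as received rather than by a hash of it.

```java
package example;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

// Hypothetical server-side handler registered with Rampart for WSS4J 1.6.
public class PWCBHandler implements CallbackHandler {

    // Constructed in-memory credential store standing in for the database from the question.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        PASSWORDS.put("bob", "bobPW"); // sample credential taken from the question
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;

            // WSS4J 1.6: plaintext and digest UsernameTokens both arrive with usage USERNAME_TOKEN.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                continue; // some other usage (e.g. a key password); not handled here
            }

            String stored = PASSWORDS.get(pwcb.getIdentifier());
            if (stored == null) {
                // Unknown user: leave the password unset so WSS4J fails authentication.
                // No exception with the username in its message, to keep the failure generic.
                return;
            }

            // The handler does no authentication itself; WSS4J compares this value
            // with the token's password (or its digest) and rejects the request on mismatch.
            pwcb.setPassword(stored);
        }
    }
}
```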
