Hello,

Can anyone please point me to the documentation on securing Axis 2 web services on WebSphere Application Server v 6.1?
Abhay Srivastava
Reference Architecture Shared Services and Architecture | Smith Barney Technology | CitiGroup GWM | New York
(212) 657 - 9358

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 08, 2008 10:24 AM
To: [email protected]
Subject: Re: PasswordCallBackHandler in client

Hi Stefan,

> Can someone please enlighten me why the PasswordCallBackHandler must also be
> available at the
> clientside?

Having a password callback at the client is NOT a MUST. You can use client options to provide more information. Please look at this tutorial [1].

> Isn't there any other possibility to set the password that will be
> submitted by the client?

Yes, this can be done with the options approach.

> In my opinion it is a security matter to deliver the
> PasswordCallBackHandler class to the customers that use a client
> library. They can disassemble the class and see the logic how the
> password is checked at serverside.

Actually, as you may have already noticed, you don't need to hard code the passwords in the password callback. You can take them from a database or LDAP (we do have some limitations here) and do the authentication logic in the password callback.

> Another problem, I have to make the jars available at clientside that are
> needed at serverside in
> the PasswordCallBackHandler.
> Did I miss something to understand this?

I think you are misled by the samples here. Usually the client and the service use two different password callbacks. So the client only needs to have its password callback in its classpath. For the service, it is the same. It only needs to have its password callback class in its classpath.

thanks,
nandana

[1] - http://wso2.org/library/3190#Step_3._Engaging_Rampart_and_setting_authentication_information
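
The split between a client callback and a service callback described in the reply above, sketched as an added example (not code from this thread or from the Rampart project). It assumes WSS4J 1.5.x on the classpath; the class names `ClientPWCB` and `ServicePWCB`, the `WS_CLIENT_PASSWORD` environment variable and the in-memory store are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Ships in the client jar only: supplies this client's own password, no checking logic.
class ClientPWCB implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            // Assumption: the secret comes from the client's environment, not from source code.
            String secret = System.getenv("WS_CLIENT_PASSWORD");
            if (secret == null) throw new IOException("WS_CLIENT_PASSWORD is not set");
            ((WSPasswordCallback) cb).setPassword(secret);
        }
    }
}

// Deployed with the service only: the lookup and check never reach customers.
class ServicePWCB implements CallbackHandler {
    // Constructed stand-in for a database or LDAP lookup.
    private static final Map<String, String> STORE = Map.of("alice", "constructed-demo-secret");

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String expected = STORE.get(pwcb.getIdentifer()); // method name spelled this way in WSS4J 1.5.x
            if (expected == null) throw new IOException("authentication failed");
            if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // WSS4J asks for the stored password and does the comparison itself.
                pwcb.setPassword(expected);
            } else if (pwcb.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // WSS4J passes the received password; the handler decides, in constant time.
                String got = pwcb.getPassword();
                if (got == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                          got.getBytes(StandardCharsets.UTF_8)))
                    throw new IOException("authentication failed");
            } else {
                throw new UnsupportedCallbackException(cb, "unexpected callback usage");
            }
        }
    }
}
```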
