Thanks, great information also for people on axis2-dev [1]!

Next question: is it possible to get the username in the ServiceImplementation to check for rights to call a method? Is there a best practice on how to do this? Maybe adding a parameter to the messageContext in the PWCBHandler and reading it in the Service Impl?

Thanks again in advance,
Stefan

[1] https://issues.apache.org/jira/browse/AXIS2-3366

Nandana Mihindukulasooriya wrote:
> Hi Stefan,
>
>> Can someone please enlighten me why the PasswordCallBackHandler must also be
>> available at the clientside?
>
> Having a password callback at the client is NOT a MUST. You can use client
> options to provide more information. Please look at this tutorial [1].
>
>> Isn't there any other possibility to set the password that will be
>> submitted by the client?
>
> Yes, this can be done with the options approach.
>
>> In my opinion it is a security matter to deliver the
>> PasswordCallBackHandler class to the customers that use a client library.
>> They can disassemble the class and see the logic how the password is
>> checked at serverside.
>
> Actually, as you may have already noticed, you don't need to hard code the
> passwords in the password callback. You can take them from a database, LDAP
> (we do have some limitations here) and do the authentication logic in the
> password callback.
>
>> Another problem: I have to make the jars available at clientside that are
>> needed at serverside in the PasswordCallBackHandler.
>> Did I miss something to understand this?
>
> I think you are misled by the samples here. Usually the client and the service
> use two different password callbacks. So the client only needs to have its
> password callback in its classpath. For the service, it is the same. It
> only needs to have its password callback class in its classpath.
>
> thanks,
> nandana
>
> [1] - http://wso2.org/library/3190#Step_3._Engaging_Rampart_and_setting_authentication_information
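Added example (not code from this thread, nor Rampart's or WSS4J's own samples) showing the two halves of the question above: a server-side password callback that authenticates a UsernameToken against a lookup instead of a hard-coded password, and a service method that reads the authenticated username back out of the WSS4J results Rampart leaves on the MessageContext under WSHandlerConstants.RECV_RESULTS, then makes an authorization decision with it. Everything named here is hypothetical: ServerPWCBHandler, SecuredService, adminOnlyOperation, the in-memory credential map and the "only alice may call this" rule. It assumes the Rampart 1.3 era WSS4J 1.5.x API, where the callback's identifier getter is spelled getIdentifer() and WSSecurityEngineResult still has getPrincipal(); later WSS4J releases replace getPrincipal() with get(WSSecurityEngineResult.TAG_PRINCIPAL). Both classes are shown in one file for reading; deploy them as separate files.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Vector;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Server-side password callback (hypothetical). Referenced from the Rampart
 *  policy's passwordCallbackClass; the client never needs this class. */
class ServerPWCBHandler implements CallbackHandler {
    // Constructed stand-in for a DB/LDAP lookup; a real handler queries a store here.
    private static final Map<String, String> CREDENTIALS = new HashMap<String, String>();
    static { CREDENTIALS.put("alice", "alice-secret"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "unsupported callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            String stored = CREDENTIALS.get(pwcb.getIdentifer()); // library's own spelling
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: WSS4J hashes what we return and compares it to the token;
                    // the clear password never leaves the server side.
                    if (stored == null) {
                        throw new UnsupportedCallbackException(pwcb, "unknown user");
                    }
                    pwcb.setPassword(stored);
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: the clear password arrives in the callback and the
                    // handler itself must verify it, rejecting by throwing.
                    if (stored == null || !stored.equals(pwcb.getPassword())) {
                        throw new UnsupportedCallbackException(pwcb, "authentication failed");
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(pwcb, "unexpected usage");
            }
        }
    }
}

/** Hypothetical service implementation that authorizes per operation. */
public class SecuredService {

    public String adminOnlyOperation(String arg) throws AxisFault {
        String user = authenticatedUser(MessageContext.getCurrentMessageContext());
        // Fail closed: no UsernameToken result means Rampart was not engaged or the
        // policy did not require the token, so nothing here has been authenticated.
        if (user == null || !"alice".equals(user)) {
            throw new AxisFault("access denied for user " + user);
        }
        return "ok:" + arg;
    }

    /** Returns the username from the UsernameToken WSS4J verified, or null. */
    static String authenticatedUser(MessageContext msgCtx) {
        Vector results = (Vector) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return null;
        }
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult handlerResult = (WSHandlerResult) i.next();
            for (Iterator j = handlerResult.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult engineResult = (WSSecurityEngineResult) j.next();
                // Only the UsernameToken action carries a WSUsernameTokenPrincipal.
                if (engineResult.getAction() == WSConstants.UT
                        && engineResult.getPrincipal() instanceof WSUsernameTokenPrincipal) {
                    return ((WSUsernameTokenPrincipal) engineResult.getPrincipal()).getName();
                }
            }
        }
        return null;
    }
}
```

Reading the principal out of RECV_RESULTS is preferable to stashing a username on the MessageContext from inside the callback: the results are populated only after WSS4J has actually verified the token, so the service cannot be fooled by a request that reached the callback but failed authentication. The value is only meaningful when the engaged policy makes the UsernameToken mandatory, which is why the service denies access when no result is present rather than treating it as anonymous.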
