Hello, I am having exactly the same situation here:
- We use XFire on the server side to expose a Webservice that calls EJB methods.
- The XFire webservice is deployed as a webapp in the J2EE server (JBoss or Weblogic).
- We want to use WS-Security with User Tokens (plain passwords).
- We want to authenticate username/password against the J2EE server.

I need username and password to authenticate against the J2EE server (by creating an InitialContext with the username as SECURITY_PRINCIPAL and password as SECURITY_CREDENTIAL). I can't do that in the PasswordHandler since - as far as I understand - it has no access to the password that the client sent. But if I don't implement the PasswordHandler (i.e. don't provide an "expected" password) then the WSHandler throws an exception.

I thought I could do the authentication in the ValidateUserTokenHandler using the principal that is extracted from the WS-Results Vectors. But since I always get an exception in the WSHandler, the ValidateUserTokenHandler is never called.

How can I solve this problem?

Oliver Doepner

TRynne wrote:
>
> I am trying to use WS-Security with xfire but I am having trouble understanding what is needed in order to authenticate against a 3rd party system.
>
> Essentially I am trying to use xfire as a proxy for an existing system. Users can already login to the jboss based system with a swing interface. I am trying to create an xfire based webapp which logs into the jboss application with a username and password provided via the soap WS-Security headers.
>
> These are my assumptions. Please tell me if any of them are wrong.
> - The password must be sent plaintext as otherwise I can not use it to login to the 3rd party system.
> - When using plaintext passwords by default no authentication of the password is performed.
> - At a later date the plaintext password header could be encrypted with a local private key and decrypted using a matching public key held on the server.
>
> The problem I have now is that I do not know where to perform the actual verification of the username and password and what I should do if the password is not correct.
>
> I am also confused by the difference between the PasswordHandler and ValidateUserTokenHandler.
>
> My current thinking is that the PasswordHandler, on the server, is used to get the user plain text password when hashed passwords are used. So in my case I can ignore it.
>
> ValidateUserTokenHandler could be the thing I am looking for (the place to validate the username+password with the 3rd party system) but if that is the case what do I do if it fails?
>
> thanks for any pointers
> Thomas
>

--
View this message in context: http://www.nabble.com/3rd-party-authentication-tf2424006.html#a9653997
Sent from the XFire - User mailing list archive at Nabble.com.
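One way to do the check both messages are asking for, as an added example rather than code from the thread or from XFire: a WSS4J CallbackHandler that takes the password the client actually sent and attempts the J2EE server's JNDI login with it, rejecting the token when that login fails. It assumes a WSS4J release in which a plaintext UsernameToken reaches the handler with usage USERNAME_TOKEN_UNKNOWN and the received password available via getPassword() (older releases only ask the handler for an "expected" password, which is the behaviour described above, so check the WSS4J version bundled with your XFire); the JNDI factory class and provider URL are placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example, not XFire/WSS4J code: validates a plaintext UsernameToken by
 * logging in to the J2EE server with the caller's own credentials. Assumes a
 * WSS4J version that hands plaintext tokens to the handler as
 * USERNAME_TOKEN_UNKNOWN with the received password in getPassword().
 */
public class JndiPasswordHandler implements CallbackHandler {

    // Placeholders: use the server's own InitialContextFactory and provider URL.
    private static final String JNDI_FACTORY = "REPLACE_WITH_SERVER_INITIAL_CONTEXT_FACTORY";
    private static final String JNDI_URL = "REPLACE_WITH_SERVER_PROVIDER_URL";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Digest tokens would need a stored password here; this service only takes plaintext tokens.
                throw new UnsupportedCallbackException(pc, "Only plaintext UsernameTokens are accepted");
            }
            String user = pc.getIdentifer();    // WSS4J 1.x spells this getter without the second 'i'
            String password = pc.getPassword(); // the password the client sent in the token
            if (user == null || password == null || password.length() == 0) {
                throw new IOException("Missing username or password"); // fail closed
            }
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
            env.put(Context.PROVIDER_URL, JNDI_URL);
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                new InitialContext(env).close(); // a successful login is the only accepted outcome
            } catch (NamingException e) {
                // Rejecting the token: an exception from the handler makes WSS4J fail the authentication.
                throw new IOException("Authentication failed for user " + user);
            }
        }
    }
}
```

The handler is registered where the "passwordCallbackClass" property of the WSS4J inbound handler is normally set, and the ValidateUserTokenHandler then only sees tokens whose login already succeeded.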
