See XFIRE-916. It may help you understand things a little bit more clearly.
(Ignore the fact that it is Acegi-Security based).

XFire (server side) will allow you to get the username and password values,
but it will NOT authenticate for you. You must provide another InHandler
that uses these values to perform authn.

In this particular case, it seems that you already have an authentication
service, so you would need to send the credentials to that service. If
something goes wrong, I guess the most logical thing to do is throw an
exception, but that is up to you.

Also, UsernameToken can be sent as plain text or hashed. Hashed provides no
additional security, so you are ok with plain text. Just make sure (a) your
channel is secure (b) you use encryption.

regards
Andres B.

On 3/24/07, odoepner <[EMAIL PROTECTED]> wrote:


Hello,

I am having exactly the same situation here:

- We use XFire on the server side to expose a Webservice that calls EJB
methods.
- the XFire webservice is deployed as a webapp in the J2EE server (JBoss or
Weblogic).
- We want to use WS-Security with User Tokens (plain passwords).
- We want to authenticate username/password against the J2EE server.

I need username and password to authenticate against the J2EE server (by
creating an InitialContext with the username as SECURITY_PRINCIPAL and
password as SECURITY_CREDENTIAL). I can't do that in the PasswordHandler
since - as far as I understand - it has no access to the password that the
client sent.

But if I don't implement the PasswordHandler (i.e. don't provide an
"expected" password) then the WSHandler throws an exception.

I thought I could do the authentication in the ValidateUserTokenHandler
using the principal that is extracted from the WS-Results Vectors. But since
I always get an exception in the WSHandler the ValidateUserTokenHandler is
never called.

How can I solve this problem?

Oliver Doepner


TRynne wrote:
>
>
>  I am trying to use WS-Security with xfire but I am having trouble
> understanding what is needed in order to authenticate against a 3rd party
> system.
>
> Essentially I am trying to use xfire as a proxy for an existing system.
> Users can already login to the jboss based system with a swing interface. I
> am trying to create an xfire based webapp which logs into the jboss
> application with a username and password provided via the soap WS-Security
> headers.
>
> These are my assumptions. Please tell me if any of them are wrong.
>  -The password must be sent plaintext as otherwise I can not use it to
> login to the 3rd party system.
>  -When using plaintext passwords by default no authentication of the
> password is performed.
>  -At a later date the plaintext password header could be encrypted with a
> local private key and decrypted using a matching public key held on the
> server.
>
> The problem I have now is that I do not know where to perform the actual
> verification of the username and password and what I should do if the
> password is not correct.
>
> I am also confused by the difference between the PasswordHandler and
> ValidateUserTokenHandler.
>
> My current thinking is that the PasswordHandler, on the server, is used to
> get the user plain text password when hashed passwords are used. So in my
> case I can ignore it.
>
> ValidateUserTokenHandler could be the thing I am looking for (the place to
> validate the username+password with the 3rd party system) but if that is
> the case what do I do if it fails?
>
> thanks for any pointers
> Thomas
>
>

--
View this message in context:
http://www.nabble.com/3rd-party-authentication-tf2424006.html#a9653997
Sent from the XFire - User mailing list archive at Nabble.com.
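
The approach discussed in this thread (a separate InHandler that takes the UsernameToken credentials and checks them against the J2EE server by creating a JNDI InitialContext), as an added Java example that is not code from the thread or from XFire. It assumes the WSS4J 1.5-era API used by XFire's WS-Security support and a container whose InitialContextFactory verifies credentials when the context is created; `JndiAuthHandler` and `baseEnv` are hypothetical names.

```java
import java.util.Hashtable;
import java.util.Vector;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.fault.XFireFault;
import org.codehaus.xfire.handler.AbstractHandler;
// Hypothetical handler name; add it to the service's in-handlers after the WSS4J in-handler.
public class JndiAuthHandler extends AbstractHandler {
    private final Hashtable baseEnv; // assumed: container's INITIAL_CONTEXT_FACTORY and PROVIDER_URL
    public JndiAuthHandler(Hashtable baseEnv) { this.baseEnv = baseEnv; }

    public void invoke(MessageContext context) throws Exception {
        Vector results = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
        for (int i = 0; results != null && i < results.size(); i++) {
            Vector engine = ((WSHandlerResult) results.get(i)).getResults();
            for (int j = 0; j < engine.size(); j++) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) engine.get(j);
                if ((r.getAction() & WSConstants.UT) == 0) continue; // not a UsernameToken
                WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal) r.getPrincipal();
                // A digest cannot be passed on to JNDI, so only plain-text tokens are accepted.
                if (p.getName() == null || p.getPassword() == null || p.isPasswordDigest())
                    throw new XFireFault("Authentication failed", XFireFault.SENDER);
                authenticate(p.getName(), p.getPassword());
                return;
            }
        }
        // Fail closed: a request without a UsernameToken is rejected.
        throw new XFireFault("Authentication required", XFireFault.SENDER);
    }

    private void authenticate(String user, String password) throws XFireFault {
        Hashtable env = new Hashtable(baseEnv);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialContext(env).close();
        } catch (NamingException e) {
            // One generic fault for every failure; the password is never logged or echoed.
            throw new XFireFault("Authentication failed", XFireFault.SENDER);
        }
    }
}
```

Some context factories defer the credential check until the first lookup or remote call, in which case creating the context alone proves nothing and the handler must perform a protected lookup before returning.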

