Resending without the cert .
I'm implementing a web service with security authentication (using plain text password passed in and a custom password handler callback). Everything works fine except for the fact that when a login/password fails authentication, the only resort is to throw a WSSecurityException or SoapFault. Given that the clients of the service are going to be using a GUI into which they explicitly login, getting username/password wrong is going to be a very common issue and shouldn't really result in a server-side exception. The only workaround I can think of is to: - Introduce some sort of interceptor on the service side to add header params for the username/password in the WSDL without necessarily defining a @WebParam() annotation in every single method. I saw something about this in the FAQ but if someone can give me a concrete example, that would be swell. - Have a custom interceptor that processes the username/password in the incoming header params, does the auth and sets some kind of result (lets say in a thread-local). Have the service invoker bypass the method execution and return without throwing an exception. Does this even make sense? Are there any alternate routes for achieving the basic goal of not throwing exceptions to signal client auth failure? Also, the PasswordDigest handler mechanism in some ways seems useless. The handler expects one to retrieve a plain text password given a user identity. That assumes people have access to plain-text passwords in the first place! We store one-way hashed passwords and I suspect this is very common and also recommended. So the digest service would be rather useless in this scenario. Thanks Karthik Abram
