I am integrating the WS-Security UsernameToken approach into our existing
application. The existing application stores the password in one-way hashed
form with the following code snippet (plaintext is the plain password text
and we use https):

------------------------------------------------------
import java.security.MessageDigest;
import sun.misc.BASE64Encoder; // JDK-internal class used by the existing code

// One-way hash of the plain password as stored in the database:
// Base64(SHA-1(plaintext)), truncated to its first 19 characters.
MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" resolves to SHA-1
md.update(plaintext.getBytes("UTF-8"));
byte[] raw = md.digest();
String hash = (new BASE64Encoder()).encode(raw);
String newPassword = hash.substring(0, 19);
------------------------------------------------------

I tried both PasswordDigest and PasswordText, but the security token cannot
be authenticated:
WSSecurityException: The security token could not be authenticated or
authorized at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:129)

How do I specify the encrypt/hash algorithm? Or should I hash the
INPUT password using the above code first and then set the database-hashed
password via WSPasswordCallback.setPassword, or just bypass
WSPasswordCallback.handleUserNameToken by comparing those two
programmatically?

Any idea? What's the best practice? 

Thanks,

Mark

-- 
View this message in context: 
http://www.nabble.com/WS-Security--UserNameToken--against-encrypted-database-password-tp20737774p20737774.html
Sent from the cxf-user mailing list archive at Nabble.com.

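The two verification paths the post asks about, as an added example in Python (not code from the post, CXF or WSS4J): legacy_store_hash() reproduces the post's Java hashing scheme, password_digest() is the PasswordDigest formula defined by the WS-Security UsernameToken Profile 1.0, and the user store, username and password are constructed test data. It shows why PasswordText (over HTTPS) can be verified by re-hashing the received password with the legacy scheme, while PasswordDigest requires the exact same password string on both sides, which with a one-way-hashed store can only be the stored hash itself. The Created-timestamp freshness and nonce-replay checks that WSS4J also performs are omitted here.

```python
"""Verify a WS-Security UsernameToken against a one-way-hashed password store.

Added illustration, not code from the original post, CXF or WSS4J. The user
store and credentials below are constructed test data.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional


def legacy_store_hash(plaintext: str) -> str:
    """The existing application's storage format: Base64(SHA-1(password))[:19]."""
    raw = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")[:19]


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_token(username: str, password: str, password_type: str,
                nonce: Optional[bytes] = None, created: Optional[str] = None) -> dict:
    """Client side: the fields a <wsse:UsernameToken> carries for each password type."""
    if password_type == "PasswordText":
        return {"Username": username, "Type": password_type, "Password": password}
    if password_type == "PasswordDigest":
        nonce = nonce or os.urandom(16)
        created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"Username": username, "Type": password_type,
                "Password": password_digest(nonce, created, password),
                "Nonce": base64.b64encode(nonce).decode("ascii"),
                "Created": created}
    raise ValueError("unknown password type: " + password_type)


def verify_password_text(token: dict, stored_hash: str) -> bool:
    """PasswordText (acceptable only over TLS): re-hash the received password with
    the legacy scheme and compare it to the stored value in constant time."""
    if token.get("Type") != "PasswordText":
        return False
    return hmac.compare_digest(legacy_store_hash(token["Password"]), stored_hash)


def verify_password_digest(token: dict, server_password: str) -> bool:
    """PasswordDigest: the server recomputes the digest, which needs the exact
    password string the client used. With a one-way-hashed store that string can
    only be the stored hash itself; a digest built from the plaintext is
    unverifiable and fails exactly like the post's WSSecurityException."""
    if token.get("Type") != "PasswordDigest":
        return False
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], server_password)
    return hmac.compare_digest(expected, token["Password"])


# Constructed store: one user whose password is hashed exactly as the post's Java code does.
USER_STORE = {"mark": legacy_store_hash("s3cret")}


def demo() -> dict:
    """Run the four cases a practitioner would want to see side by side."""
    stored = USER_STORE["mark"]
    return {
        # PasswordText: re-hash the input and compare against the database value.
        "text_ok": verify_password_text(build_token("mark", "s3cret", "PasswordText"), stored),
        "text_bad": verify_password_text(build_token("mark", "wrong", "PasswordText"), stored),
        # PasswordDigest built from the plaintext: cannot be recomputed from the hash.
        "digest_from_plaintext": verify_password_digest(
            build_token("mark", "s3cret", "PasswordDigest"), stored),
        # PasswordDigest where both sides treat the stored hash string as the password.
        "digest_from_stored_hash": verify_password_digest(
            build_token("mark", stored, "PasswordDigest"), stored),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The PasswordText path is what a WSS4J callback handler can implement when it is handed the received plaintext: hash it with the legacy scheme and compare, rather than calling setPassword with the stored hash, which would make WSS4J compare a hash against a plaintext. Note that using the stored hash as the digest password makes that 19-character string a password-equivalent, so the database value must be protected accordingly.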