Mark2008 wrote:
I am integrating the WS-Security UsernameToken approach into our existing
application. The existing application stores the password in a one-way hashed
format with the following code snippet (plaintext is the plain password text,
and we use HTTPS):

------------------------------------------------------
import java.security.MessageDigest;
import java.util.Base64;

// "SHA" resolves to SHA-1 in the JDK providers
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(plaintext.getBytes("UTF-8"));
byte[] raw = md.digest();
// java.util.Base64 stands in for the original's sun.misc.BASE64Encoder
String hash = Base64.getEncoder().encodeToString(raw);
// only the first 19 Base64 characters of the 28-character digest are stored
String newPassword = hash.substring(0, 19);
------------------------------------------------------

I tried both PasswordDigest and PasswordText, but the security token cannot
be authenticated:
WSSecurityException: The security token could not be authenticated or
authorized at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:129)
How do I specify the encryption/hash algorithm? Or should I hash the
input password using the above code first and then set the database hashed
password via WSPasswordCallback.setPassword, or just bypass
WSPasswordCallback.handleUserNameToken by comparing the two
programmatically?

Hi Mark,

You can use either Password Digest or Password Hash; it should work. You can provide a PasswordCallbackHandler class and set the Password for the Identifier as UserName_Token.

The security entropy of a Username Token is low, hence I remember reading somewhere that they are not recommended for Signature and Encryption operations.

With Regards,
Mayank
Any idea? What's the best practice?
Thanks,

Mark
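The following is an added example, not code from the thread or from WSS4J, that works through why the two password types behave differently when the server holds only the legacy SHA-1 hash. It reproduces the application's one-way hash from the snippet above, builds the fields of a client UsernameToken for both PasswordText and PasswordDigest (the digest is Base64(SHA-1(nonce + created + password)) as defined by the WS-Security UsernameToken Profile 1.0), and shows what a server-side check such as the WSPasswordCallback handler in the question can and cannot verify. The user name, the sample password "s3cret" and the function names are constructed for illustration; the replay cache is an assumption about what a real verifier would add.

```python
import base64
import datetime
import hashlib
import hmac
import os
from typing import Optional

# WS-Security UsernameToken Profile 1.0 defines
#   PasswordDigest = Base64( SHA-1( nonce + created + password ) )
# with nonce as the raw (Base64-decoded) bytes and created/password as UTF-8.


def legacy_hash(plaintext: str) -> str:
    """The application's existing one-way format: the first 19 characters of
    Base64(SHA-1(password)), mirroring the Java snippet in the question."""
    raw = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")[:19]


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """PasswordDigest over whatever both sides agree is the shared secret."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + secret.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def client_token(username: str, secret: str, password_type: str) -> dict:
    """Fields a client would place in its <wsse:UsernameToken>
    (constructed dict, not real SOAP)."""
    if password_type == "PasswordText":
        return {"Username": username, "Type": "PasswordText", "Password": secret}
    nonce = os.urandom(16)
    created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Type": "PasswordDigest",
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, secret),
    }


def server_verify(token: dict, stored_hash: str,
                  seen_nonces: Optional[set] = None) -> bool:
    """Verification when the server holds only legacy_hash(password).

    PasswordText: hash the submitted plaintext the legacy way and compare.
    PasswordDigest: the server cannot recover the plaintext, so the only value
    it can recompute the digest over is the stored hash itself. That matches
    only if the client also used the stored hash as its secret."""
    if token["Type"] == "PasswordText":
        return hmac.compare_digest(legacy_hash(token["Password"]), stored_hash)
    nonce = base64.b64decode(token["Nonce"])
    # Replay check (assumed; WSS4J keeps a nonce cache for the same reason):
    # a nonce that was already accepted is rejected when a cache is supplied.
    if seen_nonces is not None and nonce in seen_nonces:
        return False
    expected = password_digest(nonce, token["Created"], stored_hash)
    ok = hmac.compare_digest(expected, token["Password"])
    if ok and seen_nonces is not None:
        seen_nonces.add(nonce)
    return ok


if __name__ == "__main__":
    stored = legacy_hash("s3cret")  # constructed sample password
    print("PasswordText, plaintext secret:  ",
          server_verify(client_token("mark", "s3cret", "PasswordText"), stored))
    print("PasswordDigest over plaintext:   ",
          server_verify(client_token("mark", "s3cret", "PasswordDigest"), stored))
    print("PasswordDigest over stored hash: ",
          server_verify(client_token("mark", stored, "PasswordDigest"), stored))
```

The three cases in the demo are the practical answer to the question: with PasswordText over HTTPS the callback can hash the incoming plaintext exactly as the legacy code does and compare it to the stored value, so no algorithm needs to be "specified" on the WSS4J side. With PasswordDigest the digest is taken over the password bytes the client knows, so a server that stores only a hash can verify it only if the client digests over that same stored hash, at which point the stored hash is the real credential and a leaked database is as good as the passwords. Two caveats a practitioner would want: the stored value is an unsalted SHA-1 digest truncated to 19 Base64 characters, so it is cheap to attack offline once leaked, and a digest verifier should keep a nonce cache (as in the example) and bound the Created timestamp, otherwise a captured token can simply be replayed.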

