Hi Mayank,
Thanks for the reply.
1. It works if I set WSPasswordCallback.setPassword in my
PasswordCallbackHandler class to the plain password text for both the
PasswordDigest and PasswordText methods.
2. If I use the hashed password (loaded from our database) in my
PasswordCallbackHandler class, it throws an exception.
3. The password I passed in is absolutely right, because I am able to log in
to the web application using that uid/pwd.
How does UsernameTokenProcessor.handleUsernameToken know how to handle
the hashed password text from the database? They may use a different algorithm
to hash and store it in the database. The code snippet I posted is what we use
to hash the password before storing it in the database.
Can you explain more on your idea? I am a little bit confused.
Thanks,
Mark2008 wrote:
>
> I am integrating the WS-Security UsernameToken approach into our existing
> application. The existing application stores the password in one-way
> hashed form with the following code snippet (plaintext is the plain
> password text, and we use HTTPS)
>
> ------------------------------------------------------
> import java.security.MessageDigest;
> import sun.misc.BASE64Encoder; // JDK-internal class, not a public API
>
> MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" is the JDK alias for SHA-1
> md.update(plaintext.getBytes("UTF-8"));
> byte raw[] = md.digest(); // 20 bytes
> String hash = (new BASE64Encoder()).encode(raw); // 28 Base64 characters
> String newPassword = hash.substring(0,19); // only the first 19 are stored
> ------------------------------------------------------
>
> I tried both PasswordDigest and PasswordText, but the security token cannot
> be authenticated.
> WSSecurityException: The security token could not be authenticated or
> authorized at
> org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:129)
>
> How do I specify the encryption/hash algorithm? Or should I hash the
> INPUT password using the above code first and then set the database hashed
> password with WSPasswordCallback.setPassword, or just bypass
> WSPasswordCallback.handleUserNameToken by comparing those two
> programmatically?
>
> Any idea? What's the best practice?
>
> Thanks,
>
> Mark
>
>
--
View this message in context:
http://www.nabble.com/WS-Security--UserNameToken--against-encrypted-database-password-tp20737774p20739494.html
Sent from the cxf-user mailing list archive at Nabble.com.
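The thread above turns on one protocol detail: a UsernameToken with PasswordType=PasswordDigest carries Base64(SHA-1(nonce + created + password)) computed by the client over the plaintext password, so whoever verifies it has to recompute that same digest and therefore needs the plaintext (or a secret from which the plaintext can be recovered). A server that holds only a one-way hash of the password cannot verify a PasswordDigest token, which is exactly the failure reported above. With PasswordType=PasswordText (only acceptable over TLS) the token carries the plaintext itself, so the server can run it through the application's own storage scheme and compare the result to the database value. The following Python script is an added, stand-alone illustration of both checks; it is not code from the thread, from CXF, or from WSS4J, and does not use the WSS4J API. The username, password and Created timestamp are constructed sample values, and `app_store_hash` re-implements the SHA-1/Base64/first-19-characters scheme quoted in the original post.

```python
"""Added illustration (not from the thread, CXF or WSS4J): why a WS-Security
UsernameToken PasswordDigest cannot be verified against a one-way hashed
password, and how a PasswordText token can be.  All values are constructed."""
import base64
import hashlib
import hmac
import os

# Constructed sample credentials.
USERNAME = "mark"
PLAINTEXT = "s3cret-pass"


def app_store_hash(plaintext: str) -> str:
    """Re-implements the application's storage scheme quoted in the thread:
    Base64(SHA-1(utf8(password)))[0:19].  SHA-1 yields 20 bytes, i.e. 28
    Base64 characters; the application keeps only the first 19."""
    raw = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")[:19]


def wss_password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile PasswordDigest:
    Base64(SHA-1(nonce + created + password)) with the nonce as raw bytes and
    created/password as UTF-8 text.  The *plaintext* password goes in."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def client_digest_token(username: str, password: str,
                        created: str = "2008-11-28T10:15:30.123Z") -> dict:
    """What a client builds for PasswordType=PasswordDigest.  The default
    Created value is a constructed timestamp; the nonce is fresh per token."""
    nonce = os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": wss_password_digest(nonce, created, password),
    }


def server_verify_digest(token: dict, password_from_callback: str) -> bool:
    """Server-side PasswordDigest check: recompute the digest from the token's
    nonce and Created time plus the password the callback supplied, then
    compare in constant time.  This can only succeed when the callback
    supplied the plaintext; a stored hash produces a different digest."""
    nonce = base64.b64decode(token["Nonce"])
    expected = wss_password_digest(nonce, token["Created"], password_from_callback)
    return hmac.compare_digest(expected, token["PasswordDigest"])


def server_verify_text(presented_plaintext: str, stored_hash: str) -> bool:
    """Server-side PasswordText check: the token carries the plaintext, so the
    server applies its own storage scheme and compares with the database
    value.  No plaintext password has to be stored for this to work."""
    return hmac.compare_digest(app_store_hash(presented_plaintext), stored_hash)


if __name__ == "__main__":
    stored = app_store_hash(PLAINTEXT)              # what the database holds
    token = client_digest_token(USERNAME, PLAINTEXT)

    # PasswordDigest: plaintext from the callback verifies, the DB hash does not.
    print("digest, callback gives plaintext:", server_verify_digest(token, PLAINTEXT))
    print("digest, callback gives DB hash  :", server_verify_digest(token, stored))

    # PasswordText: the server hashes the presented value itself.
    print("text, correct password          :", server_verify_text(PLAINTEXT, stored))
    print("text, wrong password            :", server_verify_text("wrong", stored))
```

Two caveats for anyone adopting this pattern. First, PasswordDigest only protects the password on the wire; it does not let the server avoid holding a recoverable form of the password, so a hashed-password database and PasswordDigest are fundamentally incompatible unless the hash scheme is changed to something the client can also compute (at which point the hash effectively becomes the password). Second, the quoted storage scheme is a single unsalted SHA-1 truncated to 19 Base64 characters; it is cheap to brute-force offline and identical passwords hash identically across users, so a salted, iterated password hash is the appropriate target when that code is next touched.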