Mark2008 wrote:
> 
> Hi Mayank,
> 
> Thanks for the reply. 
> 1. It works if I set the WSPasswordCallback.setPassword in my
> PasswordCallbackHandler class to the plain-password-text for both the
> PasswordDigest and PasswordText methods. 
> 
> 2. If I use the hashed password (loaded from our database) in my
> PasswordCallbackHandler class, it throws an exception. 
> 
> 3. The password I passed in is absolutely right because I am able to login
> to the web application using that uid/pwd. 
> 
> How does the UsernameTokenProcessor.handleUsernameToken know how to handle
> the hashed-password-text from the database? They may use a different
> algorithm to hash and store it in the database. The code snippet I posted is
> what we use to hash the password before storing it in the database.
> 

I believe if you're using SSL anyway, it is best to use a plaintext password
because of the very problem that you're giving, namely, that password digest
requires that the client use the same hash algorithm as the database,
information that you normally don't want to give out (or is otherwise
strange to give out).  In the book SOA Security (Manning publ.) this very
point is given as the main disadvantage to the password digest format.

Basically, if the password you are comparing against is stored in the DB in
encrypted format, use the plaintext passwords over SSL for the SOAP call.

Glen

-- 
View this message in context: 
http://www.nabble.com/WS-Security--UserNameToken--against-encrypted-database-password-tp20737774p20741394.html
Sent from the cxf-user mailing list archive at Nabble.com.

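The point Glen makes above can be seen by working through the UsernameToken math. The following is an added example written for this page; it is not code from the thread, from CXF or from WSS4J. It implements the WS-Security UsernameToken Profile digest, Password_Digest = Base64(SHA-1(nonce + created + password)), on the client side, and on the server side a hypothetical credential store that keeps only salted PBKDF2-HMAC-SHA256 hashes (a stand-in for whatever hashing the poster's database does). The names `make_token`, `store_hashed`, `UsernameTokenVerifier` and `demo` are this example's own. It shows that PasswordText verifies cleanly against a hashed store, that a PasswordDigest token built from the correct password cannot be verified by a server that holds only the hash (which is what the poster's callback handler ran into), and that the digest only works when the server has the plaintext. It also adds the nonce/Created checks a server accepting either token type should do.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# ---------- client side: wsse:UsernameToken construction ----------

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1()
    h.update(nonce)                      # raw nonce bytes, not their Base64 text
    h.update(created.encode("utf-8"))    # wsu:Created exactly as sent on the wire
    h.update(password.encode("utf-8"))   # the plaintext password and nothing else
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username, password, password_type, nonce=None, created=None):
    """Fields of a UsernameToken as a dict (hypothetical helper, not a WSS4J API)."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if password_type == "PasswordDigest":
        pwd = password_digest(nonce, created, password)
    elif password_type == "PasswordText":
        pwd = password                   # plaintext on the wire: only acceptable over TLS
    else:
        raise ValueError(password_type)
    return {"Username": username, "Password": pwd, "Type": password_type,
            "Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created}

# ---------- server side: a store that keeps only salted hashes ----------

def store_hashed(password, salt=None):
    """Hypothetical DB record (salt + PBKDF2 hash); the plaintext is never stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return {"salt": salt, "hash": dk}


def verify_digest_with_plaintext(token, known_plaintext):
    """What a server CAN do with PasswordDigest: recompute it from the plaintext."""
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], known_plaintext)
    return hmac.compare_digest(expected, token["Password"])


class UsernameTokenVerifier:
    """Verifies tokens against hashed records; rejects stale or replayed tokens."""

    def __init__(self, records, freshness=timedelta(minutes=5)):
        self.records = records
        self.freshness = freshness
        self.seen_nonces = set()         # replay cache keyed by (user, nonce)

    def _fresh(self, created, now):
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return abs(now - ts) <= self.freshness

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        record = self.records.get(token["Username"])
        if record is None or not self._fresh(token["Created"], now):
            return False
        key = (token["Username"], token["Nonce"])
        if key in self.seen_nonces:      # same nonce twice inside the window: replay
            return False
        self.seen_nonces.add(key)
        if token["Type"] == "PasswordText":
            # We have the plaintext (protected by TLS), so re-derive and compare the hash.
            dk = hashlib.pbkdf2_hmac("sha256", token["Password"].encode("utf-8"),
                                     record["salt"], 100_000)
            return hmac.compare_digest(dk, record["hash"])
        # PasswordDigest covers the *plaintext*. With only a hash on file, the best the
        # server can do is what the poster's callback did: hand the stored hash over as
        # if it were the password. The recomputed digest can never match.
        stored_as_text = base64.b64encode(record["hash"]).decode("ascii")
        return verify_digest_with_plaintext(token, stored_as_text)


def demo():
    """Constructed inputs (fixed salt, nonce and clock) so the outcome is reproducible."""
    salt = bytes.fromhex("00" * 16)
    records = {"alice": store_hashed("correct horse", salt)}
    now = datetime(2008, 11, 28, 12, 0, 0, tzinfo=timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
    text_ok = make_token("alice", "correct horse", "PasswordText", nonce, created)
    text_bad = make_token("alice", "wrong horse", "PasswordText", nonce, created)
    digest_ok = make_token("alice", "correct horse", "PasswordDigest", nonce, created)
    v = UsernameTokenVerifier(records)
    return {
        "text_correct": v.verify(text_ok, now),
        "text_replayed": v.verify(text_ok, now),
        "text_wrong": UsernameTokenVerifier(records).verify(text_bad, now),
        "digest_vs_hash_store": UsernameTokenVerifier(records).verify(digest_ok, now),
        "digest_vs_plaintext_server": verify_digest_with_plaintext(digest_ok, "correct horse"),
    }
```

Running `demo()` gives `text_correct` True, `text_wrong` False, `text_replayed` False, `digest_vs_hash_store` False and `digest_vs_plaintext_server` True. That last pair is the whole trade-off: PasswordDigest keeps the password off the wire but forces the server to hold it (or to publish its storage hash so clients can pre-hash, which leaks the scheme); PasswordText lets the server keep only a salted hash but needs TLS to protect the password in transit.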