I'm pretty sure that the password callback is asking you for the plain text password for the user in this scenario. If you look at the WS-Security UsernameToken Profile [1], the digest algorithm requires both parties to be able to access a plain-text password or password equivalent to create/verify a password digest. See the WSPasswordCallback JavaDoc for more info [2]. I think the usage will be USERNAME_TOKEN instead of USERNAME_TOKEN_UNKNOWN.

WSS4J's callback handler is expecting you to look at the username in the callback and provide a plain-text password for that user. WSS4J will then use the plain-text password to verify the digest value provided in the request.

You should be aware that a digest password is not the same as an encrypted password. They are different cryptographic activities and provide different levels of security on password confidentiality.

[1] http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf
[2] http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSPasswordCallback.html

-----Original Message-----
From: Naresh Tallapelli [mailto:[email protected]]
Sent: Wednesday, April 14, 2010 6:22 PM
To: [email protected]; [email protected]
Subject: ws security password digest

Hi All,

I am using CXF version 2.1.2. I tried to implement WS-Security. I have created password callbacks on both the client and server sides. I configured the password type to "PasswordText". Then I was able to get the password on the web services server side. But when I set the password type to "PasswordDigest", the password was sent to the server in encrypted format. But when I call "WSPasswordCallback.getPassword()" I am getting null as the value. I am not sure if I am missing anything. Please help to resolve this issue. I need to send the password in an encrypted way.

Thank you,
Naresh.
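
Added example (not part of the original thread and not WSS4J's own code): a sketch of the UsernameToken Profile digest, Base64(SHA-1(nonce + created + password)), showing why the receiving side must look up the plain-text password and recompute the digest rather than read a password out of the request. The PASSWORDS store, the user "alice" and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed server-side credential store. It plays the role of the password
# callback: given a username, return that user's plain-text password.
PASSWORDS = {"alice": "s3cret-constructed"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile."""
    sha1 = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha1.digest()).decode("ascii")


def build_token(username: str, password: str) -> dict:
    """Client side: send a fresh nonce, a timestamp and the digest, never the password."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, password),
    }


def verify_token(token: dict, lookup=PASSWORDS.get) -> bool:
    """Server side: the digest is one-way, so there is no password to extract.
    Recompute the digest from the stored password and compare in constant time."""
    password = lookup(token["Username"])
    if password is None:  # unknown user: nothing to recompute the digest from
        return False
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], password)
    return hmac.compare_digest(expected, token["Password"])
```

A complete verifier would also reject stale Created values and reused nonces, as the profile recommends, to limit replay of a captured token.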
