If you're sending a password digest, you'll also need a nonce and a timestamp in your request to guard against replay attacks, which must be used when calculating the hash password--I'm unsure how solid CXF (or your web service provider) is in this regard. Plain text password w/SSL may be more secure for you.
Also, keep in mind password digest and password text are (unfortunately) handled *oppositely* in the service-side CallbackHandler (http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-tp28165583p28168187.html): in one case the service-side handler must validate the incoming password, for the other it must supply the actual client-side password for the CXF infrastructure to validate.

HTH,
Glen

Naresh Tallapelli wrote:
>
> Hi All,
>
> I am using cxf 2.1.2 version. I tried to implement ws security. I have
> created password call backs on both client and server sides. Configured
> password type to "PasswordText". Then I was able to get the password on
> web services server side.
>
> But when I use password type "PasswordDigest", password was sent to the
> server in encrypted format. But when I call
> "WSPasswordCallback.getPassword()" I am getting value as null. I am not
> sure if I miss anything.
>
> Please help to resolve this issue. I need to send the password in
> encrypted
> way.
>
> Thank you,
> Naresh.
>

--
View this message in context: http://old.nabble.com/ws-security-password-digest-tp28249087p28258160.html
Sent from the cxf-user mailing list archive at Nabble.com.
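A service-side handler that covers both cases Glen describes, as an added illustration (not code from this thread or from CXF itself). It assumes CXF 2.1.x on WSS4J 1.5.x, where a digest token arrives with usage USERNAME_TOKEN and a plain-text token with usage USERNAME_TOKEN_UNKNOWN, and it uses a constructed in-memory user map in place of a real credential store:

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Service-side UsernameToken callback handler (WSS4J 1.5.x semantics assumed). */
public class UsernameTokenCallbackHandler implements CallbackHandler {

    // Constructed sample credentials; a real service would consult its user store.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("naresh", "s3cret-example");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback c : callbacks) {
            if (!(c instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(c, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) c;
            String stored = USERS.get(pc.getIdentifier());
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: WSS4J only has Base64(SHA-1(nonce + created + password)),
                    // so pc.getPassword() is null here. Hand back the stored clear-text password
                    // and let WSS4J recompute the digest and compare it. Leaving it unset means
                    // WSS4J fails the authentication for an unknown user.
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: pc.getPassword() carries the client's clear-text password and
                    // the handler does the check; returning normally means "accepted".
                    // MessageDigest.isEqual avoids a timing difference on mismatch.
                    Charset utf8 = Charset.forName("UTF-8");
                    String supplied = pc.getPassword() == null ? "" : pc.getPassword();
                    if (stored == null
                            || !MessageDigest.isEqual(stored.getBytes(utf8), supplied.getBytes(utf8))) {
                        throw new IOException("Authentication failed for " + pc.getIdentifier());
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(c, "Unexpected usage " + pc.getUsage());
            }
        }
    }
}
```

Wire it in as the ws-security.callback-handler / passwordCallbackClass of the WSS4JInInterceptor; with the digest path the nonce and created timestamp from the request are what WSS4J feeds into the recomputed hash, which is why they must be present.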
