Hi,

The CallbackHandler is only responsible for retrieving the (plaintext) password corresponding to the username that was received. It doesn't do any validation; that's done in the UsernameTokenValidator.

So for the use-case where you don't have access to the plaintext password, but instead know the hashed password to compare directly against the received hashed password, you could implement your own UsernameTokenValidator, and configure the CXF security runtime to use this validator for UsernameTokens. In this case, the CallbackHandler wouldn't retrieve any password, as it doesn't know how to access the plaintext password.

Colm.

On Thu, Feb 2, 2012 at 10:03 AM, Francisco Serrano <[email protected]> wrote:
> Hi list,
>
> We are trying to integrate the STS into our solution for SSO but we
> encountered an issue that is hard to solve.
>
> For the moment, the token validator uses a callback to be able to
> verify the correct username and password to deliver the token.
>
> The problem appears when you need to store hashed passwords and check.
> There would be needed some mechanism not to set the current password to the
> WSPasswordCallback to be verified directly against the string value of the
> password but to check it against a hashed value.
>
> The following code is coming from the PasswordCallbackHandler:
>
> -----------------------------------------------------------------------------
>
> public void handle(Callback[] callbacks) throws IOException,
>         UnsupportedCallbackException {
>
>     if (getPasswords() == null || getPasswords().size() == 0)
>         return;
>
>     for (int i = 0; i < callbacks.length; i++) {
>         if (callbacks[i] instanceof WSPasswordCallback) { // CXF
>             WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>
>             String pw = getPasswords().get(pc.getIdentifier());
>             pc.setPassword(pw);
>         }
>     }
> }
>
> -----------------------------------------------------------------------------
>
> The correct/original password and the one provided is evaluated at the
> UsernameTokenValidator
> (org.apache.ws.security.validate.UsernameTokenValidator).
> Method: verifyDigestPassword (called from the "verifyPlaintextPassword" method).
>
> -----------------------------------------------------------------------------
>
> if (!origPassword.equals(password)) {
>     throw new
>         WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
> }
>
> -----------------------------------------------------------------------------
>
>
> I could imagine that it could be set a flag to indicate that the
> password should be checked instead of compared and also the algorithm to be
> used for the digest check.
>
> Any suggestion about how this could/should be done? Any other idea?
>
> Thanks in advance.
>
> Fran.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
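An added example (not Colm's code and not WSS4J's own) of the custom UsernameTokenValidator suggested in the reply above: it overrides verifyPlaintextPassword so that a PasswordText token is checked against a stored salted PBKDF2 hash instead of going through the CallbackHandler. It assumes the WSS4J 1.6 package names quoted in the thread, Java 8 for java.util.Base64 and PBKDF2WithHmacSHA256, and an in-memory map standing in for the real credential store.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

/** Checks a PasswordText UsernameToken against a stored salted PBKDF2 hash; no plaintext is kept.
 *  Register it on the CXF endpoint with the property "ws-security.ut.validator". */
public class HashedPasswordUsernameTokenValidator extends UsernameTokenValidator {

    private static final int ITERATIONS = 10000, KEY_BITS = 256; // assumed policy values
    // Stand-in for the credential store: username -> {base64 salt, base64 PBKDF2 hash}.
    private final Map<String, String[]> store = new HashMap<String, String[]>();

    public HashedPasswordUsernameTokenValidator() {
        store.put("fran", enroll("example-only".toCharArray())); // constructed sample user
    }

    /** Enrolment helper: fresh random salt, hash derived with the same parameters used at check time. */
    public static String[] enroll(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return new String[] { enc.encodeToString(salt), enc.encodeToString(pbkdf2(password, salt)) };
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** WSS4J calls this for PasswordText tokens; the base class would instead ask the CallbackHandler. */
    @Override
    protected void verifyPlaintextPassword(UsernameToken token, RequestData data) throws WSSecurityException {
        String[] record = store.get(token.getName());
        if (record == null || token.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] expected = dec.decode(record[1]);
        byte[] actual = pbkdf2(token.getPassword().toCharArray(), dec.decode(record[0]));
        if (!MessageDigest.isEqual(expected, actual)) { // constant-time comparison
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }
}
```

This only covers PasswordText tokens: a PasswordDigest token carries SHA-1(nonce + created + password), so verifying one still requires the plaintext password (or an equivalent secret) on the server side, which is why verifyDigestPassword is left to the base class here.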
