Hi, When I was using interceptors I utilised the ws-security.validate.token to disable validation of the username / password. Instead I added a UsernamePasswordAuthentication (extends AbstractUsernameTokenInInterceptor) interceptor which utilised a spring AuthenticationManager to authenticate the user and create a spring SecurityContext.
What is the recommended approach for ws policy? Is the CallbackHandler the way to do it, or should I be using a custom UT validator? I have been looking for best practice in this area but have not found anything. I have all my ldap configuration setup in spring and all my web services are using spring @PreAuthorise, so I want to continue to have this functionality. I am assuming I probably need to use the callback handler, but wanted to make sure I was not missing anything.
