Hi,

I assume you use
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
in your UsernameToken.
In this case you should calculate the secure hash value from the original password
obtained from the persistence store and compare the values.

According to the specification
(https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm),
the digest value is calculated using the SHA-1 algorithm in the following way:
"Passwords of type PasswordDigest are defined as being the Base64 [XML-Schema] 
encoded, SHA-1 hash value, of the UTF8 encoded password (or equivalent)"

If the UsernameToken contains <wsse:Nonce> and <wsu:Created>, the digest value
must be calculated as:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ).


The question is why you do not use the standard approach with a CallbackHandler, if
you have all passwords available in the persistence store:

import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback; // org.apache.ws.security.WSPasswordCallback in WSS4J 1.6

public class UTPasswordCallback implements CallbackHandler {
    // Lookup of user identifier -> password, populated from the persistence store.
    // CXF instantiates passwordCallbackClass by reflection, so keep a no-arg constructor.
    private Map<String, String> persistenceStore;

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

            // Get the password from the persistence store based on the user identifier;
            // WSS4J then computes the digest itself and compares it with the token's value.
            String pass = persistenceStore.get(pc.getIdentifier());
            if (pass != null) {
                pc.setPassword(pass);
                return;
            }
        }
    }
}

...
        outProps.put("passwordCallbackClass", "demo.wssec.server.UTPasswordCallback");

?

Regards,
Andrei.
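An added example (not from Andrei's mail, nor CXF or WSS4J code) of the check described above in Java: the server recomputes Base64(SHA-1(nonce + created + password)) from the password held in the persistence store and compares it with the digest received in the token. The class and method names, and the sample nonce, timestamp and password, are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class UsernameTokenDigest {

    // Base64(SHA-1(nonce + created + password)) as the UsernameToken Profile defines it.
    // nonceB64 is the <wsse:Nonce> text as sent (Base64); the hash covers its decoded
    // bytes, not the Base64 characters themselves.
    public static String computeDigest(String nonceB64, String created, String password)
            throws NoSuchAlgorithmException {
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Server side: recompute the digest from the stored clear-text password and the
    // nonce/created values the client sent, then compare in constant time so the
    // comparison itself does not leak how many leading bytes matched.
    public static boolean verify(String receivedDigest, String nonceB64, String created,
                                 String storedPassword) throws NoSuchAlgorithmException {
        byte[] expected = computeDigest(nonceB64, created, storedPassword)
                .getBytes(StandardCharsets.UTF_8);
        byte[] received = receivedDigest.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values standing in for a captured UsernameToken.
        String nonce = Base64.getEncoder()
                .encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String created = "2014-05-08T01:47:00Z";
        // What a client would place in <wsse:Password Type="...#PasswordDigest">
        String sent = computeDigest(nonce, created, "secret");

        System.out.println("stored password matches: " + verify(sent, nonce, created, "secret"));
        System.out.println("wrong password matches: " + verify(sent, nonce, created, "wrong"));
    }
}
```

The profile also expects the receiver to reject a reused nonce and a Created value outside a short freshness window; that replay check is not part of this example.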

> -----Original Message-----
> From: Paul Avijit [mailto:[email protected]]
> Sent: Donnerstag, 8. Mai 2014 03:47
> To: [email protected]
> Subject: WS-Security + Custom Authentication
> 
> Hi,
> 
> I am trying to do Custom Authentication of UsernameToken in WS-Security. I
> have done the following:
> 
> 1. Set the ws-security.validate.token property in jaxws:endpoint to false
> 2. Created a custom authentication class, SoapLoginInterceptor, by extending
>    AbstractPhaseInterceptor<Message>
> 3. Configured SoapLoginInterceptor in jaxws:inInterceptors
> 4. In the handleMessage(Message message) method of SoapLoginInterceptor I get
>    the Username and Password which are present in the SOAP message header
> 5. The password is PasswordDigest so I get the encrypted password in
>    SoapLoginInterceptor
> 
> 
> How can I use this encrypted password to compare with the actual password
> that I get from the persistence store? Please help.
> 
> Thanks in advance.
> 
> Regards
> Paul
