The issue with password digest is you have to store passwords in persistent
store as plain text. This should be ringing alarm bells for anyone.
On 17/05/2014 4:59 AM, "Andrei Shakirin" <[email protected]> wrote:

> Hi,
>
> I assume you use Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
> in your UsernameToken.
> In this case you should calculate the secure hash value from the original password
> retrieved from the persistence store and compare the values.
>
> According to the specification (
> https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm),
> the digest value is calculated using the SHA-1 algorithm in the following way:
> "Passwords of type PasswordDigest are defined as being the Base64
> [XML-Schema] encoded, SHA-1 hash value, of the UTF8 encoded password (or
> equivalent)"
>
> If the UsernameToken contains <wsse:Nonce> and <wsu:Created>, the digest
> value must be calculated as:
> Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ).
>
>
> The question is why you do not use the standard approach with a CallbackHandler,
> if you have all passwords available in the persistence store:
>
> public class UTPasswordCallback implements CallbackHandler {
>     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>         for (int i = 0; i < callbacks.length; i++) {
>             WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>
>             // Get password from keystore based on user identifier here:
>             String pass = persistenceStore.get(pc.getIdentifier());
>             if (pass != null) {
>                 pc.setPassword(pass);
>                 return;
>             }
>         }
>     }
> }
>
> ...
>         outProps.put("passwordCallbackClass", "demo.wssec.server.UTPasswordCallback");
>
> ?
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Paul Avijit [mailto:[email protected]]
> > Sent: Thursday, 8 May 2014 03:47
> > To: [email protected]
> > Subject: WS-Security + Custom Authentication
> >
> > Hi,
> >
> > I am trying to do Custom Authentication of UsernameToken in WS-Security. I
> > have done the following:
> >
> > 1. Set ws-security.validate.token property in jaxws:endpoint to false
> > 2. Created a custom authentication class, SoapLoginInterceptor by extending
> >    AbstractPhaseInterceptor<Message>
> > 3. Configured SoapLoginInterceptor in jaxws:inInterceptors
> > 4. In handleMessage(Message message) method of SoapLoginInterceptor I get
> >    the Username and Password which are present in the SOAP message header
> > 5. The password is PasswordDigest so I get the encrypted password in
> >    SoapLoginInterceptor
> >
> >
> > How can I use this encrypted password to compare with the actual password
> > that I get from the persistence store? Please help.
> >
> > Thanks in advance.
> >
> > Regards
> > Paul
>
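The digest computation and the server-side comparison Andrei describes, as an added example that is not part of the original thread nor of CXF/WSS4J (Python rather than Java; the names `DigestVerifier`, `make_token` and the in-memory `store` are assumptions). It goes beyond the thread by also applying the nonce replay cache and the `Created` freshness window that the Username Token Profile recommends, and it makes the top post's point concrete: the verifier needs the plaintext password.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # xsd:dateTime in UTC with fractional seconds

def utc_now(offset_seconds: int = 0) -> datetime:
    return datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as in the Username Token Profile.
    'nonce' is the raw nonce; the message carries it Base64-encoded in <wsse:Nonce>."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime = None) -> dict:
    """Client side: the UsernameToken fields (as a dict rather than XML) for one request."""
    nonce = os.urandom(16)
    created = (now or utc_now()).strftime(CREATED_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class DigestVerifier:
    """Server side: what a password callback/validator has to do for PasswordDigest.
    'store' maps username -> plaintext password (constructed sample data in the test);
    the scheme cannot be checked against a salted hash, which is the top post's concern."""
    def __init__(self, store: dict, ttl_seconds: int = 300):
        self.store = store
        self.ttl = timedelta(seconds=ttl_seconds)
        self.seen_nonces = set()  # replay cache; bound and expire it in a real deployment

    def verify(self, token: dict, now: datetime = None) -> bool:
        now = now or utc_now()
        password = self.store.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.ttl:          # stale or future-dated Created
            return False
        if token["Nonce"] in self.seen_nonces:     # replayed token
            return False
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(token["Nonce"])       # accept each nonce once only
        return True
```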
