Hi, First off, I'm pretty new to all of this. I'm using ServiceMix 3.3.2.
I wanted to secure the cxf-wsdl-first example using WS-Sec and only a plaintext UsernameToken. I added a policy to the wsdl file, which you can fine here: http://old.nabble.com/file/p28700520/person.wsdl person.wsdl . I didn't really change anything else. My understanding was that the cxf-bc would just use JAAS out-of-the-box to authenticate a user. I guess I was wrong. I got an exception about the WSS4JInInterceptor's getPasswordCB containing a null reference. Looking throughout the web, I see that people explicitly add the WSS4JInInterceptor, with references their own password callbacks, which in turn also does some kind of password check. I'm confused, because now it looks to me like both WSS4J and JAAS are doing authentication. Is that correct? If so, why? I would like for there to only be one source for user info. Thanks, -- View this message in context: http://old.nabble.com/CXF-BC-WS-Sec-Auth-tp28700520p28700520.html Sent from the ServiceMix - User mailing list archive at Nabble.com.
