Can anyone explain how WSPasswordCallback.setPassword() works within the 
Password Callback Handler?

My code below is based on the example for validating a digested password. It 
loads a bean called 'cred' with the security information for the given user. It 
then checks the supplied password against the correct password by calling 
pc.setPassword(cred.password), at least that is my understanding of what 
setPassword() does.

My confusion happens when the client sends a clear text password instead of a 
digested one. This code then accepts any password!

I am sure I am missing something basic here. Can anyone explain it to me?

for (int i = 0; i < callbacks.length; i++)
{
    // Get the login info passed to the WS
    if (!(callbacks[i] instanceof WSPasswordCallback))
    {
        throw new UnsupportedCallbackException(callbacks[i],
            "LOGIN ERROR: Unrecognized Callback. Expected type WSPasswordCallback");
    }
    WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

    String wsLogin = pc.getIdentifer();
    String wsPassword = pc.getPassword();
    System.out.println("Web Service Login Values:");
    System.out.println("    wsLogin = " + wsLogin);
    System.out.println("    wsPassword = " + wsPassword);

    // Get the info for this login
    LoginInfo cred;
    try
    {
        cred = loginTool.getLoginInfo(wsLogin);
        if (cred == null)
        {
            throw new IOException("LOGIN ERROR: The login '" + wsLogin
                + "' and password given did not authenticate.");
        }
    }
    catch (SQLException e)
    {
        throw new IOException("LOGIN ERROR: Unable to connect to the security repository. "
            + "Failed with error message: " + e.getMessage());
    }
    System.out.println("Login '" + wsLogin + "' found in security repository for agency '"
        + cred.agency + "'.");

    // Validate the password given
    System.out.println("    Required Password = " + cred.password);
    System.out.println("    Password Before set = " + pc.getPassword());
    // For digested password this computes an encrypted value that must equal the value sent
    pc.setPassword(cred.password);
    System.out.println("    Password After set = " + pc.getPassword());
}



