From: "Shah, Sumit (CGI Federal)"
To: "java-user@axis.apache.org"
Subject: Rampart and WSS4J 1.6.x - USERNAME_TOKEN validation in Rampart WS-Password Callback Handler
Date: Tue, 5 Mar 2013 20:48:02 +0000
Message-ID: <3357D2C72D9A0345A66DFB0B043C04166C9B0864@FFX-S-EX-C1.cgifederal.com>

WSS4J 1.6.x deprecated the use of WSPasswordCallback.USERNAME_TOKEN_UNKNOWN (http://coheigea.blogspot.com/2011/02/usernametoken-processing-changes-in.html), which was one of the methods to validate the plain text passwords on the server side (@see Rampart Policy Sample01). Now, because of the deprecation, it does not seem to be possible to validate a plaintext password, especially when the server side callback handler does not have access to the plain text password to validate against the password on the incoming request. It seems like CXF has a way to plug in custom validators for WSS4J 1.6.x to support this model (http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html).

I would appreciate any thoughts from the community. Maybe I am missing something.

Thanks
Sumit

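An added example, not part of the original message and not Rampart, CXF or WSS4J project code: a WSS4J 1.6.x validator of the kind the CXF approach mentioned above plugs in, checking the plaintext password from the request against a stored salted hash so the server never needs the plaintext. The class name, the `StoredCredential` record, the in-memory map and the PBKDF2 parameters are assumptions; registering a validator in Rampart is not covered.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

/** Added example: verifies a plaintext UsernameToken password against a stored PBKDF2 hash. */
public class HashedPasswordValidator extends UsernameTokenValidator {

    /** Hypothetical stored record: per-user salt, iteration count, derived key. */
    public static final class StoredCredential {
        final byte[] salt; final int iterations; final byte[] hash;
        public StoredCredential(byte[] salt, int iterations, byte[] hash) {
            this.salt = salt; this.iterations = iterations; this.hash = hash;
        }
    }

    private final Map<String, StoredCredential> store; // assumption: stand-in for the real user store

    public HashedPasswordValidator(Map<String, StoredCredential> store) { this.store = store; }

    /** Called by UsernameTokenValidator.validate() for PasswordText tokens. */
    @Override
    protected void verifyPlaintextPassword(UsernameToken token, RequestData data)
            throws WSSecurityException {
        StoredCredential cred = store.get(token.getName());
        String presented = token.getPassword();
        // Unknown user and wrong password raise the same fault, so the response does not reveal which.
        if (cred == null || presented == null || !matches(presented, cred)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
    }

    /** Re-derives the key from the presented password and compares it to the stored one. */
    static boolean matches(String presented, StoredCredential cred) throws WSSecurityException {
        try {
            PBEKeySpec spec = new PBEKeySpec(
                    presented.toCharArray(), cred.salt, cred.iterations, cred.hash.length * 8);
            byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(derived, cred.hash); // comparison time independent of content
        } catch (GeneralSecurityException e) {
            throw new WSSecurityException("PBKDF2 derivation failed", e);
        }
    }
}
```

In CXF a validator like this is supplied through the `ws-security.ut.validator` endpoint property.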