axis-java-user mailing list archives

From Tania Marinova <>
Subject can I hide the plaintext username and password in my soap request with the securith header from javascript
Date Sun, 12 May 2013 16:07:38 GMT
I read that in WSS4J 1.6 the UsernameTokenProcessor in the plaintext case has exactly the same behaviour as in the digest case. The identifier is now WSPasswordCallback.USERNAME_TOKEN and not WSPasswordCallback.USERNAME_TOKEN_UNKNOWN, and the CallbackHandler does not do any authentication, but must set the password on the callback.
I want to ask - as in this case the rampart engine will set the password only if the username
is correct, can I do this:
I store in a database the hashed value of the "bob" username and the salt.
In my class:
• I get the stored password and hash
• I hash pwcb.getIdentifier() with the same hash function
• check if this hashed username is equal to the stored username
if so - I set the password to bobPW
But there is one problem - in the following soap request from
javascript everyone with a simple view source can view the plain text
username and password. Can I change that? What would you recommend me?
    // Hypothetical variable name (the quoted fragment has no assignment); the namespace
    // URIs and the Password Type are empty in the archived message. tranXml is the caller's payload.
    var soapRequest =
        '<?xml version="1.0" encoding="utf-8"?>' +
        '<soapenv:Envelope xmlns:soapenv="" xmlns:nlo="http://nlo">' +
        '<soapenv:Header>' +
        '<wsse:Security xmlns:wsse="" soapenv:mustUnderstand="1">' +
        '<wsse:UsernameToken xmlns:wsu="" wsu:Id="123">' +
        '<wsse:Username>bob</wsse:Username>' +
        '<wsse:Password Type="">bobPW</wsse:Password>' +
        '</wsse:UsernameToken></wsse:Security></soapenv:Header>' +
        '<soapenv:Body><nlo:getdataForChecking>' +
        '<nlo:data>' + tranXml + '</nlo:data>' +
        '</nlo:getdataForChecking></soapenv:Body></soapenv:Envelope>';
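A server-side CallbackHandler that follows the steps described in the post, added here as an example; it is not code from the post, from WSS4J or from Rampart. The class name, the salted SHA-256 hashing, the SALT value and the in-memory map standing in for the database are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical Rampart/WSS4J 1.6 server-side handler (assumed name, not from the post).
public class HashedUsernameCallbackHandler implements CallbackHandler {
    // Constructed stand-in for the poster's database: salted SHA-256 of the
    // username maps to the password the service expects for that user.
    private static final byte[] SALT = "example-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, String> RECORDS = Collections.singletonMap(hexHash("bob"), "bobPW");

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            // In WSS4J 1.6 the plaintext and digest cases both arrive as USERNAME_TOKEN.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb);
            }
            // Hash the identifier and look it up, as in the steps of the post.
            String expected = RECORDS.get(hexHash(pwcb.getIdentifier()));
            if (expected != null) {
                // The handler only supplies the expected password; WSS4J compares it
                // with the token, so the request must still carry the password.
                pwcb.setPassword(expected);
            }
            // Unknown user: password stays unset and WSS4J rejects the token.
        }
    }

    // Salted SHA-256 of a username, hex-encoded (the hash function is an assumption).
    static String hexHash(String username) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            byte[] digest = md.digest(username.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```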