cxf-dev mailing list archives

From Glen Mazza <>
Subject Re: Using WS-Security UsernameToken to authenticate users and populate SecurityContexts
Date Wed, 07 Apr 2010 17:25:46 GMT


On Wed, Apr 7, 2010 at 5:12 PM, Glen Mazza <> wrote:

> Sergey, be careful with your first reason--that of using the
> CallbackHandlers
> to *return* passwords, that's an old erroneous design apparently since
> fixed
> in WSS4J ( that should not
> necessarily be used as a reason for doing what you're doing--that process
> should be taken out of CXF instead when it upgrades to the new WSS4J.

> I'm sorry but this does [not] sound convincing. You're kind of indicating
> what is proposed is not good enough? But you have not said anything about
> the authorization.
> WSS4J is restricting with respect to digests at the moment but as I said,
> we're after the authorization here.

All I'm saying is that if you're using the argument of "CXF requires
passwords to be supplied in the CallbackHandlers!" as a reason for doing
what you're doing, that's not valid anymore because that problem is fixed
with the new WSS4J.  I'm sure however there are plenty of other good reasons
for doing what you're doing, it's just that that particular one should soon
no longer be relevant.  I was also mentioning this to you in case you were
unaware of the problem and were thinking of a solution which involved the
CallbackHandler continuing to serve its erroneous dual role
(, of validating credentials
for password text and providing credentials for password digest for some
higher entity to validate.

> Actually, I think Metro does what you want--allows the option for
> container-managed authentication *without* the callbackhandler
> (
> ).
> If you can repeat the same with CXF, great!

> I really don't follow why you refer to Metro; what has it to do with the use
> of CXF?

It was meant as a sanity check that whatever you are proposing is also being
done by another web service stack.  But I misunderstood what you were
proposing, hence what I was saying above is not relevant.  You're talking
about authorization, not authentication.  Never mind.
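The "dual role" of the CallbackHandler that the message above refers to is easier to see in code. The following is an added illustration, not code from this thread or from CXF/WSS4J itself. It assumes the WSS4J 1.5-era `WSPasswordCallback` API (usage constants `USERNAME_TOKEN_UNKNOWN` for PasswordText and `USERNAME_TOKEN` for PasswordDigest) and a constructed in-memory credential map standing in for a real user store; the class name and the map are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example (not from the thread): a WSS4J 1.5-style CallbackHandler for
 * UsernameToken that shows the two different jobs the same handler is asked to do.
 */
public class DualRolePasswordCallbackHandler implements CallbackHandler {

    // Constructed sample store (assumption): username -> cleartext password.
    // A real deployment would consult a directory or database instead.
    private final Map<String, String> cleartextPasswords;

    public DualRolePasswordCallbackHandler(Map<String, String> cleartextPasswords) {
        this.cleartextPasswords = cleartextPasswords;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = cleartextPasswords.get(pc.getIdentifier());

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Role 1 (PasswordText): WSS4J hands the handler the password the client
                    // sent, and the handler is the one that has to validate it. Returning
                    // normally without altering the password means "accepted".
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("authentication failed for " + pc.getIdentifier());
                    }
                    break;

                case WSPasswordCallback.USERNAME_TOKEN:
                    // Role 2 (PasswordDigest): WSS4J supplies only the username and expects the
                    // handler to hand back the cleartext password so that WSS4J itself can
                    // recompute the digest and compare. The handler validates nothing here.
                    if (stored == null) {
                        throw new IOException("unknown user " + pc.getIdentifier());
                    }
                    pc.setPassword(stored);
                    break;

                default:
                    throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }

    // Compare without short-circuiting on the first mismatching byte.
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        byte[] x = a.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] y = b.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        int diff = x.length ^ y.length;
        for (int i = 0; i < Math.min(x.length, y.length); i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

The practical consequence of the second branch is the one worth noticing: to verify a PasswordDigest token the server must be able to produce the cleartext password, which rules out storing only a one-way hash of it. That is the design problem the message describes as having been fixed in the newer WSS4J by moving validation out of the CallbackHandler into a separate validator.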

