cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glen Mazza <>
Subject Re: Container validation of UsernameToken passwords?
Date Sat, 15 Dec 2012 00:17:24 GMT
OK, I just debugged the Metro source code to determine how they can read the
Tomcat tomcat-users.xml file in order to do validation of UsernameToken

Basically, if no sc:ValidatorConfiguration defined in the service-side WSDL:

Then, the conditional at Metro's
DefaultSecurityEnvironmentImpl.authenticateUser() line #1167 will not be

...and hence the line at 1173 (to check the Tomcat password file) is done
instead, in class DefaultRealmAuthenticationAdapter.authenticate():

As you can see from the above class, Metro can do this for Tomcat and
GlassFish only, not all servlet containers; furthermore it just relies on
system variables to hunt down the location of the tomcat-users.xml and read
usernames and passwords from it.  (For GlassFish, as shown in that same
class, it attempts to load a GlassFish callback handler of some sort,
instead of reading a file.)


View this message in context:
Sent from the cxf-dev mailing list archive at

View raw message