cxf-users mailing list archives

From Mark2008 <mhuan...@gmail.com>
Subject Re: WS-Security [UserNameToken] against encrypted database password
Date Sat, 29 Nov 2008 02:38:26 GMT
Mark2008 wrote:
> 
> I am integrating the WS-Security UserNameToken approach to our existing
> application. The existing application stores the password in one-way
> hashing format with the following code snippet (plaintext is the plain
> password text and we use https)
> 
> ------------------------------------------------------
> import java.security.MessageDigest;
> import sun.misc.BASE64Encoder;
> 
> // One-way hash: Base64(SHA-1(plaintext)) truncated to its first 19 characters
> MessageDigest md = MessageDigest.getInstance("SHA");  // "SHA" is the JCA alias for SHA-1
> md.update(plaintext.getBytes("UTF-8"));
> byte[] raw = md.digest();
> String hash = (new BASE64Encoder()).encode(raw);
> String newPassword = hash.substring(0, 19);  // only the truncated hash is stored
> ------------------------------------------------------
> 
> I tried both PasswordDigest and PasswordText, but the security token cannot
> be authenticated.
> WSSecurityException: The security token could not be authenticated or
> authorized at
> org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:129)
> 
> How do I specify the encrypt/hash algorithm? Or should I hash the
> INPUT password using the above code first and then set the database's hashed
> password via WSPasswordCallback.setPassword, or just bypass
> WSPasswordCallback.handleUserNameToken by comparing the two
> programmatically?
> 
> Any idea? What's the best practice?
> 
> Thanks,
> 
> Mark
> 
> 

-- 
View this message in context: http://www.nabble.com/WS-Security--UserNameToken--against-encrypted-database-password-tp20737774p20743275.html
Sent from the cxf-user mailing list archive at Nabble.com.
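The two verification paths the question asks about, as an added example (not code from the original post or from CXF/WSS4J): the application's truncated SHA-1 store, a PasswordText check that hashes the received password and compares, and the UsernameToken PasswordDigest, which the server can only recompute from the secret it actually holds. The nonce and created timestamp are constructed values, and the methods stand in for what a WSPasswordCallback handler would do; the WSS4J callback plumbing itself is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Verifies UsernameToken passwords against a store of truncated Base64(SHA-1) hashes. */
public final class UsernameTokenVerifier {

    /** The application's existing one-way hash: Base64(SHA-1(password)) cut to 19 characters. */
    static String storedHash(String plaintext) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");   // same algorithm the post calls "SHA"
        byte[] raw = md.digest(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw).substring(0, 19);
    }

    /** PasswordText (sent in clear, protected only by HTTPS): hash what arrived, compare in constant time. */
    static boolean verifyPasswordText(String sentPassword, String storedHash) throws NoSuchAlgorithmException {
        byte[] computed = storedHash(sentPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(computed, storedHash.getBytes(StandardCharsets.UTF_8));
    }

    /** WS-Security UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password)). */
    static String passwordDigest(byte[] nonce, String created, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(nonce);
        md.update(created.getBytes(StandardCharsets.UTF_8));
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(md.digest());
    }

    /** PasswordDigest: the server recomputes the digest from the only secret it has, the stored hash. */
    static boolean verifyPasswordDigest(String sentDigest, byte[] nonce, String created, String storedHash)
            throws NoSuchAlgorithmException {
        byte[] expected = passwordDigest(nonce, created, storedHash).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, sentDigest.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String stored = storedHash("s3cret");                          // what the database row holds
        byte[] nonce = "constructed-nonce".getBytes(StandardCharsets.UTF_8);  // constructed sample values
        String created = "2008-11-29T02:38:26Z";
        System.out.println("PasswordText, raw password sent: " + verifyPasswordText("s3cret", stored));
        // A client that digests the raw password fails: the server never sees "s3cret" to recompute it.
        System.out.println("PasswordDigest over raw password: "
                + verifyPasswordDigest(passwordDigest(nonce, created, "s3cret"), nonce, created, stored));
        // A client that applies storedHash() first and digests that value is what the server can verify.
        System.out.println("PasswordDigest over stored hash:  "
                + verifyPasswordDigest(passwordDigest(nonce, created, stored), nonce, created, stored));
    }
}
```

The practical consequence is that PasswordDigest only works with a hashed store if both sides agree that the 19-character hash is "the password"; with PasswordText over HTTPS the server can hash and compare on its own.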

