> Glen,
>
> On Wed, Apr 7, 2010 at 5:12 PM, Glen Mazza <glen.ma...@gmail.com> wrote:
>
> > Sergey, be careful with your first reason--that of using the CallbackHandlers
> > to *return* passwords, that's an old erroneous design apparently since fixed
> > in WSS4J (https://issues.apache.org/jira/browse/WSS-183) that should not
> > necessarily be used as a reason for doing what you're doing--that process
> > should be taken out of CXF instead when it upgrades to the new WSS4J.
>
> I'm sorry but this does [not] sound convincing. You're kind of indicating that
> what is proposed is not good enough? But you have not said anything about the
> authorization. WSS4J is restricting with respect to digests at the moment but,
> as I said, we're after the authorization here.

All I'm saying is that if you're using the argument of "CXF requires passwords
to be supplied in the CallbackHandlers!" as a reason for doing what you're
doing, that's not valid anymore because that problem is fixed with the new
WSS4J. I'm sure however there are plenty of other good reasons for doing what
you're doing, it's just that that particular one should soon no longer be
relevant.

I was also mentioning this to you in case you were unaware of the problem and
were thinking of a solution which involved the CallbackHandler continuing to
serve its erroneous dual role (https://issues.apache.org/jira/browse/WSS-183,
https://issues.apache.org/jira/browse/CXF-2150) of validating credentials for
password text and providing credentials for password digest for some higher
entity to validate.

> > Actually, I think Metro does what you want--allows the option for
> > container-managed authentication *without* the callbackhandler
> > (http://www.jroller.com/gmazza/entry/metro_usernametoken_profile#MetroUT3).
> > If you can repeat the same with CXF, great!
>
> I really don't follow why you refer to Metro, what has it to do with the use
> of CXF?

It was meant as a sanity check that whatever you are proposing is also being
done by another web service stack. But I misunderstood what you were proposing,
hence what I was saying above is not relevant. You're talking about
authorization, not authentication. Never mind.

Glen

--
View this message in context: http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-tp28165583p28168187.html
Sent from the cxf-dev mailing list archive at Nabble.com.
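The "dual role" Glen refers to, written out as an added example (not code from the thread, from CXF, or from WSS4J): one WSS4J UsernameToken CallbackHandler that is asked to *supply* the password for PasswordDigest tokens but to *validate* the password for PasswordText tokens. The usage constants and the `WSPasswordCallback` accessors are those of the WSS4J 1.5.x API as it stood before WSS-183; the in-memory user map and its two entries are constructed sample data, and `DualRoleUsernameTokenHandler` is a name chosen for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Illustrative UsernameToken CallbackHandler for WSS4J 1.5.x (pre WSS-183).
 * The same handler is invoked for two different jobs depending on the
 * password type of the incoming token, which is the "dual role" the thread
 * objects to:
 *
 *  - PasswordDigest: WSS4J passes usage USERNAME_TOKEN and expects the
 *    handler to *supply* the cleartext password via setPassword(); WSS4J
 *    then recomputes the digest and does the comparison itself.
 *  - PasswordText: WSS4J passes usage USERNAME_TOKEN_UNKNOWN with the
 *    token's cleartext password already filled in, and the handler has to
 *    *validate* it and throw if it is wrong.
 *
 * The user store below is a constructed in-memory map for the example, not a
 * real credential source.
 */
public class DualRoleUsernameTokenHandler implements CallbackHandler {

    // Constructed sample data (assumption for the example only).
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "s3cret");
        USERS.put("bob", "hunter2");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String stored = USERS.get(pc.getIdentifier());

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Digest case: hand the secret back so WSS4J can verify the
                    // digest. Leaving the password null makes WSS4J reject the token,
                    // so an unknown user fails without this code deciding anything.
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText case: the cleartext password from the token is in
                    // pc.getPassword(); here the handler *is* the authenticator and
                    // must throw to reject the request.
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("Authentication failed for " + pc.getIdentifier());
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(cb, "Unexpected usage " + pc.getUsage());
            }
        }
    }

    // Compare without leaking, through timing, how many leading characters matched.
    private static boolean constantTimeEquals(String expected, String supplied) {
        if (supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

The two `case` branches are the whole problem: the authentication decision for PasswordText lives inside a callback whose contract for PasswordDigest is merely "look up a secret", so any container-managed or centralised authentication has to be wired into the `USERNAME_TOKEN_UNKNOWN` branch by hand. Once a WSS4J with WSS-183 is in use, the callback is only ever asked to supply the password and the validation is done by WSS4J itself, which is the reason Glen gives for not building a new design around that branch.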