ws-security Hashed Password using CXF's JAASLoginInterceptor in JBossWS-CXF

Solution Verified - Updated -

Issue

  • We want to combine ws-security-UsernameToken with a securitydomain/JAAS with org.apache.cxf.interceptor.security.JAASLoginInterceptor.

  • The wsdl contains sp:UsernameToken sp:WssUsernameToken11 sp:HashPassword. Securitydomain is set in the jboss-web.xml to other.
    ws-security.validate.token is set to false in jaxws-endpoint-config.xml.

  • The problem: the hashed password from the soapheader is used to compare against the hashed-password from user.properties. When we don't hash the password (remove sp:HashPassword from the wsdl), the user is validated.

  • How can we validate a UsernameToken from the soapheader with a securitydomain ?

Environment

  • Red Hat JBoss Enterprise Application Platform
    • 6.x
  • JBossWS-CXF

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content