ws-security Hashed Password using CXF's JAASLoginInterceptor in JBossWS-CXF

Solution Verified

Issue

  • We want to combine a WS-Security UsernameToken with a security domain/JAAS using org.apache.cxf.interceptor.security.JAASLoginInterceptor.
  • The WSDL contains sp:UsernameToken, sp:WssUsernameToken11 and sp:HashPassword. The security domain is set to other in jboss-web.xml.
    ws-security.validate.token is set to false in jaxws-endpoint-config.xml.

  • The problem: the hashed password from the SOAP header is compared against the hashed password from user.properties. When we don't hash the password (remove sp:HashPassword from the WSDL), the user is validated.

  • How can we validate a UsernameToken from the SOAP header with a security domain?
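
Why the comparison described in the issue cannot match, as an added example (not from the original article and not CXF or JBossWS code): with sp:HashPassword the token carries the WSS UsernameToken Profile PasswordDigest, Base64(SHA-1(nonce + created + password)), which changes on every request and can only be checked by recomputing it from the same secret the client used. The user name, realm, password, timestamp and the hex-MD5 stored-hash format are constructed assumptions.

```python
import base64
import hashlib
import hmac


def password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(raw).decode("ascii")


def verify_token(digest_b64: str, nonce_b64: str, created: str, secret: bytes) -> bool:
    """Recompute the digest from the token's own nonce/created and the server-side secret."""
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    return hmac.compare_digest(expected, digest_b64)


def stored_hash(user: str, realm: str, password: str) -> str:
    # Assumed properties-file format, for illustration only:
    # hex MD5 of "user:realm:password".
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed sample values; a real client sends a random nonce per request.
    user, realm, password = "alice", "ApplicationRealm", "s3cret-Pass"
    nonce = bytes(range(16))
    created = "2015-01-01T12:00:00Z"

    # What the client puts in the SOAP header when sp:HashPassword is asserted.
    token_digest = password_digest(nonce, created, password.encode("utf-8"))
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    file_value = stored_hash(user, realm, password)

    return {
        # Comparing the header digest with the stored hash: different
        # algorithms and inputs, so this never matches.
        "direct_compare": hmac.compare_digest(token_digest, file_value),
        # Recomputing with the secret the client actually used succeeds.
        "recomputed_with_cleartext": verify_token(
            token_digest, nonce_b64, created, password.encode("utf-8")),
        # Recomputing with the stored hash as the secret fails, because the
        # client hashed the cleartext password, not the stored value.
        "recomputed_with_stored_hash": verify_token(
            token_digest, nonce_b64, created, file_value.encode("utf-8")),
    }


if __name__ == "__main__":
    print(demo())
```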

Environment

  • Red Hat JBoss Enterprise Application Platform
    • 6.x
  • JBossWS-CXF
