Reputation: 4380
I'm using WSS4JInInterceptor to try to authenticate my client. I have been able to create a trivial example. However, I have a problem. In my application, I use the supplied user name and password to try to open a connection to the database. If the connection attempt is successful, the user has authenticated, otherwise, the login attempt gets rejected. Using WSS4JInInterceptor I need to implement a callback that returns the user's password. In my security scheme, I have no access to this password. How can I implement something like this?
Should I subclass WSS4JInInterceptor and hack it to provide the password?
Upvotes: 4
Views: 1893
Reputation: 901
Here you go: Below you won't find me using a callback handler, because you won't really need that (not saying you can't do it that way, but this is simpler).
<jaxws:endpoint id="myService" implementor="#myServiceImpl" address="/myService">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <ref bean="myServiceInterceptor"/>
    </jaxws:inInterceptors>
    <jaxws:properties>
        <!-- Custom validator used for incoming UsernameTokens instead of a password callback -->
        <entry key="ws-security.ut.validator" value-ref="myServiceUsernameTokenValidator"/>
    </jaxws:properties>
</jaxws:endpoint>
<!-- Inbound WS-Security interceptor: expects a UsernameToken with a plain-text password -->
<bean id="myServiceInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
        </map>
    </constructor-arg>
</bean>
In my myServiceUsernameTokenValidator, I am directly wiring up UserDetailService, getting the hashed password from the DB, and then simply validating using
stringDigester.matches(passwordText, passwordDigest)
Upvotes: 1
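An added example (not part of the answer above, and not CXF's or the poster's own code): a UsernameToken validator that authenticates the way the question describes, by opening a database connection with the supplied credentials, so no stored password is needed. It assumes WSS4J 2.x package names (`org.apache.wss4j.*`); the class name `DbLoginUsernameTokenValidator` and the `jdbcUrl` property are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;

// Hypothetical validator, registered as the bean behind "ws-security.ut.validator".
public class DbLoginUsernameTokenValidator implements Validator {

    private String jdbcUrl; // assumed property, injected from the Spring context

    public void setJdbcUrl(String jdbcUrl) {
        this.jdbcUrl = jdbcUrl;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        UsernameToken token = credential == null ? null : credential.getUsernametoken();
        if (token == null) {
            throw failed();
        }
        // A PasswordDigest value cannot be used to log in to the database,
        // so only the PasswordText type configured on the interceptor is accepted.
        if (token.isHashed()) {
            throw failed();
        }
        String user = token.getName();
        String password = token.getPassword();
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw failed();
        }
        // The login attempt itself is the credential check; the connection is closed at once.
        try (Connection ignored = DriverManager.getConnection(jdbcUrl, user, password)) {
            return credential;
        } catch (SQLException e) {
            // Same generic fault for every failure, so driver details never reach the client.
            throw failed();
        }
    }

    private static WSSecurityException failed() {
        return new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
}
```

Because `PasswordText` carries the password unencrypted inside the SOAP message, an endpoint using this validator should only be reachable over TLS.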
Reputation: 93968
Can't you authenticate and then retrieve the user's password from the database? If you can request it, you might as well store it in the database. Of course, you then need to secure the password and/or database.
Upvotes: 1