Home/ Questions/Q 9322703
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-19T04:09:34+00:00

Due to the ambition to keep the web services as stateless as possible, I’ve

  • 0

Due to the ambition to keep the web services as stateless as possible, I’ve encountered a problem. I recently started to work with Axis2 and have tried to find a viable authentication solution. With authentication, I mean user/password. I am already using SSL in combination with WS-Policy to secure the procedure calls.

However, I found some of the samples bundled with Rampart 1.6.2 to be outdated, especially the policy example named “sample-tomcat” and their WSPasswordCallback handler (found here). WSPasswordCallback.USERNAME_TOKEN_UNKNOWN is deprecated in 1.6 and WSPasswordCallback.getPassword() always return null, even though a password is supplied within the UsernameToken element in the security headers of the message.

So. I’m unsure where to proceed to get a username/password check for every message. I am looking at these two options:

  1. Writing a module with a handler that performs username/password authentication.

  2. Giving up statelessness and writing a login-service returning tokens needed by all other services.

Are there other options?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Actually, according to WSS4J developer Colm O Heigeartaigh, it was more strange before the change to work with validator interfaces, see his first, his second and his third blog posts about the new validator design in WSS4J 1.6.

    The WSPasswordCallback shouldn’t handle authentication, it is thought of as bad design and against separation of concerns, and therefor they (WSS4J developers) rewrote this part of WSS4J.

    However, as far as I know, Rampart dev team haven’t yet implemented a way for developers to apply custom validators, nor is there a way to apply WSS4J validators such as the NoOpValidator – even though it’s available in WSS4J. There is an issue registered in their (Rampart’s) project JIRA (read it here), but it has a low priority and as of the moment this is being written; that issue is not included in the next minor (1.6.3) or major (1.7.0) release.

    So, you will have to do either of following three things, in order of my own preference:

    • Use transport layer based authentication ,I would recommend auth headers with HTTPS transport.
    • Downgrade Axis2 and Rampart to 1.5.x, which is still maintained (critical bug fixes).
    • Edit source of wss4j and compile a new jar.
    • Write a module for Axis2 that solves this.

    If there are additional solutions/workarounds, please feel free to comment/correct me.

    • 0