Consuming a UsernameToken with PasswordDigest
By default, the web services security UsernameToken consumer, UNTConsumeLoginModule, can only consume tokens with a PasswordType of #PasswordText. With custom code in place, UNTConsumeLoginModule can also consume tokens with a PasswordType of #PasswordDigest.
About this task
The application server has access to the user names in the user registry, but it does not have access to the passwords. To validate a digested password, the application server must compare the digested password in the inbound message with the digest of the known password for the user name in the message. Because the application server cannot retrieve the known password for that user name from the user registry, the default implementation cannot validate a digested password. To use password digest, implement custom code that retrieves the known password. The custom code makes the known password available to the UsernameToken consumer so that the consumer can perform the password validation. The developer of the custom code decides how the password is retrieved; options include hardcoding the password in the custom code, looking it up in a table on the local file system, or looking it up in a database. How the lookup is implemented does not matter, as long as it returns the correct known password for the user name. Whatever the source, note that it holds recoverable (cleartext) passwords, because a digest can only be verified by recomputing it from the original password, so that source must be protected accordingly.
If you want UNTConsumeLoginModule to consume UsernameTokens with a PasswordType of #PasswordDigest, you must provide either a callback handler that returns the known password or a custom JAAS login module that validates the digested password in the token. This task describes how to implement the callback handler. If you want to use a custom JAAS login module instead, see Replacing the authentication method of the UsernameToken consumer using a stacked JAAS login module for instructions.
When you use the callback handler method, the run time receives the known password from the callback handler, digests it, and compares the result with the Password element in the UsernameToken. If they match, the password in the UsernameToken object is replaced with the undigested password, so the user name/password pair can then be used for registry checking by the UNTConsumeLoginModule class, or by the LoginProcessor class if a caller is configured for the UsernameToken.
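The following Java class is an added illustration, not code from the product documentation or from WebSphere itself. It shows the two halves of the flow described above: a callback handler that supplies the known password for the user name in the token, and a verify method that imitates what the run time does with that password. The handler class name, the in-memory password table and the token values are constructed for the example; the example assumes the run time presents the user name through a standard JAAS NameCallback and collects the known password through a PasswordCallback. The digest formula is the one defined by the WS-Security UsernameToken Profile, Base64(SHA-1(nonce bytes + Created + password)), which is why the Nonce and Created values from the token are needed to recompute it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical callback handler (example only): returns the known password
 * for the user name carried in the inbound UsernameToken. Assumes the run
 * time calls handle() with a NameCallback holding the user name and a
 * PasswordCallback to be filled with the known password.
 */
public class KnownPasswordCallbackHandler implements CallbackHandler {

    // Constructed lookup table standing in for a file, database or other
    // store; a real handler would fetch the password from a protected source.
    private static final Map<String, char[]> KNOWN_PASSWORDS = Map.of(
            "alice", "s3cret-pass".toCharArray(),
            "bob", "hunter2".toCharArray());

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        String userName = null;
        PasswordCallback passwordCallback = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                userName = ((NameCallback) cb).getName();
            } else if (cb instanceof PasswordCallback) {
                passwordCallback = (PasswordCallback) cb;
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
        char[] known = (userName == null) ? null : KNOWN_PASSWORDS.get(userName);
        // For an unknown user the password is left unset; validation then fails.
        if (passwordCallback != null && known != null) {
            passwordCallback.setPassword(known);
        }
    }

    /**
     * PasswordDigest as defined by the WS-Security UsernameToken Profile:
     * Base64( SHA-1( nonce-bytes + created + password ) ), where nonce-bytes
     * is the Base64-decoded Nonce element and created/password are UTF-8 text.
     */
    public static String passwordDigest(String nonceBase64, String created, char[] password)
            throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(Base64.getDecoder().decode(nonceBase64));
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /**
     * Imitates the run time's use of the handler (example only): obtain the
     * known password, digest it with the token's Nonce and Created values,
     * and compare it in constant time with the Password element of the token.
     */
    public static boolean verify(CallbackHandler handler, String userName, String nonceBase64,
            String created, String digestFromToken) throws Exception {
        NameCallback nameCb = new NameCallback("user name");
        nameCb.setName(userName);
        PasswordCallback passCb = new PasswordCallback("password", false);
        handler.handle(new Callback[] { nameCb, passCb });
        char[] known = passCb.getPassword();
        if (known == null) {
            return false;
        }
        String expected = passwordDigest(nonceBase64, created, known);
        passCb.clearPassword();
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                digestFromToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed token values, not taken from a real message.
        String nonce = Base64.getEncoder()
                .encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        String created = "2024-01-01T00:00:00Z";
        String digest = passwordDigest(nonce, created, "s3cret-pass".toCharArray());
        CallbackHandler handler = new KnownPasswordCallbackHandler();
        System.out.println("alice, matching digest: " + verify(handler, "alice", nonce, created, digest));
        System.out.println("bob, alice's digest:    " + verify(handler, "bob", nonce, created, digest));
        System.out.println("unknown user carol:     " + verify(handler, "carol", nonce, created, digest));
    }
}
```

In the real deployment the run time, not your code, performs the digest and comparison; only the handle method is yours. Two points the comparison alone does not cover: the Nonce exists so that a captured token cannot simply be replayed, so a consumer should also reject a Nonce it has already seen within the validity window of the Created timestamp, and because the digest is unsalted SHA-1 over a short secret, the known-password source should be treated as holding cleartext credentials.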