I have a working application that uses webservices using CXF with WS-Trust in JBoss 7.

I have a client, sts, and server. Client wants to make web-service calls to server.

Client provides CallbackHandler, which is called. When called with a WSPasswordCallback.identifier matching the user, I do a setPassword on it.

CXF client code proceeds by contacting the STS.

STS has a CallbackHandler as well. It is called, and when identifier matches the user name, I do a setPassword on it as well.

So far so good.

CXF (or JBoss) then insists on there being defined a security-domain in jboss-web.xml, or else it'll fail.

I configure a security-domain in standalone.xml, and have it use user/role files.

When I declare that user-name and password in it, and (I guess) when I provide a "friend" role (don't know if that's needed), then the whole thing clears and every works.

The problem: I want the application to allow a user to configure a password at runtime, both on the server and client sides.

The call-back handlers on both the client side and on the server side (in the sts), have the opportunity to query a database for the password.

But the password is getting verified TWICE ! Once right after the sts callback, and then it insists on verifying that password a second time with the security-domain specified in standalone.xml.

I don't want that second redundant authorization. Also, how the password is stored is highly proprietary. I don't want to have to write a global authenticaion security domain custom thingy of sorts.

And why should I, the password is already cleared once! Why again, and outside the app? Can't I completely handle authentication inside the application level?