I have a working application that uses webservices using CXF with WS-Trust in JBoss 7.
I have a client, sts, and server. Client wants to make web-service calls to server.
Client provides CallbackHandler, which is called. When called with a WSPasswordCallback.identifier matching the user, I do a setPassword on it.
CXF client code proceeds by contacting the STS.
STS has a CallbackHandler as well. It is called, and when identifier matches the user name, I do a setPassword on it as well.
So far so good.
CXF (or JBoss) then insists on there being defined a security-domain in jboss-web.xml, or else it'll fail.
I configure a security-domain in standalone.xml, and have it use user/role files.
When I declare that user-name and password in it, and (I guess) when I provide a "friend" role (don't know if that's needed), then the whole thing clears and every works.
The problem: I want the application to allow a user to configure a password at runtime, both on the server and client sides.
The call-back handlers on both the client side and on the server side (in the sts), have the opportunity to query a database for the password.
But the password is getting verified TWICE ! Once right after the sts callback, and then it insists on verifying that password a second time with the security-domain specified in standalone.xml.
I don't want that second redundant authorization. Also, how the password is stored is highly proprietary. I don't want to have to write a global authenticaion security domain custom thingy of sorts.
And why should I, the password is already cleared once! Why again, and outside the app? Can't I completely handle authentication inside the application level?