posted 18 years ago
You may have figured it out by now, but in case you're using something like WSS4J, instead of using
<parameter name="passwordType" value="PasswordText"/>
you would use
<parameter name="passwordType" value="PasswordDigest"/>
while in your server-side PasswordCallback, you need to set the password that you're expecting for the user, instead of getting it. That's because a digested password can't be undigested into cleartext, but the expected password needs to be digested as well.
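To illustrate why the callback has to supply the expected password, here is an added example (not code from the post or from WSS4J) of the check a server performs for PasswordDigest, using the UsernameToken Profile formula Base64(SHA-1(nonce + created + password)) and only JDK classes. The class name, the in-memory user store and all sample values are constructed for illustration; in WSS4J the library performs this comparison itself once the callback has set the password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class PasswordDigestDemo {
    // Constructed user store (assumption): the server needs the cleartext
    // password, because it cannot recover it from the received digest.
    static final Map<String, String> EXPECTED = Map.of("alice", "constructed-password");

    // UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Server side: digest the expected password with the nonce and timestamp
    // taken from the received token, then compare the two digests.
    static boolean verify(String user, String nonceB64, String created, String received)
            throws Exception {
        String expected = EXPECTED.get(user);
        if (expected == null) {
            return false; // unknown user: nothing to digest against
        }
        byte[] nonce = Base64.getDecoder().decode(nonceB64);
        byte[] want = digest(nonce, created, expected).getBytes(StandardCharsets.US_ASCII);
        byte[] got = received.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(want, got); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Client side: build the token fields (constructed sample values).
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String nonceB64 = Base64.getEncoder().encodeToString(nonce);
        String created = "2024-01-01T00:00:00Z";
        String sent = digest(nonce, created, "constructed-password");

        System.out.println("correct password accepted: " + verify("alice", nonceB64, created, sent));
        String wrong = digest(nonce, created, "wrong-password");
        System.out.println("wrong password accepted:   " + verify("alice", nonceB64, created, wrong));
    }
}
```

The digest only proves knowledge of the password for that nonce and timestamp, so a real deployment also has to reject reused nonces and stale `created` values and still needs transport or message protection.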