<>Scenario:
网上服务生产商只拥有储存在数据库中的密码SHA-1。 我们需要使用用户名称/密码组合认证网络服务用户。
<>Web Services Securityuser 让我们能够为此目的增加肥皂头盔:
The element is introduced in the WSS: SOAP Message Security documents as a way of providing a username.
Within element, a element may be specified. Passwords of type PasswordText and PasswordDigest are not limited to actual passwords, although this is a common case. (146-151)
密码密码的类型意味着,如果我们不使用运输级安全机制,密码作为便捷文本放在电线上。 密码最能避免发送简单案文密码,并发送散页。 但是,为了避免再次攻击(即使用电线攻击者,以抓住破旧的密码,并根据另一项要求加以修改),“密码”在计算该散装之前添加了一个时间长度和随机编号。 这一增加导致以下限制:
Note that PasswordDigest can only be used if the plain text password (or password equivalent) is available to both the requestor and the recipient. (196-197)
But in our case we do not have plain text password. My question is: what alternates do we have other that to make plain text passwords available on the server?