Validating wsse:Password Digest String

This section provides a tutorial example on how the SOAP message receiver should validate the password digest string in the wsse:Password element using the 'Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )' definition.

Now let's take a look at the SOAP request message generated by SoapUI in the previous tutorial. The full request message listed below was copied from the "Raw" tab on the request screen. Note that extra line breaks have been added for formatting purposes.

<soapenv:Envelope xmlns:ser="http://www.herongyang.com/Service/"
   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security 
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01
   /oasis-200401-wss-wssecurity-secext-1.0.xsd" 
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01
   /oasis-200401-wss-wssecurity-utility-1.0.xsd"
   >
<wsse:UsernameToken 
   wsu:Id="UsernameToken-0109E51EF61372671214033546017912">
<wsse:Username>herong</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01
   /oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
   PfZyE8nQQR2rAsODn7iVGaf8hD8=
   </wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01
   /oasis-200401-wss-soap-message-security-1.0#Base64Binary">
   0TBQcVnd9H4uGi1jGxqJWg==
   </wsse:Nonce>
<wsu:Created>2014-06-21T12:43:21.791Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ser:HelloRequest>Hello</ser:HelloRequest>
</soapenv:Body>
</soapenv:Envelope>

The "wsse:Security" SOAP header element looks good.

The receiver of this request should verify the password digest "PfZyE8nQQR2rAsODn7iVGaf8hD8=" based on the "Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )" definition to authenticate that the sender is "herong":

Note that the password digest has been changed to the correct value of "PfZyE8nQQR2rAsODn7iVGaf8hD8=". The value "SjUQn7b8qSr5x4WOg9YLieSe2to=", included in the previous version of the book, was incorrect. Thanks to Kumar who reported the problem.
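
The receiver-side check described above, as an added Python example that is not code from the book: it recomputes the digest from the Base64-decoded nonce bytes, the Created string and the receiver's stored password, compares it in constant time, and applies the timestamp freshness and nonce cache checks that the Username Token Profile recommends. The password, the five-minute window and the in-memory nonce set are assumptions made for the example; the nonce and Created values are taken from the message above.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for wsu:Created
seen_nonces = set()             # assumed in-memory replay cache

# Nonce and Created come from the message above, whitespace included;
# the password is constructed for this example and is not the book's.
SAMPLE_NONCE = "\n   0TBQcVnd9H4uGi1jGxqJWg==\n   "
SAMPLE_CREATED = "2014-06-21T12:43:21.791Z"
SAMPLE_PASSWORD = "constructed-example-password"


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)) over the decoded nonce bytes."""
    nonce = base64.b64decode(nonce_b64.strip(), validate=True)
    data = nonce + created.strip().encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def validate_token(digest_b64, nonce_b64, created, password, now):
    """Return (accepted, reason) for one UsernameToken."""
    digest_b64, nonce_b64, created = digest_b64.strip(), nonce_b64.strip(), created.strip()
    try:
        # Assumes the millisecond UTC form shown in the message above.
        stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
        expected = password_digest(nonce_b64, created, password)
    except ValueError:  # bad timestamp or bad Base64 (binascii.Error)
        return False, "malformed"
    if abs(now - stamp.replace(tzinfo=timezone.utc)) > MAX_AGE:
        return False, "stale"
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
        return False, "mismatch"
    if nonce_b64 in seen_nonces:  # same token presented twice
        return False, "replay"
    seen_nonces.add(nonce_b64)
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2014, 6, 21, 12, 44, 0, tzinfo=timezone.utc)  # constructed clock
    sent = password_digest(SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_PASSWORD)
    print(validate_token(sent, SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_PASSWORD, now))
    print(validate_token(sent, SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_PASSWORD, now))
```

Because the digest is computed over the password itself, the receiver needs the same password value the sender used, not a one-way hash of it.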

Last update: 2015.
