SOAP Web Service Tutorials - Herong's Tutorial Examples - v5.13, by Herong Yang
What Is WS-Security Username Token Profile
This section describes the WS-Security Username Token Profile standard, which describes the profile (specific mechanisms and procedures) on how a username and password can be passed and how replay attacks are prevented.
What Is "WS-Security Username Token Profile"?
WS-Security Username Token Profile is an OASIS specification that describes the profile (specific mechanisms and procedures) on how the "UsernameToken" element defined in the WS-Security standard can be used as a means of identifying the sender by "username", and optionally using a password (or shared secret, or password equivalent) to authenticate that identity to the SOAP message receiver.
Here are 2 options specified in WS-Security Username Token Profile 1.1.1:
"#PasswordText" Option - This is the default option, in which the password is passed as clear text. This is acceptable only if the SOAP message is sent over a secure communication channel like HTTPS. Here is an example:
<soap:Envelope xmlns:soap="..." xmlns:wsse="...">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>herong</wsse:Username>
        <wsse:Password>IloveDogs</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  ...
</soap:Envelope>
"#PasswordDigest" Option - This is a more complex option, in which the password is passed as a hash digest together with "Nonce" and "Created" elements, to hide the original password and to prevent replay attacks:
<soap:Envelope xmlns:soap="..." xmlns:wsse="..." xmlns:wsu="...">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>NNK</wsse:Username>
        <wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
        <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
        <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
</soap:Envelope>
Notes on option 2:
The "#PasswordDigest" algorithm is defined by the following formula:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
The receiver of a SOAP message carrying a "#PasswordDigest" UsernameToken should perform the validations listed below:
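As an added example (not code from the original tutorial), the following Python shows both sides of the "#PasswordDigest" option: the sender computes Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, and the receiver recomputes the digest, checks that "Created" falls inside a freshness window and rejects any nonce it has already accepted. The password lookup table, the 16-byte nonce size and the 5-minute window are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format used in the example above

def parse_created(text):
    """Parse a wsu:Created timestamp (UTC, second precision) into an aware datetime."""
    return datetime.strptime(text, CREATED_FMT).replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    The nonce travels Base64-encoded; the hash covers its decoded bytes."""
    data = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_username_token(username, password, now=None):
    """Sender side: build the four UsernameToken fields for the #PasswordDigest option."""
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")  # assumed size
    created = now.strftime(CREATED_FMT)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}

class DigestValidator:
    """Receiver side: recompute the digest and reject stale or replayed tokens."""
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords    # username -> password (constructed lookup table)
        self.freshness = freshness    # allowed clock skew / token age (assumed window)
        self.seen_nonces = set()      # accepted nonces; prune entries older than freshness in practice

    def validate(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        nonce = token.get("Nonce")
        if password is None or not nonce or nonce in self.seen_nonces:
            return False                                   # unknown user or replayed nonce
        try:
            created = parse_created(token["Created"])
            expected = password_digest(nonce, token["Created"], password)
        except (KeyError, ValueError, binascii.Error):
            return False                                   # malformed Created or Nonce
        if abs(now - created) > self.freshness:
            return False                                   # stale or future-dated token
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False                                   # wrong password or tampered fields
        self.seen_nonces.add(nonce)
        return True
```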
For more information, see the full specification at http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf