SOAP Web Service Tutorials - Herong's Tutorial Examples - v5.13, by Herong Yang
Validating wsse:Password Digest String
This section provides a tutorial example on how the SOAP message receiver should validate the password digest string in the wsse:Password element using the 'Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )' definition.
Now let's take a look at the SOAP request message generated by SoapUI in the previous tutorial. The full request message listed below was copied from the "Raw" tab on the request screen. Note that extra line breaks have been added for formatting purposes.

<soapenv:Envelope
   xmlns:ser="https://www.herongyang.com/Service/"
   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-wssecurity-utility-1.0.xsd"
   >
<wsse:UsernameToken
   wsu:Id="UsernameToken-0109E51EF61372671214033546017912">
<wsse:Username>herong</wsse:Username>
<wsse:Password
   Type="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
   PfZyE8nQQR2rAsODn7iVGaf8hD8=
</wsse:Password>
<wsse:Nonce
   EncodingType="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-soap-message-security-1.0#Base64Binary">
   0TBQcVnd9H4uGi1jGxqJWg==
</wsse:Nonce>
<wsu:Created>2014-06-21T12:43:21.791Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ser:HelloRequest>Hello</ser:HelloRequest>
</soapenv:Body>
</soapenv:Envelope>

The "wsse:Security" SOAP header element looks good.
The receiver of this request should verify the password digest "PfZyE8nQQR2rAsODn7iVGaf8hD8=" based on the "Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )" definition to authenticate that the sender is "herong":
Note that the password digest has been changed to the correct value of "PfZyE8nQQR2rAsODn7iVGaf8hD8=". The value "SjUQn7b8qSr5x4WOg9YLieSe2to=", included in the previous version of the book, was incorrect. Thanks to Kumar who reported the problem.
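
The receiver-side check implied by the 'Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )' definition, written out in Python as an added example (not code from this tutorial). The nonce is Base64-decoded to raw octets before hashing, as the WS-Security UsernameToken profile specifies. The demo password, the 5-minute freshness window and the in-memory nonce cache are assumptions, since the page does not show the password stored for "herong".

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Nonce, Created and digest copied from the request on this page.
PAGE_NONCE = "0TBQcVnd9H4uGi1jGxqJWg=="
PAGE_CREATED = "2014-06-21T12:43:21.791Z"
PAGE_DIGEST = "PfZyE8nQQR2rAsODn7iVGaf8hD8="
DEMO_PASSWORD = "constructed-demo-password"  # constructed; not herong's password

MAX_AGE = timedelta(minutes=5)  # assumed freshness window
_seen_nonces = set()            # in-memory replay cache, for illustration only


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), nonce as decoded octets."""
    nonce = base64.b64decode(nonce_b64.strip(), validate=True)
    data = nonce + created.strip().encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def validate_token(nonce_b64, created, digest_b64, password, now=None):
    """Check one UsernameToken against the stored password; return (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    try:
        expected = password_digest(nonce_b64, created, password)
        # Timestamp layout as SoapUI wrote it in the request above.
        ts = datetime.strptime(created.strip(), "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:  # also covers binascii.Error from bad Base64
        return False, "malformed"
    received = digest_b64.strip().encode("utf-8")
    if not hmac.compare_digest(expected.encode("ascii"), received):
        return False, "bad digest"  # compared in constant time
    if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_AGE:
        return False, "stale"
    if nonce_b64.strip() in _seen_nonces:
        return False, "replayed"
    _seen_nonces.add(nonce_b64.strip())
    return True, "ok"


if __name__ == "__main__":
    sent = password_digest(PAGE_NONCE, PAGE_CREATED, DEMO_PASSWORD)
    arrival = datetime(2014, 6, 21, 12, 44, tzinfo=timezone.utc)
    print(validate_token(PAGE_NONCE, PAGE_CREATED, sent, DEMO_PASSWORD, arrival))
    print(validate_token(PAGE_NONCE, PAGE_CREATED, sent, DEMO_PASSWORD, arrival))
    print(validate_token(PAGE_NONCE, PAGE_CREATED, PAGE_DIGEST, DEMO_PASSWORD, arrival))
```

To check the digest from the request above, pass the password the receiver has stored for "herong" in place of DEMO_PASSWORD.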