ws security username password


SOAP based WS Security User name password  request is two types

Password in clear text
Password in digest form

ws security username password clear text

Username and password are sent in clear text form.

 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:UsernameToken wsu:Id="UsernameToken-33"><wsse:Username>testuser</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
   </wsse:UsernameToken>
   </wsse:Security>


ws security username password digest

Password is sent in digest form.
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-34">
   <wsse:Username>testuser</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">9Vy8Z0iXpass+NvXQ=</wsse:Password>
   <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">81GQNZ9f/3NWKyCo9n0I9w==</wsse:Nonce>
   <wsu:Created>2017-05-23T12:49:29.006Z</wsu:Created>
   </wsse:UsernameToken>
   </wsse:Security>


Password digest contains four fields.
UserName 
Password
Nonce
Creation Time Stamp.

Password Digest is calculated using combination of Password, Nonce value and TimeStamp.

Nonce is random generated number.


Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

Example nonce 123456782017
timestamp  2017-05-23T12:49:29.006Z
password dummy

Then 
Append 1234567820172017-05-23T12:49:29.006Zdummy
Apply sha1 on appended value
then base64 will give Password Digest.