A SOAP-based WS-Security UsernameToken request carries the password in one of two forms:
Password in clear text
Password in digest form
WS-Security UsernameToken with clear-text password
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-33">
    <wsse:Username>testuser</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
WS-Security UsernameToken with password digest
The password is sent in digest form rather than in clear text.
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-34">
    <wsse:Username>testuser</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">9Vy8Z0iXpass+NvXQ=</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">81GQNZ9f/3NWKyCo9n0I9w==</wsse:Nonce>
    <wsu:Created>2017-05-23T12:49:29.006Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>
The digest form of the token carries four fields:
Username
Password (the digest)
Nonce
Creation timestamp (wsu:Created)
The password digest is computed from the nonce, the creation timestamp and the password.
The nonce is a randomly generated value, new for each request.
Password_Digest = Base64( SHA-1( nonce + created + password ) )
Example: nonce 123456782017, created 2017-05-23T12:49:29.006Z.
Concatenate nonce + created + password, apply SHA-1 to the concatenated value, then Base64-encode the hash; the result is the password digest.
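The digest computation above, together with the server-side check a relying party needs (Created freshness and a nonce replay cache, which the digest by itself does not provide), as an added Python example that is not part of the original post. The user store is a constructed stand-in, and the nonce is hashed as raw bytes while travelling Base64-encoded on the wire, as in the token shown above.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # wsu:Created layout, e.g. 2017-05-23T12:49:29.006Z


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created timestamp as UTC; raises ValueError if malformed."""
    return datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).
    The nonce is hashed as raw bytes; on the wire it travels Base64-encoded."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, nonce=None, created=None) -> dict:
    """Client side: the four UsernameToken fields; random nonce and current UTC time by default."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)[:-4] + "Z"
    return {"Username": username, "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created}


class DigestVerifier:
    """Server side: recompute the digest from the stored password and reject stale
    Created values and reused nonces; the digest alone prevents neither replay."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords   # username -> password (constructed store, not a real backend)
        self.freshness = freshness
        self.seen = {}               # Base64 nonce -> Created, for replay detection

    def verify(self, token: dict, now: datetime) -> bool:
        try:
            created = parse_created(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False             # malformed or incomplete token
        # Nonces older than the window cannot be replayed anyway, so forget them.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.freshness}
        password = self.passwords.get(token.get("Username"))
        if password is None or abs(now - created) > self.freshness or token["Nonce"] in self.seen:
            return False             # unknown user, stale Created, or replayed nonce
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False             # wrong password or tampered Username/Nonce/Created
        self.seen[token["Nonce"]] = created
        return True
```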