Example of SOAP request authenticated with WS-UsernameToken

Question

I m trying to authenticate a SOAP request using WS-UsernameToken spec  but the target device is always denying access  My non-working request looks like this   The password I m trying to hash is system     lt  xml version  1 0  encoding  UTF-8   gt   lt Envelope xmlns  http   www w3 org 2003 05 soap-envelope  gt    lt Header gt     lt Security xmlns  http   docs oasis-open org wss 2004 01 oasis-200401-wss-wssecurity-secext-1 0 xsd  gt       lt UsernameToken gt         lt Username gt root lt  Username gt         lt Password Type  http   docs oasis-open org wss 2004 01 oasis-200401-wss-username-token-profile-1 0 PasswordDigest  gt EVpXS 7yc vDo ZyIg cc0fWdMA  lt  Password gt         lt Nonce gt tKUH8ab3Rokm4t6IAlgcdg9yaEw  lt  Nonce gt         lt Created xmlns  http   docs oasis-open org wss 2004 01 oasis-200401-wss-wssecurity-utility-1 0 xsd  gt 2010-08-10T10 52 42Z lt  Created gt       lt  UsernameToken gt     lt  Security gt    lt  Header gt     lt Body gt       lt SomeRequest xmlns  http   example ns com foo bar    gt     lt  Body gt   lt  Envelope gt    What I m looking for is a similar request example  but with authentication token that actually works  For example if you have gSOAP application that uses these token  and can generate a request and post the result here  I d be very grateful

User · Answer

Check this one  Password should be password     lt wsse UsernameToken xmlns wsu  http   docs oasis-open org wss 2004 01 oasis-200401-wss-wssecurity-utility-1 0 xsd  wsu Id  SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96  gt     lt wsse Username gt user lt  wsse Username gt     lt wsse Password Type  http   docs oasis-open org wss 2004 01 oasis-200401-wss-username-token-profile-1 0 PasswordDigest  gt CBb7a2itQDgxVkqYnFtggUxtuqk  lt  wsse Password gt     lt wsse Nonce gt 5ABcqPZWb6ImI2E6tob8MQ   lt  wsse Nonce gt     lt wsu Created gt 2010-06-08T07 26 50Z lt  wsu Created gt   lt  wsse UsernameToken gt

User · Answer

The core thing is to define prefixes for namespaces and use them to fortify each and every tag - you are mixing 3 namespaces and that just doesn t fly by trying to hack defaults  It s also good to use exactly the prefixes used in the standard doc - just in case that the other side get a little sloppy   Last but not least  it s much better to use default types for fields whenever you can - so for password you have to list the type  for the Nonce it s already Base64   Make sure that you check that the generated token is correct before you send it via XML and don t forget that the content of wsse Password is Base64  SHA-1  nonce   created   password    and date-time in wsu Created can easily mess you up  So once you fix prefixes and namespaces and verify that yout SHA-1 work fine without XML  just imagine you are validating the request and do the server side of SHA-1 calculation  you can also do a truial wihtout Created and even without Nonce  Oh and Nonce can have different encodings so if you really want to force another encoding you ll have to look further into wsu namespace     lt S11 Envelope xmlns S11       xmlns wsse       xmlns wsu        gt     lt S11 Header gt             lt wsse Security gt         lt wsse UsernameToken gt           lt wsse Username gt NNK lt  wsse Username gt           lt wsse Password Type      PasswordDigest  gt weYI3nXd8LjMNVksCKFV8t3rgHh3Rw   lt  wsse Password gt           lt wsse Nonce gt WScqanjCEAC4mQoBE07sAQ   lt  wsse Nonce gt           lt wsu Created gt 2003-07-16T01 24 32 lt  wsu Created gt         lt  wsse UsernameToken gt       lt  wsse Security gt           lt  S11 Header gt       lt  S11 Envelope gt

User · Answer

May be this post  Secure Metro JAX-WS UsernameToken Web Service with Signature  Encryption and TLS  SSL   provides more insight  As they mentioned  Remember  unless password text or digested password is sent on a secured channel or the token is encrypted  neither password digest nor cleartext password offers no real additional security

User · Answer

The Hash Password Support and Token Assertion Parameters in Metro 1 2 explains very nicely what a  UsernameToken with Digest Password looks like      Digest Password Support      The WSS 1 1 Username Token   Profile allows digest passwords to   be sent in a wsse UsernameToken of a   SOAP message  Two more optional   elements are included in the   wsse UsernameToken in this case    wsse Nonce and wsse Created  A   nonce is a random value that the   sender creates to include in each   UsernameToken that it sends  A   creation time is added to combine   nonces to a  freshness  time period    The Password Digest in this case is   calculated as   Password Digest   Base64   SHA-1   nonce   created   password           This is how a UsernameToken with   Digest Password looks like    lt wsse UsernameToken wsu Id  uuid faf0159a-6b13-4139-a6da-cb7b4100c10c  gt      lt wsse Username gt Alice lt  wsse Username gt      lt wsse Password Type  http   docs oasis-open org wss 2004 01 oasis-200401-wss-username-token-profile-1 0 PasswordDigest  gt 6S3P2EWNP3lQf 9VC3emNoT57oQ  lt  wsse Password gt      lt wsse Nonce EncodingType  http   docs oasis-open org wss 2004 01 oasis-200401-wss-soap-message-security-1 0 Base64Binary  gt YF6j8V CAqi 1nRsGLRbuZhi lt  wsse Nonce gt      lt wsu Created gt 2008-04-28T10 02 11Z lt  wsu Created gt   lt  wsse UsernameToken gt

[web-services] Example of SOAP request authenticated with WS-UsernameToken

Examples related to web-services

Examples related to soap

Examples related to ws-security

Examples related to digest

Examples related to usernametoken