SyntaxFix

[web-services] Example of SOAP request authenticated with WS-UsernameToken

I'm trying to authenticate a SOAP request using WS-UsernameToken spec, but the target device is always denying access. My non-working request looks like this. (The password I'm trying to hash is system.)

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
 <Header>
  <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <UsernameToken>
      <Username>root</Username>
      <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">EVpXS/7yc/vDo+ZyIg+cc0fWdMA=</Password>
      <Nonce>tKUH8ab3Rokm4t6IAlgcdg9yaEw=</Nonce>
      <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-08-10T10:52:42Z</Created>
    </UsernameToken>
  </Security>
 </Header>
  <Body>
    <SomeRequest xmlns="http://example.ns.com/foo/bar" />
  </Body>
</Envelope>

What I'm looking for is a similar request example, but with authentication token that actually works. For example if you have gSOAP application that uses these token, and can generate a request and post the result here, I'd be very grateful.

This question is related to web-services soap ws-security digest usernametoken

The answer is

The core thing is to define prefixes for namespaces and use them to fortify each and every tag - you are mixing 3 namespaces and that just doesn't fly by trying to hack defaults. It's also good to use exactly the prefixes used in the standard doc - just in case that the other side get a little sloppy.

Last but not least, it's much better to use default types for fields whenever you can - so for password you have to list the type, for the Nonce it's already Base64.

Make sure that you check that the generated token is correct before you send it via XML and don't forget that the content of wsse:Password is Base64( SHA-1 (nonce + created + password) ) and date-time in wsu:Created can easily mess you up. So once you fix prefixes and namespaces and verify that yout SHA-1 work fine without XML (just imagine you are validating the request and do the server side of SHA-1 calculation) you can also do a truial wihtout Created and even without Nonce. Oh and Nonce can have different encodings so if you really want to force another encoding you'll have to look further into wsu namespace. 

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu= "...">
  <S11:Header>
  ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>NNK</wsse:Username>
        <wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
        <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
        <wsu:Created>2003-07-16T01:24:32</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  ...
  </S11:Header>
...
</S11:Envelope>

Check this one (Password should be password):

<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
  <wsse:Username>user</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CBb7a2itQDgxVkqYnFtggUxtuqk=</wsse:Password>
  <wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
  <wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
</wsse:UsernameToken>

The Hash Password Support and Token Assertion Parameters in Metro 1.2 explains very nicely what a UsernameToken with Digest Password looks like:

Digest Password Support

The WSS 1.1 Username Token Profile allows digest passwords to be sent in a wsse:UsernameToken of a SOAP message. Two more optional elements are included in the wsse:UsernameToken in this case: wsse:Nonce and wsse:Created. A nonce is a random value that the sender creates to include in each UsernameToken that it sends. A creation time is added to combine nonces to a "freshness" time period. The Password Digest in this case is calculated as:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

This is how a UsernameToken with Digest Password looks like:

<wsse:UsernameToken wsu:Id="uuid_faf0159a-6b13-4139-a6da-cb7b4100c10c">
   <wsse:Username>Alice</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6S3P2EWNP3lQf+9VC3emNoT57oQ=</wsse:Password>
   <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YF6j8V/CAqi+1nRsGLRbuZhi</wsse:Nonce>
   <wsu:Created>2008-04-28T10:02:11Z</wsu:Created>
</wsse:UsernameToken>

May be this post (Secure Metro JAX-WS UsernameToken Web Service with Signature, Encryption and TLS (SSL)) provides more insight. As they mentioned "Remember, unless password text or digested password is sent on a secured channel or the token is encrypted, neither password digest nor cleartext password offers no real additional security. "

Source: Stackoverflow.com

Examples related to web-services

How do I POST XML data to a webservice with Postman? How to send json data in POST request using C# org.springframework.web.client.HttpClientErrorException: 400 Bad Request How to call a REST web service API from JavaScript? The request was rejected because no multipart boundary was found in springboot Generating Request/Response XML from a WSDL How to send a POST request using volley with string body? How to send post request to the below post method using postman rest client How to pass a JSON array as a parameter in URL Postman Chrome: What is the difference between form-data, x-www-form-urlencoded and raw

Examples related to soap

No found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: There was no endpoint listening at (url) that could accept the message How to enable SOAP on CentOS SOAP-ERROR: Parsing WSDL: Couldn't load from - but works on WAMP SOAP vs REST (differences) SOAP request to WebService with java How to consume a SOAP web service in Java Sending SOAP request using Python Requests JSON, REST, SOAP, WSDL, and SOA: How do they all link together What is the difference between JAX-RS and JAX-WS?

Examples related to ws-security

How to add soap header in java Example of SOAP request authenticated with WS-UsernameToken JAX-WS - Adding SOAP Headers

Examples related to digest

Example of SOAP request authenticated with WS-UsernameToken

Examples related to usernametoken

Example of SOAP request authenticated with WS-UsernameToken

Tags

Ordinal-indicator Transactional Qmail Root-node Nantcontrib Jsr Haml Non-well-formed Kiosk Directory-browsing Ruby-in-steel Image-rotation Script-component Coldfusionbuilder Zend-loader Farpoint Calayer Iphone-accessory Terminfo Setup-kit System.io.fileinfo Pluggable Adler32 Response.redirect Radupload One-to-many Dimension Mod-fcgid Unittest2 Pointers Isolatedstoragefile Image-formats Ruport Custom-scrolling Padarn Urldecode Rendertargetbitmap Ilmerge Quota Django-socialauth Peer-wire-protocol Getcwd Getproperties Backgroundrb Createoleobject Nested-attributes Libavformat Psexec Iterm Logic P4merge Ihttpasynchandler Microcontroller Facebook-javascript-sdk Private-class Analytic-functions Autoresetevent Exception-logging Nav Svnbridge Icccm Adjacency-list-model Object-reference Daab Jpcap Service-name Intel-mkl Sharepoint-2003 Transaction-isolation Netflix Hpsa Forward Recaptcha Clojureclr G-wan Disaster-recovery Userinfo Schannel Windows-server-2008 Procedural-programming Autowired Discount Maya Ploneformgen Versioning Tikz Shotgun Google-talk Balance Generic-handler Wtai Mpich Android-sdcard Slimbox Ora-00911 Datepicker Solr Framework-caching Source-monitor Glui