What Is WS-Security Username Token Profile?

This section describes the WS-Security Username Token Profile standard, which defines the profile (specific mechanisms and procedures) for how a username and password can be passed in a SOAP message and how replay attacks can be prevented.

What Is "WS-Security Username Token Profile"?

WS-Security Username Token Profile is an OASIS specification that describes the profile (specific mechanisms and procedures) on how the "UsernameToken" element defined in the WS-Security standard can be used as a means of identifying the sender by "username", and optionally using a password (or shared secret, or password equivalent) to authenticate that identity to the SOAP message receiver.

Here are the 2 options specified in WS-Security Username Token Profile 1.1.1:

"#PasswordText" Option - This is the default option, in which the password is passed as clear text. This is acceptable only if the SOAP message is sent over a secure communication channel like HTTPS. Here is an example:

<soap:Envelope xmlns:soap="..." xmlns:wsse="...">
<soap:Header>
   <wsse:Security>
      <wsse:UsernameToken>
         <wsse:Username>herong</wsse:Username>
         <wsse:Password>IloveDogs</wsse:Password>
      </wsse:UsernameToken>
   </wsse:Security>
</soap:Header>
...
</soap:Envelope>

"#PasswordDigest" Option - This is a more complex option, in which the password is passed as a hash digest together with "Nonce" and "Created" elements, to hide the original password and to prevent replay attacks:

<soap:Envelope xmlns:soap="..." xmlns:wsse="..." xmlns:wsu="...">
<soap:Header>
   <wsse:Security>
      <wsse:UsernameToken>
         <wsse:Username>NNK</wsse:Username>
         <wsse:Password Type="...#PasswordDigest">
            weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
         <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
         <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
      </wsse:UsernameToken>
   </wsse:Security>
</soap:Header>
</soap:Envelope>

Notes on option 2:

The "#PasswordDigest" algorithm is defined by the following formula:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

The receiver of the SOAP message using a "#PasswordDigest" UsernameToken should perform the validations listed below:
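The digest formula above and the receiver-side checks, worked through as an added example (this is not code from the original page or from the OASIS specification). The sender side builds a token with a fresh random nonce and the current time; the receiver side recomputes the digest from the password it holds for that user, rejects tokens whose "Created" lies outside a freshness window, and keeps a cache of already-accepted nonces so that a captured token cannot be replayed. Per the specification, the nonce enters the hash as its decoded octets while "Created" and the password enter as UTF-8 text. The user store, the 5-minute window and the parse of whole-second "Created" values are assumptions made for this example; the spec's own digest in the page cannot be recomputed here because its password is not given.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # whole-second UTC form, as in the page's example


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created value (assumption: whole-second UTC only; fractional seconds not handled)."""
    return datetime.strptime(created, CREATED_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    The nonce is the decoded octets; Created and the password are hashed as UTF-8 text.
    """
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_token(username: str, password: str, now=None) -> dict:
    """Sender side: fresh random nonce, current time, digest over (nonce, created, password)."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(CREATED_FORMAT)
    return {
        "Username": username,
        "Password": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class DigestValidator:
    """Receiver side: freshness window, nonce cache against replay, constant-time digest compare."""

    def __init__(self, passwords: dict, freshness_seconds: int = 300):
        self._passwords = passwords                 # constructed user store (username -> password)
        self._window = timedelta(seconds=freshness_seconds)
        self._seen = {}                             # accepted nonce (base64 text) -> Created datetime

    def validate(self, token: dict, now=None) -> tuple:
        now = now or datetime.now(timezone.utc)
        try:
            created = parse_created(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
            username, digest = token["Username"], token["Password"]
        except (KeyError, ValueError) as exc:
            return False, f"malformed token: {exc}"
        if abs(now - created) > self._window:
            return False, "Created outside freshness window"
        self._forget_expired(now)
        if token["Nonce"] in self._seen:
            return False, "nonce already seen (replay)"
        # Unknown users still get a digest computed so the work done does not reveal whether the name exists.
        password = self._passwords.get(username, "")
        expected = password_digest(nonce, token["Created"], password)
        if username not in self._passwords or not hmac.compare_digest(expected, digest):
            return False, "digest mismatch"
        self._seen[token["Nonce"]] = created        # remember only accepted nonces
        return True, "ok"

    def _forget_expired(self, now: datetime) -> None:
        # A nonce older than the window is rejected by the freshness check anyway, so drop it to bound the cache.
        for nonce in [n for n, c in self._seen.items() if now - c > self._window]:
            del self._seen[nonce]


if __name__ == "__main__":
    validator = DigestValidator({"herong": "IloveDogs"})     # constructed credentials
    token = build_token("herong", "IloveDogs")
    print(token)
    print(validator.validate(token))   # accepted on first use
    print(validator.validate(token))   # the same token presented again is rejected as a replay
```

Recording only accepted nonces, and expiring them once they fall outside the freshness window, keeps the replay cache bounded; the freshness window is what makes that expiry safe, since a token older than the window is rejected before the cache is consulted.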

For more information, see the full specification at http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

Last update: 2014.
