What Is WS-Security Username Token Profile?
This section describes the WS-Security Username Token Profile standard, which describes the profile (specific mechanisms and procedures) on how a username and password can be passed in a SOAP message and how replay attacks can be prevented.
What Is "WS-Security Username Token Profile"?
WS-Security Username Token Profile is an OASIS specification that
describes the profile (specific mechanisms and procedures) on
how the "UsernameToken" element defined in WS-Security standard
can be used as a means of identifying the sender by "username", and optionally using a password
(or shared secret, or password equivalent) to authenticate that identity
to the SOAP message receiver.
Here are 2 options specified in WS-Security Username Token Profile 1.1.1:
"#PasswordText" Option - This is the default option, in which the password is passed as clear text. This is acceptable only if the SOAP message
is sent over a secure communication channel like HTTPS. Here is an example (element values elided):

    <soap:Envelope xmlns:soap="..." xmlns:wsse="...">
      <soap:Header>
        <wsse:Security>
          <wsse:UsernameToken>
            <wsse:Username>...</wsse:Username>
            <wsse:Password Type="...#PasswordText">...</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        ...
      </soap:Body>
    </soap:Envelope>
"#PasswordDigest" Option - This is a more complex option, in which the
password is passed as a hash digest computed together with "Nonce" and "Created" elements,
to hide the original password and to prevent replay attacks (element values elided):

    <soap:Envelope xmlns:soap="..." xmlns:wsse="..." xmlns:wsu="...">
      <soap:Header>
        <wsse:Security>
          <wsse:UsernameToken>
            <wsse:Username>...</wsse:Username>
            <wsse:Password Type="...#PasswordDigest">...</wsse:Password>
            <wsse:Nonce>...</wsse:Nonce>
            <wsu:Created>...</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        ...
      </soap:Body>
    </soap:Envelope>
Notes on option 2:
- Namespace "wsu" refers to the WSU (WS-Security Utility 1.0) schema located at:
- 'Type="...#PasswordDigest"' stands for
It specifies that the "Password" element contains
the digest value generated by the "#PasswordDigest" algorithm defined in the
WS-Security Username Token Profile standard.
- The "Nonce" element contains the Base64 encoded form of a random string acting like a serial number
of this SOAP message.
- The "Created" element contains the timestamp of when this SOAP message was generated.
The "#PasswordDigest" algorithm is defined by the following formula:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
The receiver of a SOAP message carrying a "#PasswordDigest" UsernameToken should perform the
validations listed below:
- Recalculate the password digest value using the same password and the same algorithm.
If the digest value does not match the "Password" content, reject this message.
This prevents anyone changing the "Nonce" or the "Created" value.
- Check the "Created" timestamp against the current time. If the "Created" timestamp is not "fresh",
for example more than 5 minutes old, reject this message.
This prevents replay attacks in which someone resends the same message again to the receiver later in time.
- Check the "Nonce" value against old "Nonce" values received recently.
If the "Nonce" value matches an old "Nonce" value, reject this message.
This prevents replay attacks in which someone resends the same message again immediately.
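The digest formula and the three receiver-side checks above, implemented together as an added example (this is not code from the original tutorial). It assumes the "Created" value is an ISO 8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ, that the raw (Base64-decoded) nonce bytes are what enter the SHA-1 input, and that a simple in-memory dictionary stands in for the receiver's credential store and nonce cache; all sample values are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Freshness window from the text: reject a Created timestamp more than 5 minutes old.
MAX_AGE = timedelta(minutes=5)
# Assumed wire format for wsu:Created (xsd:dateTime in UTC).
CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def make_nonce(size: int = 16) -> str:
    """Random nonce, Base64 encoded as it appears in the wsse:Nonce element."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created value into an aware UTC datetime; raises ValueError if malformed."""
    return datetime.strptime(created, CREATED_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)).

    The nonce enters the hash as its decoded raw bytes (not the Base64 text);
    Created and the password enter as UTF-8 strings.
    """
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenValidator:
    """Receiver-side checks in the order the text lists them: digest, Created freshness, Nonce reuse."""

    def __init__(self, passwords: dict, max_age: timedelta = MAX_AGE):
        self._passwords = passwords  # username -> password (stand-in for a real credential store)
        self._max_age = max_age
        self._seen = {}              # nonce -> time after which it no longer needs to be remembered

    def _forget_expired(self, now: datetime) -> None:
        # A nonce older than the freshness window is already rejected by the Created check,
        # so it can be dropped from the cache; this keeps the cache bounded.
        for nonce in [n for n, expiry in self._seen.items() if expiry < now]:
            del self._seen[nonce]

    def validate(self, username: str, digest: str, nonce_b64: str, created: str, now: datetime):
        password = self._passwords.get(username)
        if password is None:
            return (False, "unknown user")
        # 1. Recompute the digest: a mismatch means a wrong password or an altered Nonce/Created.
        if not hmac.compare_digest(password_digest(nonce_b64, created, password), digest):
            return (False, "digest mismatch")
        # 2. Created must be fresh: stops the message being replayed later in time.
        try:
            created_dt = parse_created(created)
        except ValueError:
            return (False, "malformed Created")
        if created_dt < now - self._max_age:
            return (False, "Created timestamp too old")
        # 3. Nonce must not have been seen inside the window: stops an immediate replay.
        self._forget_expired(now)
        if nonce_b64 in self._seen:
            return (False, "Nonce already used")
        self._seen[nonce_b64] = now + self._max_age
        return (True, "ok")


if __name__ == "__main__":
    # Constructed sample: the sender builds the token values, the receiver validates them twice.
    nonce, created, password = make_nonce(), "2014-03-01T12:00:00Z", "secret"
    digest = password_digest(nonce, created, password)
    validator = UsernameTokenValidator({"alice": password})
    now = parse_created("2014-03-01T12:00:30Z")
    print(validator.validate("alice", digest, nonce, created, now))  # accepted
    print(validator.validate("alice", digest, nonce, created, now))  # rejected: Nonce reuse
```

The digest comparison uses a constant-time compare, and the nonce cache is pruned with the same window as the freshness check, so the two checks together bound both how long a captured message stays valid and how much state the receiver must keep.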
For more information, see the full specification at
Last update: 2014.