SOAP Web Service Tutorials - Herong's Tutorial Examples - Version 5.02, by Dr. Herong Yang
Validating wsse:Password Digest String
This section provides a tutorial example on how the SOAP message receiver should validate the password digest string in the wsse:Password element using the 'Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )' definition.
Now let's take a look at the SOAP request message generated by SoapUI from the previous tutorial. The full request message listed below was copied from the "Raw" tab on the request screen. Note that extra line breaks are added for formatting purposes.

<soapenv:Envelope
   xmlns:ser="http://www.herongyang.com/Service/"
   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01
      /oasis-200401-wss-wssecurity-utility-1.0.xsd"
   >
   <wsse:UsernameToken
      wsu:Id="UsernameToken-0109E51EF61372671214033546017912">
      <wsse:Username>herong</wsse:Username>
      <wsse:Password
         Type="http://docs.oasis-open.org/wss/2004/01
            /oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
         PfZyE8nQQR2rAsODn7iVGaf8hD8=
      </wsse:Password>
      <wsse:Nonce
         EncodingType="http://docs.oasis-open.org/wss/2004/01
            /oasis-200401-wss-soap-message-security-1.0#Base64Binary">
         0TBQcVnd9H4uGi1jGxqJWg==
      </wsse:Nonce>
      <wsu:Created>2014-06-21T12:43:21.791Z</wsu:Created>
   </wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
   <ser:HelloRequest>Hello</ser:HelloRequest>
</soapenv:Body>
</soapenv:Envelope>
The "wsse:Security" SOAP header element looks good.
The receiver of this request should verify the password digest "PfZyE8nQQR2rAsODn7iVGaf8hD8=" based on the "Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )" definition to authenticate that the sender is "herong":
Note that the password digest has been changed to the correct value of "PfZyE8nQQR2rAsODn7iVGaf8hD8=". The value, "SjUQn7b8qSr5x4WOg9YLieSe2to=", included in the previous version of the book was incorrect. Thanks to Kumar who reported the problem.
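The following receiver-side check is an added example, not code from the original tutorial: it recomputes the digest from the definition above (with the nonce Base64-decoded before hashing), compares it in constant time, and rejects stale or replayed tokens. The 5-minute window, the in-memory nonce cache, the function names and the password "example-password" are assumptions made for illustration; the nonce and timestamp are taken from the request above.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for wsu:Created
_seen = set()                   # assumed in-memory replay cache of (nonce, created)

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), nonce Base64-decoded first."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def validate_token(digest_b64, nonce_b64, created, password, now=None):
    """Return True only for a fresh, unseen token whose digest matches."""
    # Element text may carry whitespace from line breaks, as in the listing.
    digest_b64, nonce_b64, created = (
        s.strip() for s in (digest_b64, nonce_b64, created))
    now = now or datetime.now(timezone.utc)
    try:
        expected = password_digest(nonce_b64, created, password)
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:  # malformed Base64 or timestamp
        return False
    created_at = created_at.replace(tzinfo=timezone.utc)
    if abs(now - created_at) > MAX_AGE:
        return False  # stale or future-dated token
    if (nonce_b64, created) in _seen:
        return False  # nonce already used: replay
    # Constant-time comparison of the two Base64 strings.
    if not hmac.compare_digest(expected.encode(), digest_b64.encode("utf-8")):
        return False
    _seen.add((nonce_b64, created))  # remember only successfully used nonces
    return True

if __name__ == "__main__":
    nonce = "0TBQcVnd9H4uGi1jGxqJWg=="    # from the request above
    created = "2014-06-21T12:43:21.791Z"  # from the request above
    password = "example-password"         # constructed, not the page's password
    digest = password_digest(nonce, created, password)
    at = datetime(2014, 6, 21, 12, 44, tzinfo=timezone.utc)
    print(validate_token(digest, nonce, created, password, now=at))  # first use
    print(validate_token(digest, nonce, created, password, now=at))  # replay
```

In a real service the receiver looks up the stored password for the wsse:Username value and keeps the nonce cache in shared storage with entries expiring after the freshness window.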
Last update: 2015.