Web Services Security


WS-Security
   Introduction
   User Token – Plain Text
   User Token – Hashed Text
   WSS Timestamp

Http Security
   Introduction
   Using Http Basic Authentication
   Using Http NTLM Authentication

 

WS-Security

Introduction

To configure WS-Security for a Web Services Resource, open the Web Services Resource, select the Web Service Adapter under adapters, click the WSS icon on the toolbar, then select the WS-Security tab. The Web Services Adapter supports Username Tokens and Timestamps from the OASIS WS-Security specification.

 

 

 

 

Three types of WS-Security header are supported and can be added:

 

 

For more information regarding WS-Security protocol, please refer to the OASIS WS-Security specification.

User Token – Plain Text

This token supports basic username and password authentication when a web service is invoked. If the client username and password do not match the integration web service username and password, a SOAP Fault is returned to the client. This method of authentication supports both plain text and hashed text passwords.

 

Username: User name. Substitutable field and environment field variables can be used starting with “&&” e.g. &&$ENV_USERXX.

Password: Password. Substitutable field and environment field variables can be used as above.

Confirm password: Same as password.

 

User Token – Hashed Text

This is the same as the plain text token above, except that the password is hashed using the SHA-1 algorithm rather than sent as plain text. The example below shows the SOAP message sent to the server using this token:

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-21382323" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">username</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">XiznkRuKWEkq0hdHL/nzLS2XojI=</wsse:Password>
            <wsse:Nonce xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">9C3KP/T0s7vQlXHcfgN4VQ==</wsse:Nonce>
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-12-08T16:00:04.297Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
       ……
   </soap:Body>
</soap:Envelope>

 

WSS Timestamp 

This token supports the ability to set an expiry time on the web service call. If a request is received from the client that is ‘out-of-date’ then a standard web SOAP Fault is returned to the client stating that the web service call has expired.

 

Timestamp duration: Enter the time in seconds or milliseconds, depending on the timestamp precision attribute.

Timestamp precision: If checked, the above field is entered in milliseconds; if unchecked, in seconds.

 

The example below shows the SOAP Message sent to the server using Timestamp authentication set to 10 seconds before expiry:

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsu:Timestamp wsu:Id="Timestamp-9611746" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-12-08T17:02:51.287Z</wsu:Created>
            <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-12-08T17:03:01.287Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
       ……
   </soap:Body>
</soap:Envelope>
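The receiving side of the hashed User Token and WSS Timestamp headers shown above, as an added example (this is not Ebase code and not part of the original documentation). It recomputes the digest as defined in the OASIS UsernameToken Profile 1.0 and rejects expired, stale or replayed messages; the function names, the five-minute window, the in-memory nonce set and the sample header are assumptions made for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser, e.g. defusedxml
from datetime import datetime, timedelta

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"wsse": OASIS + "wssecurity-secext-1.0.xsd",
      "wsu": OASIS + "wssecurity-utility-1.0.xsd"}

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce bytes + Created text + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def parse_utc(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_security(header_xml, passwords, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Return None if the header is acceptable, otherwise the reason for the SOAP Fault."""
    try:
        sec = ET.fromstring(header_xml)
        expires = sec.findtext("wsu:Timestamp/wsu:Expires", None, NS)
        if expires is not None and now >= parse_utc(expires):
            return "message expired"
        tok = sec.find("wsse:UsernameToken", NS)
        if tok is None:
            return "username token missing"
        user, sent, nonce = (tok.findtext("wsse:" + n, "", NS) for n in ("Username", "Password", "Nonce"))
        created = tok.findtext("wsu:Created", "", NS)
        # A valid digest says nothing about freshness: bound Created and remember nonces.
        if not nonce or abs(now - parse_utc(created)) > max_age:
            return "stale token"
        if (user, nonce) in seen_nonces:
            return "nonce replayed"
        expected = password_digest(nonce, created, passwords.get(user, ""))
        if user not in passwords or not hmac.compare_digest(expected.encode(), sent.encode()):
            return "authentication failed"
        seen_nonces.add((user, nonce))
        return None
    except (ValueError, TypeError, ET.ParseError):
        return "malformed security header"

def sample_header(user, password, nonce_b64, created, expires):
    # Constructed sample in the shape of the messages above (not captured traffic).
    return (f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{password_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken><wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
            f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp></wsse:Security>')
```

To recompute the digest the server must hold the same password value the client hashed, and `now` must be a timezone-aware UTC datetime.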

 

Http Security

Introduction

The Ebase web services adapter supports HTTP Basic Authorization security in accordance with the W3C HTTP/1.0 protocol.

 

Using Http Basic Authentication

HTTP Basic authentication is an HTTP/1.0 standard used by web servers to authenticate a client before allowing access to particular web applications. It adds the username and password to the HTTP header as a Base64-encoded string. If the username is ‘bill’ and the password is ‘mypass’, the following HTTP header is added to the HTTP request:

 

Authorization: Basic YmlsbDpteXBhc3M=

 

To configure Http-Security for a Web Services Resource, open the Web Services Resource, select the Web Service Adapter under adapters, click the WSS icon on the toolbar, then select the Http-Security tab.

 

 

1)     Select Enable Http Authentication.

2)     Enter the username.  This value supports substitutable parameters. See substitutable parameters section for more details.

3)     Enter the password.  This value supports substitutable parameters. See substitutable parameters section for more details.

4)     Confirm the password.

5)     Click the OK button.

Using Http NTLM Authentication

NTLM (NT LAN Manager) is a Microsoft authentication protocol. NTLM authentication is configured in exactly the same way as Http Basic Authentication, except that the domain name is included as part of the username. The username must be entered as <domain-name>\<username>.