Hi
We have a web-service resource that requires us to send the request using a security header containing a Plain-Text password but also the Nonce attribute. I can see that if we use the 'User Token - Hashed Text' security type, then the Nonce attribute is automatically included in the security header, however the request fails as the receiver is expecting a Plain-Text password rather than a PasswordDigest.
1. Is there a way of configuring the web-service adapter to include the Nonce attribute when using 'User Token - Plain Text' security type?
2. Slightly relating to this, when a 'User Token - Hashed Text' security type is used, does eBase automatically set the PasswordDigest value in the security header to the Base64 (SHA-1 (nonce + created + password)) or does this need to be done by the developer?
Cheers
WS-Security user tokens - plain and hashed
Moderators: Jon, Steve, Ian, Dave
- Jez
- Ebase User
- Posts: 31
- Joined: Thu Aug 21, 2008 11:03 am
- Location: Hampshire County Council
WS-Security user tokens - plain and hashed
0 x
--------------------------------------
Jez Hollinshead - Hampshire CC
Jez Hollinshead - Hampshire CC
-
- Moderator
- Posts: 415
- Joined: Fri Sep 07, 2007 3:44 pm
- Location: Sandy, UK
- Contact:
Re: WS-Security user tokens - plain and hashed
Hi Jez,
We use a thrid party API to implement WS-Security. This is part of the Apache CXF API:
https://cxf.apache.org/docs/ws-security.html
This handles all the WS Security automatically for us and attaches the WS-Security header.
I see that this is part of the spec, but we do not support this at the moment. I think that it is just a switch, so it would be easy to switch on.
Unfortunately you would need to add the WS-Security header manually (using header document) and generate the nonce.
I would need to add this to the enhancement request for our implementation of WS Security to support this.
In answer to your second question we automatically add the password to the header. You can use substitution parameters if you need to change the username and password:
https://hub.verj.io/ebase/doc/wss.htm#_Toc411434761
I hope this answers your question.
Kind regards
Steve
We use a thrid party API to implement WS-Security. This is part of the Apache CXF API:
https://cxf.apache.org/docs/ws-security.html
This handles all the WS Security automatically for us and attaches the WS-Security header.
I see that this is part of the spec, but we do not support this at the moment. I think that it is just a switch, so it would be easy to switch on.
Unfortunately you would need to add the WS-Security header manually (using header document) and generate the nonce.
I would need to add this to the enhancement request for our implementation of WS Security to support this.
In answer to your second question we automatically add the password to the header. You can use substitution parameters if you need to change the username and password:
https://hub.verj.io/ebase/doc/wss.htm#_Toc411434761
I hope this answers your question.
Kind regards
Steve
0 x
Who is online
Users browsing this forum: No registered users and 16 guests