WS-Security user tokens - plain and hashed


Postby Jez » Thu Jul 09, 2020 10:41 am

Hi

We have a web-service resource that requires us to send the request using a security header containing a Plain-Text password but also the Nonce attribute. I can see that if we use the 'User Token - Hashed Text' security type, then the Nonce attribute is automatically included in the security header, however the request fails as the receiver is expecting a Plain-Text password rather than a PasswordDigest.

1. Is there a way of configuring the web-service adapter to include the Nonce attribute when using 'User Token - Plain Text' security type?

2. Slightly relating to this, when a 'User Token - Hashed Text' security type is used, does eBase automatically set the PasswordDigest value in the security header to the Base64 (SHA-1 (nonce + created + password)) or does this need to be done by the developer?

Cheers
--------------------------------------
Jez Hollinshead - Hampshire CC


Re: WS-Security user tokens - plain and hashed


Postby Steve » Thu Jul 09, 2020 1:21 pm

Hi Jez,

We use a third party API to implement WS-Security. This is part of the Apache CXF API:

https://cxf.apache.org/docs/ws-security.html

This handles all the WS Security automatically for us and attaches the WS-Security header.

I see that this is part of the spec, but we do not support this at the moment. I think that it is just a switch, so it would be easy to switch on.

Unfortunately you would need to add the WS-Security header manually (using header document) and generate the nonce.

I would need to add this to the enhancement request for our implementation of WS Security to support this.

In answer to your second question we automatically add the password to the header. You can use substitution parameters if you need to change the username and password:

https://hub.verj.io/ebase/doc/wss.htm#_Toc411434761

I hope this answers your question.

Kind regards

Steve
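
Added example, not part of either post and not Verj.io or Apache CXF code: a sketch of building the UsernameToken header by hand, covering both the plain-text password with Nonce and Created from question 1 and the Base64(SHA-1(nonce + created + password)) digest from question 2. It assumes Node.js and its built-in `crypto` module; the function and option names are hypothetical.

```javascript
// Added example (Node.js); function and option names are illustrative only.
const crypto = require('crypto');

const WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const WSU = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const PROFILE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0';
const B64 = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary';

// Escape text so a password containing & or < cannot break the header XML.
function xmlEscape(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
                  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Base64(SHA-1(nonce + created + password)): the nonce enters the hash as its
// decoded bytes, not as the Base64 text that is written into <wsse:Nonce>.
function passwordDigest(nonceB64, created, password) {
  return crypto.createHash('sha1')
    .update(Buffer.from(nonceB64, 'base64'))
    .update(created, 'utf8')
    .update(password, 'utf8')
    .digest('base64');
}

// mode 'text' sends the password itself plus Nonce/Created (question 1);
// mode 'digest' sends the PasswordDigest instead (question 2).
function buildSecurityHeader({ username, password, mode = 'text', nonceB64, created }) {
  nonceB64 = nonceB64 || crypto.randomBytes(16).toString('base64'); // fresh per request
  created = created || new Date().toISOString();
  const digest = mode === 'digest';
  const type = PROFILE + (digest ? '#PasswordDigest' : '#PasswordText');
  const value = digest ? passwordDigest(nonceB64, created, password) : password;
  return [
    `<wsse:Security xmlns:wsse="${WSSE}" xmlns:wsu="${WSU}">`,
    '  <wsse:UsernameToken>',
    `    <wsse:Username>${xmlEscape(username)}</wsse:Username>`,
    `    <wsse:Password Type="${type}">${xmlEscape(value)}</wsse:Password>`,
    `    <wsse:Nonce EncodingType="${B64}">${nonceB64}</wsse:Nonce>`,
    `    <wsu:Created>${created}</wsu:Created>`,
    '  </wsse:UsernameToken>',
    '</wsse:Security>',
  ].join('\n');
}
```

In 'text' mode the password is readable by anything that can see the message, so the Nonce and Created values only help a receiver reject replays; confidentiality still depends on the transport (TLS).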