Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication

Username token

We can use the <UsernameToken> element to propagate a user name and, optionally, password information. Also, you can use this token type to carry basic authentication information. Both a user name and a password are used to authenticate the SOAP message.

OASIS: Web Services Security UsernameToken Profile 1.0

A UsernameToken element containing the user name is used in identity assertion. Identity assertion establishes the identity of the user based on the trust relationship.

The following example shows the syntax of the <UsernameToken> element:

<wsse:UsernameToken wsu:Id="Example-1">
<wsse:Username>
   ...

</wsse:Username>
<wsse:Password Type="...">
   ...

</wsse:Password>
<wsse:Nonce EncodingType="...">
   ...

</wsse:Nonce>
<wsu:Created>
   ...

</wsu:Created>
</wsse:UsernameToken> 

The Web Services Security specification defines the following password types:

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText (default)

This type is the actual password for the user name.

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest

The type is the digest of the password for the user name. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password.

WAS supports the default PasswordText type. However, it does not support password digest because most user registry security policies do not expose the password to the application software.

The following example illustrates the use of the <UsernameToken> element:

<S:Envelope
       xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<S:Header>             ...
 
<wsse:Security>      
<wsse:UsernameToken>          
<wsse:Username>Joe
</wsse:Username>          
<wsse:Password>ILoveJava
</wsse:Password>      
</wsse:UsernameToken>  
</wsse:Security>
</S:Header>
</S:Envelope>

OASIS: Web Services Security UsernameToken Profile 1.1

WAS supports both Username Token Profile 1.0 and v1.1 standards.

WAS does not support the following functions:

• In both versions of the Username Token Profile specification, the digest password type is not supported

• In both versions of the Username Token Profile specification, key derivation based on a password is not supported.

We can use policy sets to configure the UsernameToken using the admin console. Also, you can use the Web Services Security APIs to attach the Username token to the SOAP message. The following figure describes the creation and validation of the Username token for the JAX-RPC and JAX-WSs.

Create and validating the Username token using the JAAS Login Module and the JAAS CallbackHandler in JAX-RPC
Username token using the JAAS Login Module and the JAAS CallbackHandler in JAX-RPC" />

Create and validating the Username token using the JAAS Login Module and the JAAS CallbackHandler in JAX-WS
Username token using the JAAS Login Module and the JAAS CallbackHandler in JAX-WS" />

The WSS API is available only when you are using the JAX-WS programming model.

On the generator side, the Username token is created by using the JAAS LoginModule and by using the JAAS CallbackHandler to pass the authentication data. The JAAS LoginModule creates the UsernameToken object and passes it to the Web Services Security run time.

On the consumer side, the Username Token XML format is passed to the JAAS LoginModule for validation or authentication, and the JAAS CallbackHandler is used to pass the authentication data from the Web Services Security run time to the JAAS LoginModule. After the token is authenticated, a UsernameToken object is created and is passed to the Web Service Security run time.

Example

The following example provides sample code for creating Username tokens:

WSSFactory factory = WSSFactory.getInstance();
   WSSGenerationContext gencont = factory.newWSSGenerationContext();

// Attach the username token to the message.
   UNTGenerationCallbackHandler ugCallbackHandler =
      newUNTGenerationCallbackHandler("alice", "ecila");
   SecurityToken ut = factory.newSecurityToken(ugCallbackHandler,
                                               UsernameToken.class);
   gencont.add(ut);

// Generate the WS-Security header gencont.process(msgctx);

Nonce, a randomly generated token
Binary security token
XML token
Security token
Web Services Security provides message integrity, confidentiality, and authentication
Configure a nonce on the server or cell level
OASIS Standard Specification Web Services Security UsernameToken Profile 1.0
OASIS Standard Specification Web Services Security UsernameToken Profile 1.1

+

Search Tips   |   Advanced Search