Encrypting wsse:Username?

Is there a standard way of encrypting both the "wsse:Username" and "wsse:Password" elements of a SOAP message?
Please let me be VERY specific, here. I do not want to encrypt the BODY of the message, nor do I want to encrypt the entire SOAP message or use HTTPS (unless there isn't any other way to do this). All I want to do is encrypt the "wsse:Username" in the same fashion that the "wsse:Password" is encrypted.
Here's what the relevant bits in my SOAP header look like right now:
<wsse:Username>cerebra</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-use
rname-token-profile-1.0#PasswordText">****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws
s-soap-message-security-1.0#Base64Binary">pkvlc1gx6zThR3k6cq2CFFYI</wsse:Nonce>
Here's what I'd like them to look like, if possible:
<wsse:Username Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-use
rname-token-profile-1.0#UsernameText">****</wsse:Username>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws
s-soap-message-security-1.0#Base64Binary">pkvlc1gx6zThR3k6cq2CFFYI</wsse:Nonce>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-use
rname-token-profile-1.0#PasswordText">****</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws
s-soap-message-security-1.0#Base64Binary">pkvlc1gx6zThR3k6cq2CFFYI</wsse:Nonce>
I've played around with the examples in the JWSDP 2.0 "xws-security" directory, and none of them seem to do what I want. The one that did look promising ("encrypt-usernameToken-client.xml") does not -- repeat: DOES NOT! -- work. It throws an exception on the "Target" element supplied with the example:
<xwss:Target type="uri">#username-token</xwss:Target>
I tried permutations on "#username-token" but none of them worked. Anyone out there have an easy (relatively speaking :-) answer to this?

Answered my own question, with virtually no assistance from the brain-damaged JAXRPC-WS documentation. As is usual with XWS, no promises that this will work for you. Your mileage is virtually guaranteed to vary.
Client-side configuration:
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<xwss:UsernameToken id="username-token" digestPassword="false"/>
<xwss:Encrypt>
<xwss:X509Token certificateAlias="youraliasgoeshere"/>
<xwss:KeyEncryptionMethod
algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xwss:DataEncryptionMethod
algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<xwss:Target type="xpath">//SOAP-ENV:Body</xwss:Target>
<xwss:Target type="uri">#username-token</xwss:Target>
</xwss:Encrypt>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
com.whatever.ClientAuthenticationHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Server-side configuration:
<xwss:JAXRPCSecurity xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
<xwss:Service>
<xwss:SecurityConfiguration dumpMessages="true">
<xwss:RequireEncryption>
<xwss:Target type="uri">#username-token</xwss:Target>
<xwss:Target type="xpath">//SOAP-ENV:Body</xwss:Target>
</xwss:RequireEncryption>
<xwss:RequireUsernameToken passwordDigestRequired="false"/>
<xwss:Encrypt>
<xwss:X509Token certificateAlias="youraliasgoeshere"/>
<xwss:KeyEncryptionMethod
algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xwss:DataEncryptionMethod
algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</xwss:Encrypt>
</xwss:SecurityConfiguration>
</xwss:Service>
<xwss:SecurityEnvironmentHandler>
com.whatever.ServerAuthenticationHandler
</xwss:SecurityEnvironmentHandler>
</xwss:JAXRPCSecurity>
Didn't want to be a member of this high priesthood... but it looks like I'm being forced into it. (*sigh*).
Jerry H.

Similar Messages

Encrypt the username and Password in URL

Hi
My requirement is to encrypt the Password in the URL.
http://Server_name/analytics/saw.dll?NQUser=Administrator&NQPassword=*Administrator*.
Here My URL should look like this.
http://Server_name/analytics/saw.dll?NQUser=Administrator&NQPassword=*encrypted password*.

Hi in what situation you need this?, actually this is not a good practice to expose the user name and password over the URL. Better to force the user to login and then continue.
If the user already logged in and while clicking you need to do a navigation then no need of passing username or password.
Edited by: Ugser on Sep 7, 2009 8:08 AM

How to encrypt username and password before transmit on client side

I want to encrypt the username and password at client side when user login to my page first and then send to server.
Could anybody tell me how to do it?
Thanks a lot.

Yup , What suggested is true...
The HTTPs authentication type is mainly for encrypting..
This is an extract from the book i have which states how you can do that...
UNDERSTANDING AUTHENTICATION MECHANISMS
HTTPS Client authentication :
HTTPS is HTTP over SSL (Secure Socket Layer). SSL is a protocol developed by
Netscape to ensure the privacy of sensitive data transmitted over the Internet. In this
mechanism, authentication is performed when the SSL connection is established
between the browser and the server. All the data is transmitted in the encrypted form
using public-key cryptography, which is handled by the browser and the servlet container
in a manner that is transparent to the servlet developers. The exam doesn�t
require you to know the details of this mechanism.
Advantages
The advantages of HTTPS Client authentication are
� It is the most secure of the four types.
� All the commonly used browsers support it.
1 Actually, instead of the password, an MD5 digest of the password is sent. Please refer to RFC 1321 for
more information.
Disadvantages
The disadvantages of HTTPS Client authentication are
� It requires a certificate from a certification authority, such as VeriSign.
� It is costly to implement and maintain.

Storing encrypted username and password along with the Key into Windows Keystore

I have a WPf application and I need to allow the user to enter the username and password. Username and Password should be encrypted and store them with the key into the windows Keystore. I used the Cryptography class to encrypt the username and password but
I am not sure how to store them in the Windows Key Store.
This login is used for configuration purpose only. User enters and it is saved into the clients machine. As long these credentials are correct, we are going to allow this machine to call another API to download files.
I would really appreciate for any sample code. Basically, I need to store them in the registry and be able to call them to verify.

Data encryption and key management is certainly not a WPF topic so you are in the wrong forum but you could take a look at the ProtectedData class:
https://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx.
It provides methods for encrypting and decrypting data on user or machine level. Please refer to the following link for more information:
http://stackoverflow.com/questions/4967325/best-way-to-store-encryption-keys-in-net-c-sharp
Here is another link on the subject that may be helpful:
http://stackoverflow.com/questions/7459069/where-to-store-sensitive-information-needed-for-an-application-to-run
Please remember to mark helpful posts as answer to close your threads.

WSS without incoming/outgoing signature or encryption

Hi all,
I have got a problem with the SOAP receiver adapter on PI 7.1. If have configured the securtiy profile: Web Services Security on the SOAP receiver adapter. On the related receiver agreements I have chosen the Oasis security standard. As request and response security procedure I had to quote none since the adessed web service supports neither signing nor encryption.
On sending my message to the web service I'm getting the following response:
Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: response message contains an error XIAdapter/PARSING/ADAPTER.SOAP_EXCEPTION - soap fault: WSDoAllReceiver: Incoming message does not contain required Security header.
Is the anything I might have missed? Does the SOAP receiver adapter support the quoted constallation of security parameters?
Kind regards,
Heiko

Hello RK,
the header is the following (I have changed the username and digest):
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gas="http://gas-xml.de/3.2/gas-x-ws">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>anyuser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">anydigest</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">anydigest<wsse:Nonce>
<wsu:Created>2011-08-16T13:41:59.607Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Kind regards,
Heiko
PS: I was able to send the message to the target system by applying an xslt mapping in order to manipulate the SOAP header.

Using Encrypt Policy in OSB

HI,
I am struggling to enforce inbound message level security at the proxy service level.
I just wanted to encrypt the request and response payload of the proxy service .
I have tried all my best and added encrypt policy to request and response at the policy tab of proxy service.
Please guide me how to enforce it .
Abhinav

Anuj ,
i am using self signed certificate for service key provider.
My request :
<soapenv:Envelope xmlns:prox="http://in.abhinav/ProxyPayload_Master" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>weblogic</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic123</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">za2EsbtNUse5t2Y9DjL9jA==</wsse:Nonce>
<wsu:Created>2012-01-16T06:57:06.769Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<prox:SendOperationRequest>
<username>?</username>
<password>?</password>
<mobilePhoneNumber>?</mobilePhoneNumber>
<vouchernumber>?</vouchernumber>
</prox:SendOperationRequest>
</soapenv:Body>
</soapenv:Envelope>
Resposne :
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>Could not validate encryption against any of the supported token types</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>

Web service security: Unable to extract username / password from soapheader

Hi All,
For a webservice, we have implemented basic authentication (plain text password) using jdeveloper wizard. We are successfully getting the textbox for username and password. However, the problem is when trying to extract the username and password from the soapHeader on the server side.
Here is the soap message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.dubaitrade.ae"><soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mustUnderstand="1"><wsse:UsernameToken><wsse:Username>testuser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpass</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header>
<soap:Body>
<ns:processValidateCust>
<paymentMethod>cash</paymentMethod>
</ns:processValidateCust>
</soap:Body>
</soap:Envelope>
Here is the sample java file:
public class ValidateCustImpl implements javax.xml.rpc.server.ServiceLifecycle {
ServletEndpointContext ctx;
public String processValidateCust(String paymentMethod) {
if (ctx != null) {
SOAPMessageContext context =
(SOAPMessageContext)ctx.getMessageContext();
try {
SOAPHeader header =
context.getMessage().getSOAPPart().getEnvelope().getHeader();
System.out.println(header.getNamespaceURI() + " " +header.toString());
} catch (SOAPException x) {
System.out.println("Exception" + x);
x.printStackTrace();
Here is the output:
NamespaceURI for header is:http://schemas.xmlsoap.org/soap/envelope/
and the header is:<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"/>
However, if i "Inspect" the header in "debug" mode in jdev, i do see the strings i had passed.
Name Value Type
- header soap:Header Header11
+ headerExtensionContext HeaderExtensionContext
defaultNs null String
name null Name
childrenNeedUpdate false boolean
nodeId 21474836507 long
flags 1 int
- data Object[1024]
 + [43] wsse:Security HeaderElement11
+ [44] xmlns:wsse QxName
+ [45] "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" String
+ [46] XMLAttr
+ [49] wsse:Security HeaderElement11
+ [50] mustUnderstand QxName
+ [51] "1" String
+ [55] wsse:Security HeaderElement11
+ [56] wsse:UsernameToken QxName
- [60] wsse:Username Element11
defaultNs null String
name null Name
childrenNeedUpdate false boolean
nodeId 42949673023 long
flags 1 int
+ data Object[1024]
+ [61] wsse:Password Element11
+ [63] wsse:UsernameToken Element11
+ [64] wsse:Username QxName
+ [66] wsse:Password Element11
+ [68] TextImpl
+ [69] TextImpl
+ [71] wsse:Username Element11
+ [72] "testuser" char[3]
+ [75] wsse:UsernameToken Element11
Any idea how do i extract this username from the header?
TIA,
abbas

Can someone help here please?

Calling A Secured webservice using Username and password in the Soap header

I want to call a secured webservice.
The Username and password should be sent with the payload in the SOAP Header
as
<wsse:Security S:mustunderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="SecurityToken-XXXXXXXXXXXXXXXXXXXXXXXXX" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>uname</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
Can you please send me the steps?
I tried with giving the username and password under Service Account.
I tried to create a wspolicy under business service. But nothing works...
Please help me at the earliest.
Also please give me steps in sequence.

Now i made sure that the endpoint is available!
Now am getting this error:
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>BEA-380002: localhost1</faultstring>
<detail>
<con:fault xmlns:con="http://www.bea.com/wli/sb/context">
<con:errorCode>BEA-380002</con:errorCode>
<con:reason>localhost1</con:reason>
<con:location>
<con:node>RouteNode1</con:node>
<con:path>request-pipeline</con:path>
</con:location>
</con:fault>
</detail>
</soapenv:Fault>
Also in the invocation trace i can observe the following things:
Under Invocation Trace:-
========================
 Receiving request =====> Initial Message context
 ===============================================
 under added header:-
 ==================
 <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 </soap:Header>
 under RouteNode1
================
 Route to "TargetMyService_BS"
$header (request):-
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
Under Message Context changes:-
*===============================*
I can find this element also:-
con:security>
*<con:doOutboundWss>false</con:doOutboundWss>*
*</con:security>*
eventhough we enabled ws security, how the above tag can be false?
I think its getting failed to populate the header with the required login credentials.
The other doubt i have is:-
=================
I have chosen the service account type is static...is this right?

Username and password token retrieval from SOAP web services

We are implementing one JAX-WS Web services which requires to retrieve the username and password in SOAP header elements and use those for further use/processing.
When we are retrieving username/password it’s coming as null. Please help ...
if (Boolean.FALSE.equals(context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
try {
SOAPMessage sm = context.getMessage();
//SOAPEnvelope envelope = context.getMessage().getSOAPPart().getEnvelope();
SOAPEnvelope envelope = sm.getSOAPPart().getEnvelope();
SOAPHeader sh = envelope.getHeader();
System.out.println("Message: "+envelope);
System.out.println("Envelope: "+envelope);
System.out.println("Header: "+sh.toString());
Iterator it = sh.examineAllHeaderElements();
while(it.hasNext()){
System.out.println(it.next());
String username;
username = sh.getAttribute("Username");
// username = sh.getAttributeValue("Username");
//String password = sh.getAttribute("Password");
System.out.println("uid:"+username);
//System.out.println("pass: "+password);
context.put("Username", username);
//context.put("Passsword", password);
// default scope is HANDLER (i.e., not readable by SEI
// implementation)
context.setScope("Username", MessageContext.Scope.APPLICATION);

<S12:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu= "...">
<S12:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>TestUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TestPassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S12:Header>
</S12:Envelope>

Sending WSSE security headers to non-weblogic web service

I have been trying to send wsse headers to a non-weblogic web service. I am looking for a way to do this using the control file I generated from the wsdl or the page flow where I implement the control, or the message handler file. I have username and password parameters but I cannot get this to function.
Here is the signature I need:
<?xml version="1.0" encoding="UTF-8" ?>
- <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <env:Header>
- <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
- <wsse:UsernameToken wsu:Id="Id-dFQDZm_34ewPYtaARIJ_4BfI" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>weblogic</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
- <env:Body>
<n1:hello xmlns:n1="http://workshop.bea.com/WebServiceB" />
</env:Body>
</env:Envelope>
Of course the Body is different, but this is the security signature that I need to get into the header. After looking at all the examples, I only see the option of using a java proxy class to call the web service, which would be a little difficult to use as my whole page flow application so far is calling the web service from a generated control. There are also lots of coplex datatypes that are being sent to the web service so a jave proxy would be a little difficult. I have tried to take the code from the java proxy class example and put it in my handler class, but the handler seems to only use MessageContext, not WebServiceContext and will not let me add the username password tokens. When I have tried to case a WebServiceContext out of a MessageContext, it gives me a runtime error "Class Cast Exception" even though workshop lets me do it.
This is extremely urgent. Please help me! I am using the sample handler class called MessageHandler.java and the sample WSSE java proxy class called WebServiceBClient.java that generated the above signature.

More information:
Here is the first part of my Java Control where I am calling the web service and the message handler:
package controls;
* @jc:location http-url="http://localhost:7001/Checking.jws"
* @jc:wsdl file="#CheckingWsdl"
* @jc:handler callback="MessageHandler" operation="MessageHandler"
public interface CheckingService extends com.bea.control.ControlExtension, com.bea.control.ServiceControl
public static class CustomerInfo
implements java.io.Serializable
public java.lang.String FirstName;
public java.lang.String LastName;
public java.lang.String MiddleName;
public int SSN;
public int CustomerNumber;
public java.util.Calendar CreationDate;
public java.util.Calendar LastModifiedDate;
public static class FundingInfo
implements java.io.Serializable
public float Amount;
public java.util.Calendar CurrentDate;
public int AccountNumber;
public static class anyType
implements java.io.Serializable
public com.bea.xml.XmlObject[] t;
public static class AccountInfo
implements java.io.Serializable
public int AccountNumber;
public float Balance;
public int CustomerNumber;
public java.util.Calendar LastModifiedDate;
* @jc:protocol form-post="false" form-get="false"
public AccountInfo CreateAccountChecking (CustomerInfo CustomerInfo, FundingInfo FundingInfo, anyType CommonHeader);
static final long serialVersionUID = 1L;
Here is the section of the MessageHandler class where I am attempting to add security token to the header:
protected void addSecurityHeader (MessageContext mc)
* Registers a handler for the SOAP message traffic.
HandlerRegistry registry = mc.getHandlerRegistry();
List list = new ArrayList();
list.add(new HandlerInfo(WSSEClientHandler.class, null, null));
registry.setHandlerChain(new QName("hello"), list);
try
WebServiceContext context = (WebServiceContext)WebServiceContext.currentContext().getLastMessageContext();
//(WebServiceContext)mc;
WebServiceSession session = context.getSession();
* Set the username and password token for SOAP message sent from the client, through
* the proxy, to the web service.
UserInfo ui = new UserInfo("weblogic", "weblogic");
session.setAttribute(WSSEClientHandler.REQUEST_USERINFO, ui);
//mc.setProperty(WSSEClientHandler.REQUEST_USERINFO, ui);
* Adds the username / password token to the SOAP header.
SecurityElementFactory factory = SecurityElementFactory.getDefaultFactory();
Security security = factory.createSecurity(null);
security.addToken(ui);
session.setAttribute(WSSEClientHandler.REQUEST_SECURITY, security);
//mc.setProperty(WSSEClientHandler.REQUEST_SECURITY, security);
} catch (Exception ex) {System.out.println("EXCEPTION CAUGHT DOING SECURITY STUFF " + ex.getMessage());}
I tried to use the MessageContext to do this but it came out null. I tried to cast the MessageContext to WebServiceContext and it gave me a Class Cast Exception. I tried to add the HandlerRegistry section to this but of course the assignment mc.getHandlerRegistry is improper and is not compiling so don't let that confuse you.

How to set WS Username token programmatically in java?

Hi,
Jdev Version: 11.1.1.4.0.
I have created a webservice proxy using Jdev from a wsdl.
I need to invoke a service from the client. But for this I need to set the username token in SOAP header to access the service.
The username token is not exposed or generated in the client.
When I run it from SOAP ui, I manually enetered,
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>1234</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">1111111111</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">XXXXXXXXXXXXXXXXXXXXXXXXXXX</wsse:Nonce>
<wsu:Created>2012-03-02T23:41:44.511Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
Without the username token I cannot invoke the service from my client code.
How do I add the username token to the generated clients in ADF?
Thanks in advance!!

I tried it by setting the credentials in requestContext and got the error:
Exception in thread "main" javax.xml.ws.WebServiceException: No Content-type in the header!
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:268)
 at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
 at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
 at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
 at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
 at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
 at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
 at com.sun.xml.ws.client.Stub.process(Stub.java:272)
 at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
 at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
 at $Proxy35.ping(Unknown Source)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
 at $Proxy36.ping(Unknown Source)
Is there something else I need to do?
Thanks!
Edited by: 953940 on Oct 11, 2012 7:34 AM

Testing a secured Web Service (Basic -Username/Password)

Hello,
I configured security for a custom web service using [this |https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e08627de-9816-2a10-02b7-cbd60f7e4b2c&overridelayout=true] . I configured section
3.2 Configuring Document Authentication
Basic (Username/Password)
How should I go about testing this. I tried using Web Service Navigator, I get this error:
00118565098B00220000011400001D8C00047182FEC71535 : Authentication using a wsse:Username token failed. The error was com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..

Please download tutorial bundle from:
http://java.sun.com/javaee/5/docs/tutorial/information/download.html
some details about it:
http://docs.sun.com/app/docs/doc/819-3669/gfiud?a=view
You can try examples after downloading zip file :
The zip file also contains a documentation e.g. pdf file.
There you can find more info.
Here is one chapter from doc.
Example: Basic Authentication with JAX-WS
This section discusses how to configure a JAX-WS-based web service for HTTP basic
authentication. When a service that is constrained by HTTP basic authentication is requested,
the server requests a user name and password from the client and verifies that the user name
and password are valid by comparing them against a database of authorized users.
Regards Miro

WS-Security Username Token issue with soap receiver

Hi All,
I have Proxy to SOAP scenario. Receiver web service is expecting below message in the soap header for authentication purpose.
<soapenv:Header>
 <wsse:Security>
<wsse:UsernameToken>
<wsse:Username>username</wsse:Username>
<wsse:Password Type="PasswordText">Password< wsse:Password>
</wsse:UsernameToken>
 </wsse:Security>
 </soapenv:Header>
User will trigger the message from ECC using some transaction. I need to pass this triggering person’s username and password to soap header dynamically. There are more than 2000 users in the system.
How can I retrieve this username and password and bind it to <wsse:Security> node?
Is it possible to achieve?
Please note: User’s details will not come in the message payload. I cannot user look up here.
Regards,
Muni

Asked web service team to use one service account for authentication. Used this blog How to Configure AXIS Framework for Authentication Using the "wsse" Security Standard in SAP PI to configure axis framework. Now we are able to send message to web service.
Regards,
Muni.

OWSM :: Unable to satisfy WSSE Basic Authentication

Hi,
I have dowloaded & installed the Oracle SOA Suite 10.1.3.1.0. I conveniently wrote a simple Java Web Service using Oracle JDeveloper 10.1.3 & protected the Web Service with Oracle Web Services Manager.
I have created a policy in Oracle Web Services Manager to extract the WSSE-Basic UserName and Password from the incoming SOAP Request & validate it with the credentials stored in a file.
The contents of the file are :-

oc4jadmin:{MD5}dUrDMlp/g1vXtP2Z+Fwl/w==
The request that I am sending to OWNSM ( handcrafted in SOAPSonar ) is :-

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" soap:mustUnderstand="1">
 <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <wsse:Username>oc4jadmin</wsse:Username>
 <wsse:Password>{MD5}dUrDMlp/g1vXtP2Z+Fwl/w==</wsse:Password>
 </wsse:UsernameToken>
 </wsse:Security>
</soap:Header>
 <soap:Body xmlns:ns1="http://com/oracle/ws/usf/WsUSF.wsdl/types/">
 <ns1:procGetSsnElement>
 <ns1:pMasterid>1</ns1:pMasterid>
 <ns1:pLastname>1</ns1:pLastname>
 <ns1:pFirstname>1</ns1:pFirstname>
 <ns1:pDob>2003-12-12T00:00:00Z</ns1:pDob>
 <ns1:pSystemcode>1</ns1:pSystemcode>
 </ns1:procGetSsnElement>
 </soap:Body>
</soap:Envelope>
However, the response that I keep getting from OWSM is :-

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
 <SOAP-ENV:Fault>
 <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.AuthenticationFault</faultcode>
 <faultstring>Invalid username or password</faultstring>
 <detail>
 </detail>
 </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I am not sure how to pass on the credentials using WSSE to OWSM. If I can get that right, I can craft the same request using the PL/SQL & move ahead with the actual business logic.
Can you guys please help me with this ?
Regards,
Sandeep

Hi Sandeep,
I do not have extensive experience with WSS, but the error message let me believe that there is something wrong with the value for the password, as the server replies with 'Inlavid' in the fault string.
When using WSS with oc4j 10.1.3.1, once you ask to use digest value for the password, you are also required to send two extra pieces of informations in the security header: a nonce and a timestamp.
Last, make sure that you don't send the {MD5} in the password element - this is most likely a hint from SOAPSonar.
Here is a sample of a soap payload generated from JDev 10.1.3.1 for a service secured on the oc4j (not exactly OWSM).
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://TrailerInfo/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <env:Header>
 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1">
 <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <wsse:Username>oc4jadmin</wsse:Username>
 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">ljF6f2hQ+4xRsD+m2TggreumeUs=</wsse:Password>
 <wsse:Nonce>GeIj1ZlHh9Pxq4KZ+0E9Rw==</wsse:Nonce>
 <wsu:Created ValueType="http://www.w3.org/2001/XMLSchema/dateTime">2007-03-27T15:29:17Z</wsu:Created>
 </wsse:UsernameToken>
 </wsse:Security>
 </env:Header>
 <env:Body>Hope it helps,
-Eric

WS-security Need to Get Username and Password and time Stamp in SOAP Header

HI ALL,
i need to get USERNAME and PWD in my Soap header for consuming Webservice using SAP PI ,
and my SOAP Header should look like this
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurityutility-
1.0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wsswssecurity-
secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-296915943">
<wsu:Created>2008-06-05T18:30:59.904Z</wsu:Created>
<wsu:Expires>2009-06-05T18:35:59.904Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-192809888">
<wsse:Username>midtier-service</wsse:Username>
xxxxxxxx: Confidential Green 10
<wsse:Password Type="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-username-token-profile-
1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
should i need to get some certificates from client and deploy it or should we do anything in SAP PI and send to soap header or can hard code it and send to webservice, please help me in this t
hanking you
Sridhar

i need to get USERNAME and PWD in my Soap header for consuming Webservice using SAP PI ,
Can be achieved by XSL Mapping or SOAP Axis Adapter. Search on SDN for further details as this has been discussed many a times on the forum.
should i need to get some certificates from client and deploy it or should we do anything in SAP PI and send to soap header or can hard code it and send to webservice, please help me in this t
First you need to confirm whether certificates are required or not. Might be the web service is using user id / password security (basic authorization).
How to use certificates in PI - Search on SAP Help, this has been explained in great details over there.

Encrypting wsse:Username?

Similar Messages

Maybe you are looking for