PasswordDigest in the UsernameToken

Hi,
I found two problems with the password digest in UsernameToken in JWSDP1.4.
1. The string "null" is included in the digest.
Following the OASIS Standard, the password digest is:
Base64(SHA-1 (nonce + created + password))
But, from the SOAP message produced by JWSDP1.4, the password digest is:
Base64(SHA-1 (nonce + "null" + created + password))
2. The size of the nonce.
Reading the createDigest method of com.sun.xml.wss.UsernameToken, this method seems to assume that the size of the nonce is always 18 bytes.
Using only JWSDP1.4 (client and web services), there is no problem.
But if the nonce is like "tTysr6xZZiwxa9PKZSL8KA==" (the decoded size is 16 bytes), does it work correctly?
I created a WSE2 client to interop with the JWSDP1.4 sample service (securesimple).
When sending the password in plain text in the UsernameToken, the authentication is successful.
But when sending the password digest in the UsernameToken, I receive the SOAP fault "Authentication of Username Password Token Failed".
I confirmed that the password digest generated by WSE2 is Base64(SHA-1 (nonce + created + password)).
I want to know if it's a JWSDP bug or not.
Thanks.

> Hi,
> I found two problems with the password digest in UsernameToken in JWSDP1.4.
> 1. The string "null" is included in the digest.
> Following OASIS Standard, the password digest is:
> Base64(SHA-1 (nonce + created + password))
> But, from the soap message by JWSDP1.4, the password digest is:
> Base64(SHA-1 (nonce + "null" + created + password))

I think you are right. This is a bug which should be fixed in the next release/update. Let me know if you need any help in countering this.

> 2. The size of nonce.
> Reading the createDigest method of com.sun.xml.wss.UsernameToken, This method seems to assume that the size of nonce is always 18 bytes.

Only while sending a message, a nonce of 18 bytes is used. When a message is received no assumption on the size of the nonce is made. <snip>

Thanks,
Vishal
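
The digest rule debated in this thread, as an added Python example (not JWSDP or WSE code): it computes Base64(SHA-1(nonce + created + password)) over the decoded nonce of any length and labels a received digest as standard, as the "null"-inserted variant reported above, or as one further variant that goes beyond the thread (hashing the Base64 text of the nonce instead of its decoded bytes). The function names, the timestamp and the password are assumptions made for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample values. The nonce string is the one quoted in the post
# (16 bytes once decoded); the timestamp and password are made up.
NONCE_B64 = "tTysr6xZZiwxa9PKZSL8KA=="
CREATED = "2006-08-11T12:57:54Z"
PASSWORD = "example-password"


def b64_sha1(*parts):
    """Return Base64(SHA-1(parts concatenated)); every part is bytes."""
    sha1 = hashlib.sha1()
    for part in parts:
        sha1.update(part)
    return base64.b64encode(sha1.digest()).decode("ascii")


def candidate_digests(nonce_b64, created, password):
    """Digest as the standard defines it, plus two non-interoperable variants.

    The nonce is Base64-decoded first and may be any length (16, 18, ...).
    Raises ValueError if the nonce is not valid Base64.
    """
    nonce = base64.b64decode(nonce_b64, validate=True)
    created_b = created.encode("utf-8")
    password_b = password.encode("utf-8")
    return {
        # Base64(SHA-1(nonce + created + password))
        "standard": b64_sha1(nonce, created_b, password_b),
        # The behaviour reported in the thread: the literal text "null"
        # ends up between the nonce and the created timestamp.
        "null-inserted": b64_sha1(nonce, b"null", created_b, password_b),
        # Not from the thread: the Base64 text of the nonce is hashed
        # instead of its decoded bytes.
        "nonce-not-decoded": b64_sha1(nonce_b64.encode("utf-8"),
                                      created_b, password_b),
    }


def standard_digest(nonce_b64, created, password):
    return candidate_digests(nonce_b64, created, password)["standard"]


def verify(nonce_b64, created, password, received_digest):
    """Receiver-side check: standard digest only, constant-time compare."""
    try:
        expected = standard_digest(nonce_b64, created, password)
    except ValueError:  # malformed Base64 in the Nonce element
        return False
    return hmac.compare_digest(expected.encode("ascii"),
                               received_digest.encode("utf-8"))


def diagnose(nonce_b64, created, password, received_digest):
    """Interop troubleshooting aid: name the variant a sender produced."""
    try:
        candidates = candidate_digests(nonce_b64, created, password)
    except ValueError:
        return "bad-nonce"
    received = received_digest.encode("utf-8")
    for name, value in candidates.items():
        if hmac.compare_digest(value.encode("ascii"), received):
            return name
    return "mismatch"


if __name__ == "__main__":
    good = standard_digest(NONCE_B64, CREATED, PASSWORD)
    bad = candidate_digests(NONCE_B64, CREATED, PASSWORD)["null-inserted"]
    print("standard digest :", good, "->", diagnose(NONCE_B64, CREATED, PASSWORD, good))
    print("'null' variant  :", bad, "->", diagnose(NONCE_B64, CREATED, PASSWORD, bad))
    print("verify(standard):", verify(NONCE_B64, CREATED, PASSWORD, good))
    print("verify('null')  :", verify(NONCE_B64, CREATED, PASSWORD, bad))
```

`diagnose` is meant for a test harness that already knows the shared password; a production receiver should only call `verify` and reject everything else.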

Similar Messages

  • What is the  UsernameToken based security for webservices

    Hi,
    I am accessing a webservice in a BPEL process as a partnerlink and providing WSseusername, wssePassword and wsseHeaders values in the partnerlink properties. But when I am executing the BPEL process it is giving an error like
    'AuthorizatioFailure : User not authorised to execute ' .
    I hope there is UsernameToken based security on this webservice. Can anybody help me on this issue?
    Thanks ,
    Durga..

    Hi Durga,
    Go to the composite.
    Right-click on the external reference service and select “Configure WS policies”.
    Under the security tab, click the add button and select “oracle/wss_username_token_client_policy”.
    Now open the property Inspector window and click the add button under the “Binding properties” tab.
    Include “oracle.webservices.auth.username” and give the user ID.
    Include “oracle.webservices.auth.password” and give the password.
    Hope this will help you.
    Regards
    PavanKumar.M

  • OSB 10gR3 - Process WS-Security flag not working with PasswordDigest

    Hi,
    According to the Oracle documentation, when you set the "process ws-security header" in the security section of a proxy service, the proxy service acts as an active intermediary and consumes the ws-security header received in inbound messages. This feature works fine when you call the proxy service using WS-Security Username Token Profile PasswordText, but when you send Username Token with PasswordDigest I got the following error: "weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions"
    I am using SoapUi to call the proxy with passwordDigest, WSS-Password Type option set to PasswordDigest.
    Proxy configured with:
    General tab -> WSDL based proxy service, this wsdl doesn't have ws-policy definitions inside.
    Transport tab -> Get all headers = Yes
    HTTP Transport tab -> HTTPS Required = No / Authentication = Basic
    Operation tab -> Enforce WS-I Compliance = not checked / Selection Algorithm = SOAP Body Type
    Message Content tab -> default settings
    Policy -> Added Auth.xml(predefined) policy to request policies.
    Security tab -> Process WS-Security header = Yes / Custom Authentication settings = none
    Error --->
    <01/12/2009 09h34min55s BRST> <Error> <OSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 6198860737666014185--de42214.12549f82d66.-7fdb, proxy: AlphaTests/MyProxy/Proxy/MyLogProxy, operation: null]
    --- Error message:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>Unable to validate identity assertions.</faultstring></env:Fault></env:Body></env:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
        at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:133)
        at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:77)
        at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)
        at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)
        at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
        at com.bea.wli.sb.security.wss.WssInboundHandler.processRequest(WssInboundHandler.java:155)
        at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:201)
        at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:257)
        at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:66)
        at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:508)
        at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:506)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(Unknown Source)
        at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
        at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:505)
        at com.bea.wli.sb.transports.TransportManagerImpl.receiveMessage(TransportManagerImpl.java:371)
        at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper$1.run(HttpTransportServlet.java:279)
        at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper$1.run(HttpTransportServlet.java:277)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(Unknown Source)
        at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.securedInvoke(HttpTransportServlet.java:276)
        at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.service(HttpTransportServlet.java:237)
        at com.bea.wli.sb.transports.http.HttpTransportServlet.service(HttpTransportServlet.java:133)
        at weblogic.servlet.FutureResponseServlet.service(FutureResponseServlet.java:24)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(Unknown Source)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    Eduardo,
    Yes, but the flag "Process WS-Security header" needs to be set to 'No' and I included a delete node to remove the wsse:Security element from header. Attaching Auth.xml predefined policy to my request operation, causes OSB to include the policy directive in my WSDL, but the PasswordText(see below).
    In Oracle security guide we have steps to configure PasswordDigest in the Oracle Service Bus Security Configuration using the WLS Console http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/model.html#wp1062542
    My doubt is: Is this a bug? "Process WS-Security header" flag is supposed to work with PasswordDigest?
    My WSDL with WS-Policy statements after Auth.xml policy was configured.
    <?xml version="1.0" encoding="UTF-8"?>
    <s2:definitions targetNamespace="http://alpha.tests.org" xmlns:s0="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s2="http://schemas.xmlsoap.org/wsdl/" xmlns:s3="http://alpha.tests.org" xmlns:s4="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <s0:Policy s1:Id="encrypt-custom-body-element-and-username-token">
    <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
    <wssp:SupportedTokens>
    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
    <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </s0:Policy>
    <wsp:UsingPolicy s2:Required="true"/>
    <s2:types>
    <xsd:schema elementFormDefault="qualified" targetNamespace="http://alpha.tests.org" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:impl="http://alpha.tests.org" xmlns:s0="http://schemas.xmlsoap.org/wsdl/" xmlns:s1="http://alpha.tests.org" xmlns:s2="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <xsd:element name="EchoRequest">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="send" type="xsd:string"/>
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    <xsd:element name="EchoResponse">
    <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="response" type="xsd:string"/>
    </xsd:sequence>
    </xsd:complexType>
    </xsd:element>
    </xsd:schema>
    </s2:types>
    <s2:message name="echoRequest">
    <s2:part element="s3:EchoRequest" name="echoPartReq"/>
    </s2:message>
    <s2:message name="echoResponse">
    <s2:part element="s3:EchoResponse" name="echoPartResp"/>
    </s2:message>
    <s2:portType name="MyAlphaPort">
    <s2:operation name="echo">
    <s2:input message="s3:echoRequest" name="echoRequest"/>
    <s2:output message="s3:echoResponse" name="echoResponse"/>
    </s2:operation>
    </s2:portType>
    <s2:binding name="MyAlphaBinding" type="s3:MyAlphaPort">
    <s4:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <s2:operation name="echo">
    <s2:input name="echoRequest">
    <s4:body use="literal"/>
    <wsp:Policy>
    <wsp:PolicyReference URI="#encrypt-custom-body-element-and-username-token"/>
    </wsp:Policy>
    </s2:input>
    <s2:output name="echoResponse">
    <s4:body use="literal"/>
    </s2:output>
    </s2:operation>
    </s2:binding>
    <s2:service name="MyAlphaBindingQSService">
    <s2:port binding="s3:MyAlphaBinding" name="MyAlphaBindingQSPort">
    <s4:address location="http://CLXSP0272:7001/MyAlphaService"/>
    </s2:port>
    </s2:service>
    </s2:definitions>

  • Consuming  a Web Service with PasswordDigest Authentication in ABAP

    Hello,
    I need to consume a web service in ABAP from a non-SAP application. The web service uses wsse:UsernameToken with PasswordDigest in the SOAP Header for authentication. However, I haven't seen any documentation for using Password Digest in ABAP.
    Is it possible to use Password Digest in ABAP?
    Thanks
    Ajay

    Hi Marc,
    Here is the ABAP Code to build the SOAP header.
    FUNCTION Z_GET_SOAP_REQUEST_HEADER.
    *"*"Local Interface:
    *"  EXPORTING
    *"     VALUE(ER_SECURITY_ELEMENT) TYPE REF TO  IF_IXML_ELEMENT
    *date and time data
      data: lv_sys_date like sy-datum,
            lv_sys_time like sy-uzeit,
            lv_year(4) type c,
            lv_month(2) type c,
            lv_date(2) type c,
            lv_hour(2) type c,
            lv_min(2) type c,
            lv_sec(2) type c.
      data : lv_created type string,
            lv_snonce type string,
            lv_b64nonce type string,
            lv_webservice_password type string,
            lv_webservice_userid type string,
            lv_spassword type string,
            lv_xpassword type xstring,
            lv_hpassword type hash160x,
            lv_b64password(255) type c,
            lv_xpasslen type i,
            lv_hpasslen type i.
    *xml declarations
      data : lv_sheader type string,
            lv_xheader type xstring,
            xml_document TYPE REF TO if_ixml_document,
            xml_root TYPE REF TO if_ixml_element,
            xml_element TYPE REF TO if_ixml_element,
            xml_node TYPE REF TO if_ixml_node.
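    *get the c-link password.
    CALL METHOD ZCL_CDB_SYNC_CFG_READER=>GET_USERID_PASSWORD
      IMPORTING
        EV_USER_ID  = lv_webservice_userid
        EV_PASSWORD = lv_webservice_password.
    *Evaluate created date time
    *(sy-datum/sy-uzeit are the application server's local date and time;
    * the 'Z' suffix appended below marks the value as UTC)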
      lv_sys_date = sy-datum.
      lv_sys_time = sy-uzeit.
      lv_year = lv_sys_date(4).
      lv_month = lv_sys_date+4(2).
      lv_date = lv_sys_date+6(2).
      lv_hour = lv_sys_time(2).
      lv_min = lv_sys_time+2(2).
      lv_sec = lv_sys_time+4(2).
      CONCATENATE lv_year '-' lv_month '-' lv_date 'T' lv_hour ':' lv_min ':' lv_sec '.000Z' into lv_created.
    *Create and encode the nonce
      CALL FUNCTION 'GENERAL_GET_RANDOM_STRING'
        EXPORTING
          NUMBER_CHARS  = 24
        IMPORTING
          RANDOM_STRING = lv_snonce.
      CALL METHOD cl_http_utility=>ENCODE_BASE64
        EXPORTING
          UNENCODED = lv_snonce
        RECEIVING
          ENCODED   = lv_b64nonce.
    *create the password to be sent to web service
      CONCATENATE lv_snonce lv_created lv_webservice_password into lv_spassword.
    *encode password to xstring
      CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
        EXPORTING
          TEXT   = lv_spassword
        IMPORTING
          BUFFER = lv_xpassword.
      lv_xpasslen = xstrlen( lv_xpassword ).
      CALL FUNCTION 'CALCULATE_HASH_FOR_RAW'
        EXPORTING
          ALG      = 'SHA1'
          DATA     = lv_xpassword
          LENGTH   = lv_xpasslen
        IMPORTING
          HASHX    = lv_hpassword
          HASHXLEN = lv_hpasslen.
      CALL FUNCTION 'SCMS_BASE64_ENCODE'
        EXPORTING
          INPUT            = lv_hpassword
          INPUT_LENGTH     = lv_hpasslen
        IMPORTING
          OUTPUT           = lv_b64password
        EXCEPTIONS
          OUTPUT_TOO_SMALL = 1
          OTHERS           = 2.
      IF SY-SUBRC <> 0.
    * MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
    *         WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
      ENDIF.
    * build the header
      CONCATENATE
    '<soap-env:Header xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    '<wsse:UsernameToken wsu:Id="########" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
    '<wsse:Username>'
    lv_webservice_userid
    '</wsse:Username>'
    '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">'
    lv_b64password
    '</wsse:Password>'
    '<wsse:Nonce>'
    lv_b64nonce
    '</wsse:Nonce>'
    '<wsu:Created>'
    lv_created
    '</wsu:Created>'
    '</wsse:UsernameToken>'
    '</wsse:Security>'
    '</soap-env:Header>'
    INTO lv_sheader.
    *Build the xml header element
      lv_xheader = cl_proxy_service=>cstring2xstring( lv_sheader ).
      TRY.
          CALL FUNCTION 'SDIXML_XML_TO_DOM'
            EXPORTING
              xml           = lv_xheader
            IMPORTING
              document      = xml_document
            EXCEPTIONS
              invalid_input = 1
              OTHERS        = 2.
          IF sy-subrc = 0 AND NOT xml_document IS INITIAL.
            xml_root = xml_document->get_root_element( ).
            er_security_element ?= xml_root->get_first_child( ).
            gr_soap_security_header = er_security_element.
          ENDIF.
        CATCH cx_ai_system_fault .
      ENDTRY.
    ENDFUNCTION.

  • Webservice security: manipulating the SOAP Header

    Hi all,
    I need to call a web service for which the following XWSS security policy is specified:
    <xwss:SecurityConfiguration dumpMessages="false" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
    </xwss:SecurityConfiguration>
    Looking at the BPEL Admin guide, I tried to add the following to the bpel.xml file:
    <property name="wsseOASIS2004Compliant">true</property>
    <property name="wsseHeaders">credentials</property>
    <property name="wsseUsername">username</property>
    <property name="wssePassword">digestedPassword</property>
    I tried to encrypt the password using either Base64 or sha1. In any case, the following error is returned:
    com.sun.xml.wss.XWSSecurityException: Receiver Requirement for Digested Password has not been met
    Apparently, the following header format has to be constructed:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    SOAP-ENV:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="XWSSGID-11553010711772067303919">
    <wsse:Username>username</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">digestedPassword</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">aNonce</wsse:Nonce>
    <wsu:Created>2006-08-11T12:57:54Z</wsu:Created>
    </wsse:UsernameToken>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
    theBody
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    How can I achieve that using BPEL Designer (using 10.1.2.1.0)?
    E.g. are there ways to directly influence the SOAP Header?
    Thanks.
    Best regards, Sjoerd

    More info:
    By specifying the header properties in the bpel.xml BPEL generates the following header data in the SOAP message (obtained using obtunnel):
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
    <wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
    soapenv:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>username</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">clearTextPassword</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
    theBody
    </soapenv:Body>
    </soapenv:Envelope>
    As you can see it uses the #PasswordText which indicates the use of a cleartext password.
    Thus the question remains: how to get the Nonce, the CreationTime and the PasswordDigest in the SOAP Header of the message (BPEL 10.1.2.1.0)?
    Thanks, Sjoerd

  • JavaCAPS 5.1.3 and WS-Security question (PasswordDigest)

    Hello,
    I've been successful in exposing secure WS from JCAPS 5.1.3, using the UserNameToken and both PasswordText and PasswordDigest, but the latter works only if the client is also made in JCAPS. At present I can make a call to JCAPS WS with both SoapUI and a .NET client, but only when the password is in clear, which is not secure at all... When I configure the WS for password encryption it works only from another eInsight BP. I was struggling with documentation to find any hint but there is almost nothing. Of course with JCAPS 6 we could leverage a much better WS stack, but I can't force the customer to update just because of this single issue.
    Thanks

    Post Author: amr_foci
    CA Forum: Integrated Solutions
    go to this link and find the documentation about your specific version
    http://support.businessobjects.com/documentation/supported_platforms/default.asp
    you will find supported platforms and connectivities
    good luck

  • Enabling Security for the cxf webservice

    I have created a CXF webservice and exposed it through a secured (HTTPS) webdomain. From my client I directly access the webservice without even using the SSL certificate of that webdomain.
    In my client code I am explicitly setting it to trust all the certificates, due to which it does not even check the authenticity of the client. This should not ideally happen for me.
    On doing some analysis, I see it is possible to do it using the tag <httpj:engine-factory bus="cxf"> (http://fusesource.com/docs/framework/2.1/security/HTTPCompatible.html#i488847). Even after adding those entries to my wsdl, I am unable to secure my webservice through my webdomain cert.
    Could someone please advise?


  • Any one knows how to use Axis Framework in the SOAP Adapter Modules

    How to use Axis Framework in the SOAP Adapter?
    How to add custom handler modules?
    http://help.sap.com/saphelp_nw04/helpdata/en/45/a4f8bbdfdc0d36e10000000a114a6b/frameset.htm
    I went through the above link on help.sap.com. But still could not create a working example.
    I have created a wc on some 3rd party app server using Apache Axis. I am trying to call that web service from XI using a SOAP receiver. I need to add some security related headers to the SOAP message, so I am trying to use a handler. I want to know how to configure this handler in the SOAP Axis adapter module.
    Thank you
    Moni

    Ravi ,
    I am trying exactly the same. Here is the scenario.
    ABAP Proxy --> PI (7.0) SP 12 ---> WebService.
    Since this service is secured, meaning it is using the OASIS web service security username token,
    I am trying to use the AXIS adapter, and I want to configure a HandlerBean in which I want to use the Apache wss4j API to add the userNameToken. I am looking for some documentation on this.
    I need to add SOAP action element too as I can not configure this one on the communication channel.
    Thanks for any inputs in this regard.
    Moni

  • Why is the security header empty in the response when mustUnderstand="1"?

    Hi
    In the response the value of mustUnderstand is equal to "1", but the UsernameToken data is not echoed, the security header is empty.
    It seems that either the credentials should be echoed or mustUnderstand should be equal to "0"
    An Axis 1.4 client threw an Exception because they interpreted the spec as such, and we've dealt with that but now
    I have an external party using some Microsoft stuff and they're having to intercept the response and set it to 0
    before processing the response.
    How should it be dealt with?
    I'm happy to write a handler that does this, and I tested some Oracle sample code but the header is always null.
    Source Code: AuthenticateHandler.java
    This is my test request...
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:env="http://www.w3.org/2003/05/soap-envelope" soap:mustUnderstand="1">
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Username>TestUser</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security></soap:Header>
        <soap:Body xmlns:ns1="http://webservicehandler/">
            <ns1:echoElement>DSF</ns1:echoElement>
        </soap:Body>
    </soap:Envelope>
    and my test response
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:env="http://www.w3.org/2003/05/soap-envelope" env:mustUnderstand="1"/>
    </env:Header><env:Body><ans1:echoResponseElement xmlns:ans1="http://webservicehandler/">DSF</ans1:echoResponseElement>
    </env:Body></env:Envelope>

    You aren't addressing Apple here; we are all users like you.
    Please submit to apple.com/feedback

  • Usernametoken Encryption

    We have been provided with the below policy file by our client. How can we generate a configuration file for WCF or WSE 3.0?
    We need to consume new web services and we are told that this policy should be able to generate message security configuration so that we can plug x509 certificates into that.
    Security requirements include:
    1. Encrypted Usernametoken using x509 asymmetric bindings and TripleDESRSA15 key.
    2. Digitally signed Soap Body and timestamp.
    svcutil is not generating a proper configuration file when we pass this policy. It has created a simple bindings node with endpoint details. It did not generate anything for security.
    Appreciate your help in advance.
    <wsp:Policy wsu:Id="policy0"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:InitiatorToken>
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:WssX509V3Token10 />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:X509Token>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:InitiatorToken>
    <sp:RecipientToken>
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:X509Token>
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:WssX509V3Token10 />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:X509Token>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:RecipientToken>
    <sp:AlgorithmSuite>
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:TripleDesRsa15 />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:Strict />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp />
    <sp:OnlySignEntireHeadersAndBody
    />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:AsymmetricBinding>
    <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:MustSupportRefEmbeddedToken
    />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:Wss10>
    <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body />
    </sp:SignedParts>
    <sp:EncryptedSupportingTokens
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:Policy>
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
    />
    <sp:HashPassword />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    </sp:EncryptedSupportingTokens>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>

    Hi,
    About encrypting the UsernameToken, you could refer to the following ways:
    // Sign the Message using a UsernameToken
    // Create the UsernameToken we use to sign the message
    UsernameToken userToken = new UsernameToken("phil", "notverysecret",
        PasswordOption.SendNone);
    // Sign the message with the UsernameToken
    MessageSignature sig = new MessageSignature(userToken);
    requestContext.Security.Elements.Add(sig);
    // Encrypt elements in the SOAP header using an X509 cert.
    // First of all create an encrypting token
    X509SecurityToken encryptingToken = GetServerToken();
    // Encrypt the UsernameToken element in the SOAP header
    requestContext.Security.Elements.Add(
        new EncryptedData(encryptingToken, "#" + userToken.Id));
    // The Signature element doesn't have an Id - we need to create one
    Guid id = Guid.NewGuid();
    // Assign the Id we created to the Signature
    sig.Signature.Id = id.ToString();
    requestContext.Security.Elements.Add(
        new EncryptedData(encryptingToken, "#" + sig.Signature.Id));
    For more information, you could refer to:
    https://redkestrel.co.uk/articles/encrypting-soap-with-wse/
    Regards
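
The policy in this thread asks for a hashed password (`sp:HashPassword`) inside the UsernameToken. As an added example, not code from the thread or from any of the products discussed, this is what a receiver checks for such a token under the OASIS UsernameToken Profile formula Base64(SHA-1(nonce + created + password)); the function names, the dictionary layout and the 5-minute freshness window are assumptions.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window
_seen = set()                   # replay cache; use a shared store with expiry in production
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)) over the *decoded* nonce bytes."""
    nonce = base64.b64decode(nonce_b64, validate=True)  # no fixed length assumed
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def new_token(username, password, nonce_len=16, now=None):
    """Sender side: fresh random nonce and UTC Created timestamp."""
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(os.urandom(nonce_len)).decode("ascii")
    created = now.strftime(FMT)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}

def verify_token(token, lookup_password, now=None):
    """Receiver side: returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    try:
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        presented = token["PasswordDigest"].encode("utf-8")
        expected = password_digest(token["Nonce"], token["Created"],
                                   lookup_password(token["Username"]))
    except (KeyError, ValueError):
        return False, "malformed or unknown user"
    if abs(now - created) > MAX_AGE:
        return False, "stale"
    if not hmac.compare_digest(expected.encode("ascii"), presented):
        return False, "digest mismatch"
    key = (token["Username"], token["Nonce"])
    if key in _seen:  # only authenticated tokens ever reach the cache
        return False, "replayed nonce"
    _seen.add(key)
    return True, "ok"

if __name__ == "__main__":
    users = {"alice": "constructed-password"}  # constructed sample credential
    tok = new_token("alice", "constructed-password", nonce_len=18)
    print(verify_token(tok, users.__getitem__))  # first use
    print(verify_token(tok, users.__getitem__))  # same nonce again
```

A captured digest can be tested offline against guessed passwords, so the `EncryptedSupportingTokens` wrapper in the policy (or transport encryption) is still needed on top of hashing.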

  • XWS - Programmatic UsernameToken

    Hi, all. I'm developing a multiuser web service client.
    To implement authentication/authorization, I've been taking a look at the new WS-Security support in JWSDP 1.4. It looks good, but I'm unable to find a way to specify username/password combinations for the UsernameToken element at runtime.
    I've only seen them provided at build-time to the wscompile ant target. This doesn't appear suitable for my application, which users would log into at runtime.
    Is anyone able to confirm or refute this? Any alternative recommendations are also welcomed.
    Thanks.
    Justin

    Hey All,
    I seem to be having problems getting UserTokens in my SOAP headers. I am attempting to connect to .Net based web services. Everything works fine - I can connect to and invoke the web services. However, when I try to enforce UserToken security the wheels fall off. I cannot seem to get the UserToken embedded in the SOAP header from the client. As such, I get a security exception regarding the missing security token. If I trace the SOAP messages I can see that there is NO token in the header (so it's not a matter of the token being bad or wrong). The relevant client-side code snippet I am using is shown below. Any help would be greatly appreciated!!
    Thanks,
    Mark.
    Admin admin = (Admin)(new Admin_Impl());
    AdminSoap adminSoap = admin.getAdminSoap();
    QName portName = new QName("http://something.com/webservices", "AdminSoap");
    SecurityConfigurator secCfg = new SecurityConfigurator( admin, portName );
    secCfg.addFilterForOutgoingMessages( new ExportUsernameTokenFilter("myuserid", "mypassword", true, false));
    secCfg.addDumpRequest().addDumpResponse();
    String myName = adminSoap.whoAmI();

  • Cannot access usernametoken in web service handler

    I am using the wsse usernametoken security standard. I cannot access the usernametoken information in the web services handler. The whole header is blank. Does anyone have this situation?


  • Trying to deploy a Metro JAX-WS Endpoint with UsernameToken wsit in Weblogic 12c

    Hi,
    we are trying to deploy a Metro-based JAX-WS endpoint to WebLogic 12c.
    The web service itself is successfully deployed on Tomcat with Metro 2.3 and Weld.
    For security, the wsit file is used in combination with the UsernameToken policy.
    For validation, an implementation of PasswordValidator (com.sun.xml.wss.impl.callback.PasswordValidationCallback.PasswordValidator) is used.
    Unfortunately this class is not present in the WebLogic JAX-WS implementation, despite the fact that the implementation is based upon Metro.
    Is there a possibility to use the standard Metro implementation for JAX-WS in WebLogic 12c (12.1.2.0)?
    We found a user guide here: https://metro.java.net/guide/ch02.html#weblogic-10 but it doesn't work for us.
    Maybe there is a problem with 12.1.2.0, because the user guide is for 12.1.1.0.
    Has anyone tried something similar?
    Thanks

    because using sun-jaxws.xml is a non-standard deployment descriptor. You need to use just the web.xml and instead of pointing at the JAX-WS RI servlet, point it at your endpoint implementation class. The AS 9 tutorial should show an example of this.

  • UsernameToken soap signature

    Hi,
    I'm new to Web services.
    I have to write a Java client to access a .NET Web service.
    I have to add TimeStamp and UsernameToken to the SOAP message, and I have to sign the SOAP request with the UsernameToken.
    I think I don't need to use a certificate.
    Do you have some idea, or some example, for my problem?
    Thanks

    check out the oasis ws-security interop testing example:
    http://webservice.bea.com:7001/

  • Issue on Deployment of AXIS framework in PI 7.0 Server.

    Hi Experts,
    We have a requirement to use the AXIS Framework in the Receiver SOAP adapter in PI 7.0. Moreover, we need the USERNAME token with PasswordDigest. We have deployed the aii_af_axisprovider.sda file in the PI server with all relevant .jar files. However, when we check the URL http://host:port/XIAxisAdapter/MessageServlet it shows that the following optional components are missing.
    1) XML Security API
    2) Apache WSS4J
    3) Apache Addressing
    However, we have used the wsdl4j-1.5.1.jar file. We have added an entry for wsdl4j-1.5.1.jar in provider.xml as well. However, it is still showing a warning that an optional component is missing.
    Could you please let us know which version of Apache WSS4J we need to deploy in the PI server, or whether we need to do any other configuration apart from the above to enable UserNameToken security with PasswordDigest?
    Thanks in advance.
    Regards
    Nilesh.

    Hi,
    Post the answer for your issue, so that others can have!
