TIBCO BusinessWorks: Understanding Web Services Security 22
6.1.1 Request Contents: UserName Token

In this particular test, the configuration is to use the UserName Token in Text Mode for Authentication.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Password>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-08-07T17:09:13.005Z</wsu:Created>
        <wsse:Nonce xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">Y7/sTGnv1b3+LLvd4EVPIA==</wsse:Nonce>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What Time is it?</ns0:Inquiry>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Notice the wsse and wsu namespaces (UsernameToken, Username, Password, Created, and Nonce), and the literal Username and Password (in clear text) together with a timestamp; all of these are shown in bold in the original listing. The timestamp (wsu:Created) is used with the timeout parameter to limit the useful time period for the nonce (wsse:Nonce); together, the Nonce and an explicit timestamp permit an ID/Password to be sent in the clear while the message itself cannot be reused or replayed. Note that they protect the message against replay, not the password against disclosure: anyone who can read the channel can read the password. The other form of password is Digest, which is more secure; for the best security using UserName Tokens, you should use TLS/SSL to encrypt the communications channel.

In order to capture this information, I used TCPMon to listen on Port 7176 and relay everything to Port 7177. To do this, modify the SOAP Client's Transport Details tab as shown below:
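To make the nonce, Created-timestamp and password-type handling concrete, here is a small server-side verifier for a wsse:UsernameToken. It is an added example, not TIBCO code and not part of the original document: it parses the captured envelope above (re-typed here as a constructed sample), rejects tokens whose Created is outside the timeout window, refuses a nonce it has already seen, and checks either a PasswordText value or a PasswordDigest computed as Base64(SHA-1(nonce + created + password)) per the WSS UsernameToken Profile 1.0. The credential store, the 300-second timeout, the result strings and the helper names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed sample, modelled on the captured request in the text above.
SAMPLE_REQUEST = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="{PW_TEXT}">admin</wsse:Password>
        <wsu:Created>2006-08-07T17:09:13.005Z</wsu:Created>
        <wsse:Nonce>Y7/sTGnv1b3+LLvd4EVPIA==</wsse:Nonce>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What Time is it?</ns0:Inquiry>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def parse_username_token(envelope_xml):
    """Pull the UsernameToken fields out of a SOAP envelope into a plain dict."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    password = token.find(f"{{{WSSE}}}Password")
    return {
        "username": token.findtext(f"{{{WSSE}}}Username"),
        "password": password.text if password is not None else None,
        # The profile treats a missing Type attribute as PasswordText.
        "type": password.get("Type", PW_TEXT) if password is not None else None,
        "created": token.findtext(f"{{{WSU}}}Created"),
        "nonce": token.findtext(f"{{{WSSE}}}Nonce"),
    }


def password_digest(nonce_b64, created, password):
    """PasswordDigest per the UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_created(created):
    """Parse wsu:Created (UTC, with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable wsu:Created: {created!r}")


class UsernameTokenVerifier:
    """Assumed server-side check: freshness window, nonce replay cache, then the password."""

    def __init__(self, credentials, timeout=timedelta(seconds=300), clock=None):
        self.credentials = credentials          # username -> password (constructed store)
        self.timeout = timeout                  # the "timeout parameter" from the text
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()                # production: bounded cache expiring after `timeout`

    def verify(self, token):
        secret = self.credentials.get(token["username"])
        if secret is None:
            return "unknown-user"
        if not token["created"] or not token["nonce"]:
            return "missing-nonce-or-created"
        try:
            created = parse_created(token["created"])
        except ValueError:
            return "bad-created"
        now = self.clock()
        # Reject tokens from the future (beyond a small skew allowance) or older than the timeout.
        if created > now + timedelta(seconds=60) or now - created > self.timeout:
            return "stale-created"
        if token["nonce"] in self.seen_nonces:
            return "replayed-nonce"
        if token["type"] == PW_DIGEST:
            expected = password_digest(token["nonce"], token["created"], secret)
        elif token["type"] == PW_TEXT:
            expected = secret
        else:
            return "unsupported-password-type"
        if not hmac.compare_digest(expected.encode(), (token["password"] or "").encode()):
            return "bad-password"
        self.seen_nonces.add(token["nonce"])    # only remember nonces that authenticated
        return "ok"


def make_digest_token(username, password, created, nonce_b64):
    """Build the dict a client would have sent in PasswordDigest mode (helper for the demo)."""
    return {"username": username, "password": password_digest(nonce_b64, created, password),
            "type": PW_DIGEST, "created": created, "nonce": nonce_b64}


def demo():
    """Walk the verifier through accept, replay, wrong password, digest mode and a stale token."""
    fixed = lambda *hms: (lambda: datetime(2006, 8, 7, *hms, tzinfo=timezone.utc))
    verifier = UsernameTokenVerifier({"admin": "admin"}, clock=fixed(17, 10, 0))
    token = parse_username_token(SAMPLE_REQUEST)
    results = [verifier.verify(token), verifier.verify(token)]          # ok, then replay
    results.append(verifier.verify(dict(token, password="wrong", nonce="AAAAAAAAAAAAAAAAAAAAAA==")))
    nonce = base64.b64encode(b"constructed-nonce-1").decode("ascii")
    results.append(verifier.verify(make_digest_token("admin", "admin", "2006-08-07T17:09:50Z", nonce)))
    late = UsernameTokenVerifier({"admin": "admin"}, clock=fixed(18, 0, 0))
    results.append(late.verify(parse_username_token(SAMPLE_REQUEST)))  # 51 minutes old
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce cache is what turns the timestamp into replay protection: the timeout bounds how long a nonce must be remembered, and a nonce is only recorded once the password check passes, so an attacker cannot burn legitimate nonces with guessed passwords. In a real endpoint, parse SOAP with a hardened parser (for example defusedxml) rather than the standard library one used here for brevity.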
6.1.2 Troubleshooting Bad ID or Password

Now, let's introduce an error into this situation: intentionally change the password on the UserNameToken Identity so that it fails authentication with the Administrator, then re-run the test. You will get a SOAPPLUGIN-100023 error, indicating that a SOAP Fault was sent by the service: