UsernameToken with password text, nonce, and created timestamp over SSL
This policy requires that you protect the message with HTTPS, and that a UsernameToken is used for authentication. The user password within the UsernameToken is sent as clear text, and a timestamp and nonce are included. There is also a message Timestamp. You can modify this policy to remove the requirement of nonce and timestamp. For testing purposes, you can also remove the TransportBinding to send the UsernameToken over HTTP for simplicity.
The following policy shows a UsernameToken with password text, nonce, and created timestamp over
SSL:
<wsp:Policy wsu:Id="UserNameTokenPasswordTextOverSSL">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
<sp13:Created />
<sp13:Nonce />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The
namespaces used in this example are:- xmlns:wsp="http://www.w3.org/ns/ws-policy"
- xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
- xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
This policy is analogous to the Username WSHTTPS default policy set in WebSphere Application Server traditional.