You can use the <UsernameToken> element to propagate a user name and, optionally, password information. Also, you can use this token type to carry basic authentication information. Both a user name and a password are used to authenticate the SOAP message.
A UsernameToken element containing the user name is used in identity assertion. Identity assertion establishes the identity of the user based on the trust relationship.
The following example shows the syntax of the <UsernameToken> element:
<wsse:UsernameToken wsu:Id="Example-1"> <wsse:Username> ... </wsse:Username> <wsse:Password Type="..."> ... </wsse:Password> <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> <wsu:Created> ... </wsu:Created> </wsse:UsernameToken>
The Web services security specification defines the following password types:
WebSphere Application Server supports the default PasswordText type. However, it does not support password digest because most user registry security policies do not expose the password to the application software.
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org /wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <S:Header> ... <wsse:Security> <wsse:UsernameToken> <wsse:Username>Joe</wsse:Username> <wsse:Password>ILoveJava</wsse:Password> </wsse:UsernameToken> </wsse:Security> </S:Header> </S:Envelope>
In IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services, WebSphere Application Server supports both Username Token Profile 1.0 and Version 1.1 standards.
WebSphere Application Server does not support the following functions:
You can use policy sets to configure the UsernameToken using the administrative console. An assertion, similar to the following example, is created and included in the binding after configuration is complete:
<sp:UsernameToken sp:IncludeToken="mx:anyURI"? …> <wsp:Policy> <sp:WssUsernameToken11 …/> </wsp:Policy> </sp:UsernameToken>
Also, you can use the Web Services Security APIs to attach the Username token to the SOAP message. The following figure describes the creation and validation of the Username token:
On the generator side, the Username token is created by using the JAAS LoginModule and by using the JAAS CallbackHandler to pass the authentication data. The JAAS LoginModule creates the UsernameToken object and passes it to the Web Service Security runtime.
On the consumer side, the Username Token XML format is passed to the JAAS LoginModule for validation or authentication, and the JAAS CallbackHandler is used to pass the authentication data from the Web Service Security runtime to the JAAS LoginModule. After the token is authenticated, a UsernameToken object is created and is passed to the Web service security runtime.
The following example provides sample code for creating Username tokens:
WSSFactory factory = WSSFactory.getInstance(); WSSGenerationContext gencont = factory.newWSSGenerationContext(); // Attach the username token to the message. UNTGenerationCallbackHandler ugCallbackHandler = newUNTGenerationCallbackHandler("alice", "ecila"); SecurityToken ut = factory.newSecurityToken(ugCallbackHandler, UsernameToken.class); gencont.add(ut); // Generate the WS-Security header gencont.process(msgctx);