
TIBCO BusinessWorks: Understanding Web Services Security 22


6.1.1 Request Contents UserName Token
In this particular test, the configuration is to use the UserName Token in Text Mode for Authentication.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">admin</wsse:Password>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2006-08-07T17:09:13.005Z</wsu:Created>
        <wsse:Nonce xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">Y7/sTGnv1b3+LLvd4EVPIA==</wsse:Nonce>
      </wsse:UsernameToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What Time is it?</ns0:Inquiry>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Notice the wsse and wsu namespaces (UsernameToken, Username, Password, Created, and Nonce), the literal Username and Password (in clear text), and the timestamp; all of these are shown in bold in the original document. The timestamp (wsu:Created) is used with the timeout parameter to limit the useful time period for the nonce (wsse:Nonce); together, the Nonce and an explicit timestamp permit ID/Passwords to be sent in the clear without being reusable or subject to replay. The other form of password is Digest, which is more secure; for the best security with UserName Tokens, you should use TLS/SSL to encrypt the communications channel.
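As an added example (not code from the TIBCO document), the following Python shows how the Digest form of the password is computed from the same Nonce and Created values that appear in the envelope above, and how a service can enforce the timeout window and reject a reused nonce. The `UsernameTokenVerifier` class, the `build_token` helper and the credential map are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

# Password Type URI from the UsernameToken Profile 1.0 (the envelope above uses #PasswordText)
WSSE_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # shape of the wsu:Created value, e.g. 2006-08-07T17:09:13.005Z

def parse_created(created):
    """Parse a wsu:Created string into an aware UTC datetime."""
    return datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    """PasswordDigest as the profile defines it: Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(username, password, nonce_b64=None, created=None):
    """Client side (assumed helper): the values that fill Username, Nonce, Created and Password."""
    nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode()
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"Username": username, "Type": WSSE_DIGEST, "Nonce": nonce_b64,
            "Created": created, "Password": password_digest(nonce_b64, created, password)}

class UsernameTokenVerifier:
    """Service side (assumed): checks the Created window (the 'timeout' parameter) and nonce reuse."""
    def __init__(self, credentials, timeout_seconds=300):
        self.credentials = credentials            # constructed map: username -> password
        self.timeout = timedelta(seconds=timeout_seconds)
        self.seen = {}                            # nonce -> Created, replay cache

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        # Entries older than the window can no longer pass the time check, so they can be dropped.
        self.seen = {n: c for n, c in self.seen.items() if abs(now - c) <= self.timeout}
        if token.get("Type") != WSSE_DIGEST:
            return False, "only PasswordDigest tokens accepted"
        try:
            created = parse_created(token["Created"])
        except (KeyError, ValueError):
            return False, "missing or malformed Created"
        if abs(now - created) > self.timeout:
            return False, "Created outside timeout window"
        if token["Nonce"] in self.seen:
            return False, "nonce replayed"
        password = self.credentials.get(token["Username"])
        expected = password_digest(token["Nonce"], token["Created"], password or "")
        if password is None or not hmac.compare_digest(expected, token["Password"]):
            return False, "bad username or password digest"
        self.seen[token["Nonce"]] = created       # only record the nonce once the token is accepted
        return True, "ok"
```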
In order to capture this information, I used TCPMon to listen on port 7176 and relay everything to port 7177. To do this, modify the SOAP Client's Transport Details tab as shown below:



6.1.2 Troubleshooting Bad ID or Password
Now, let's introduce an error into this situation: intentionally change the password on the UserNameToken Identity so that it fails authentication with the Administrator, then re-run the test. You will get a SOAPPLUGIN-100023 error, indicating that a SOAP Fault was sent by the Service: