1 Reply Latest reply on Nov 16, 2007 10:23 AM by asoldano

Username token with password digest?

hugo_th02 Nov 5, 2007 11:59 PM

Hi all,
I want to implement username token security to my web service. The problem is that password always appears as plain text in the soap header message:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="token-7-1194379092000-19904003">
<wsse:Username>kermit</wsse:Username>
<wsse:Password>thefrog</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<ns1:wsMethod xmlns="http://ws.secure.res/" xmlns:ns1="http://ws.secure.res/"/>
</env:Body>
</env:Envelope>

I try to use digest password, but don't know how to config. So anyone successfully use that, please help me...
Thanks.

1. Re: Username token with password digest?

asoldano Nov 16, 2007 10:23 AM (in response to hugo_th02)

Our current username token profile implementation supports plain text passwords only.
See http://jira.jboss.org/jira/browse/JBWS-1296.
Btw keep in mind that simply having digest instead of plaintext password go over the wire does not increase security; consider using a transport level security (ssl) too.
Actions