
About WS-Security UserName Token Profile Support


Siebel Business Applications support the WS-Security UserName Token mechanism, which allows for the sending and receiving of user credentials in a standards-compliant manner. The UserName token is a mechanism for providing credentials to a Web service where the credentials consist of the UserName and Password. The password must be passed in clear text. The UserName token mechanism provides a Web service with the ability to operate without having the username and password in its URL or having to pass a session cookie with the HTTP request.

The following is a sample of the UserName token showing the username and password:

<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">
  <wsse:UsernameToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
    <wsse:Username>WKANDINSKY</wsse:Username>
    <wsse:Password Type="wsse:PasswordText">AbstractArt123</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

NOTE:  If using Web single sign-on (SSO), use the Siebel trust token value in wsse:Password instead of the password.

About Support for the UserName Token Mechanism

Support for the UserName Token mechanism includes the following:

  • Allows an inbound SOAP request to contain user credentials that can be provided to the inbound SOAP dispatcher to perform the necessary authentication
  • Allows an inbound SOAP dispatcher to perform the necessary authentication on an inbound SOAP request that contains user credentials
  • Allows an outbound SOAP request to contain user credentials that can be utilized by the external application

The following is an example of passing the user name and password by way of a URL:

http://webserver/eai_enu/start.swe?SWEExtSource=WebService&SWEExtCmd=Execute&Username=SADMIN&Password=SADMIN

With UserName tokens, the URL does not reveal the user credentials:

http://webserver/eai_anon_enu/start.swe?SWEExtSource=SecureWebService&SWEExtCmd=Execute

NOTE:  Using WS-Security is optional. If security is of the utmost importance, and if it is critical that the password not be provided in clear text, use HTTPS.
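
The following Python code is an added example, not Oracle or Siebel code. It builds a SOAP request whose header carries the UserName token from the sample above, and it refuses an endpoint that is not HTTPS or that still carries Username or Password in its query string. The SOAP 1.1 envelope namespace, the function names and the Ping payload are assumptions. Requiring HTTPS is a policy choice based on the preceding note.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"     # SOAP 1.1 (assumed)
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/07/secext"  # from the sample above
ET.register_namespace("soap", SOAP_NS)
# Keep the "wsse" prefix so that Type="wsse:PasswordText" resolves correctly.
ET.register_namespace("wsse", WSSE_NS)


def check_endpoint(url):
    """Return url if a clear-text UserName token may be sent to it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("token password is clear text; endpoint must be HTTPS")
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    leaked = sorted(keys & {"username", "password"})
    if leaked:
        raise ValueError("credentials found in URL query: " + ", ".join(leaked))
    return url


def build_envelope(username, password, payload_xml):
    """Wrap payload_xml in a SOAP envelope whose header carries the token."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pwd = ET.SubElement(tok, f"{{{WSSE_NS}}}Password",
                        {"Type": "wsse:PasswordText"})
    pwd.text = password  # ElementTree escapes &, < and > when serializing
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(payload_xml))
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    # HTTPS form of the page's SecureWebService URL (host name as on the page).
    url = check_endpoint("https://webserver/eai_anon_enu/start.swe"
                         "?SWEExtSource=SecureWebService&SWEExtCmd=Execute")
    # Constructed payload; a real request carries the operation's own body.
    print(url)
    print(build_envelope("WKANDINSKY", "AbstractArt123",
                         "<Ping xmlns='urn:example'/>"))
```

Building the token with an XML library rather than string concatenation keeps a password containing &, < or > from breaking or altering the envelope.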

Using the UserName Token for Inbound Web Services

The Inbound Web Services view provides an interface for associating operations with authentication types. The names of the operations must be globally unique. The applet shown in Figure 28 can be defined as requiring no authentication, or requiring a UserName Token with username and password provided in clear text.

Figure 28. Inbound Web Services View and the UserName Token

NOTE:  No authentication type implies that the user credentials are in the URL.

Using the UserName Token for Outbound Web Services

Each Web service operation in the Outbound Web Services list applet can be tied to an authentication type by selecting a value from the Authentication Type picklist in the Operations picklist of the applet shown in Figure 29.

Figure 29. Outbound Web Services List Applet and the Operations PickList
Integration Platform Technologies: Siebel Enterprise Application Integration Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices.