When a client has been successfully authenticated, the API Gateway can insert a WS-Security Username Token into the downstream message as proof of the authentication event. The <wsse:UsernameToken> token enables a user's identity to be inserted into the XML message so that it can be propagated over a chain of Web services.
A typical example would see a user authenticating to the API Gateway using HTTP Digest Authentication. After successfully authenticating the user, the API Gateway inserts a WS-Security Username Token into the message and digitally signs it to prevent anyone from tampering with the token.
The following example shows the format of the <wsse:UsernameToken> token:

    <wsse:UsernameToken wsu:Id="oracle" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
        <wsu:Created>2006.01.13T-10:42:43Z</wsu:Created>
        <wsse:Username>oracle</wsse:Username>
        <wsse:Nonce EncodingType="UTF-8">
            KFIy9LgzhmDPNiqU/B9ZiWKXfEVNvFyn6KWYP+1zVt8=
        </wsse:Nonce>
        <wsse:Password Type="wsse:PasswordDigest">
            CxWj1OMnYj7dddMnU/DrOhyY3j4=
        </wsse:Password>
    </wsse:UsernameToken>
This topic explains how to configure the API Gateway to insert a WS-Security Username Token after successfully authenticating a user.
To configure general settings, complete the following fields:
Name:
Enter an appropriate name for the filter.
Actor:
The Username Token is inserted into the WS-Security block identified by the specified SOAP Actor.
To configure the credential details, complete the following fields:
Username:
Enter the name of the user included in the Username Token. By default, the authentication.subject.id message attribute is used, which contains the name of an authenticated user.
Include Nonce:
Select this option if you wish to include a nonce in the Username Token. A nonce is a random number that is typically used to help prevent replay attacks.
Include Password:
Select this option if you wish to include a password in the Username Token.
Password:
If the Include Password checkbox is selected, the API Gateway inserts the user's password into the generated WS-Security Username Token. It can insert either the cleartext password or a SHA1 digest of it, depending on which radio button you select. Oracle recommends the digest form of the password to avoid potential eavesdropping.
You can either explicitly enter the password for this user in the Password field, or use a message attribute by selecting the Wildcard option and entering the message attribute in the field provided. By default, the authentication.subject.password attribute is used, which contains the password used by the user to authenticate to the API Gateway.
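The following is an added example, not code from the Oracle documentation or from the API Gateway product. It shows what a downstream service has to do with a Username Token of the kind described above (the token format shown earlier, and the digest password option from the Password field): build a token carrying a nonce, a Created timestamp and a PasswordDigest, then verify it by recomputing the digest, checking that Created is fresh, and rejecting a nonce that has already been seen. The digest formula Base64(SHA-1(nonce + created + password)) and the namespace URIs are those of the OASIS Username Token Profile 1.0; the Created value uses the ISO 8601 form that profile expects rather than the format in the sample token above. The usernames, passwords, nonce and timestamps are constructed test data, and the lookup_password callback and seen_nonces set are assumptions standing in for a real credential store and replay cache.

```python
"""Build and verify a WS-Security UsernameToken with a PasswordDigest (constructed example)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Optional, Set, Tuple
from xml.sax.saxutils import escape

# OASIS WSS 1.0 namespace URIs and the PasswordDigest type identifier.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw bytes (before Base64 encoding); created is the exact
    string placed in <wsu:Created>; password is the shared secret.
    """
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_created(created: str) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp like 2024-01-01T00:00:00Z; None if malformed."""
    try:
        return datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> str:
    """Serialize a UsernameToken with a digest password, a Base64 nonce and Created."""
    nonce = nonce if nonce is not None else os.urandom(16)      # fresh random nonce
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    digest = password_digest(nonce, created, password)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken>'
    )


def verify_username_token(token_xml: str,
                          lookup_password: Callable[[str], Optional[str]],
                          seen_nonces: Set[str],
                          now: Optional[datetime] = None,
                          max_skew_seconds: int = 300) -> Tuple[bool, str]:
    """Verify a digest UsernameToken; returns (ok, reason).

    Rejects tokens whose Created is outside the freshness window, whose nonce
    was already accepted (replay), or whose digest does not match the stored
    password. The nonce is recorded only after a successful verification.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(token_xml)
    username = root.findtext(f"{{{WSSE}}}Username")
    pw_el = root.find(f"{{{WSSE}}}Password")
    nonce_b64 = (root.findtext(f"{{{WSSE}}}Nonce") or "").strip()
    created = (root.findtext(f"{{{WSU}}}Created") or "").strip()
    if not username or pw_el is None or not nonce_b64 or not created:
        return False, "missing element"
    if pw_el.get("Type") != DIGEST_TYPE:
        return False, "password is not a digest"
    created_dt = parse_created(created)
    if created_dt is None:
        return False, "malformed Created"
    if abs((now - created_dt).total_seconds()) > max_skew_seconds:
        return False, "Created outside freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    password = lookup_password(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    # Constant-time comparison so a wrong digest cannot be distinguished by timing.
    if not hmac.compare_digest(expected, (pw_el.text or "").strip()):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)
    return True, "ok"


if __name__ == "__main__":
    store = {"oracle": "s3cret"}          # constructed credential store
    cache: Set[str] = set()               # constructed replay cache
    token = build_username_token("oracle", "s3cret")
    print(token)
    print(verify_username_token(token, store.get, cache))   # (True, 'ok')
    print(verify_username_token(token, store.get, cache))   # (False, 'nonce replayed')
```

The freshness window and the nonce cache are what make the digest form resist replay: without them an intercepted token could be resubmitted indefinitely, digest or not. Note that the digest only hides the password from an eavesdropper; it does not bind the token to the rest of the message, which is why the text above has the API Gateway sign the inserted token.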