When a client has been successfully authenticated, the API Gateway Explorer can insert a WS-Security UsernameToken into the downstream message as proof of the authentication event. The <wsse:UsernameToken> token enables a user's identity to be inserted into the XML message so that it can be propagated over a chain of web services.
A typical example would see a user authenticating to the API Gateway Explorer using HTTP digest authentication. After successfully authenticating the user, the API Gateway Explorer inserts a WS-Security UsernameToken into the message and digitally signs it to prevent anyone from tampering with the token.
The following example shows the format of the <wsse:UsernameToken> token:
<wsse:UsernameToken wsu:Id="oracle" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
  <wsu:Created>2006.01.13T-10:42:43Z</wsu:Created>
  <wsse:Username>oracle</wsse:Username>
  <wsse:Nonce EncodingType="UTF-8">
    KFIy9LgzhmDPNiqU/B9ZiWKXfEVNvFyn6KWYP+1zVt8=
  </wsse:Nonce>
  <wsse:Password Type="wsse:PasswordDigest">
    CxWj1OMnYj7dddMnU/DrOhyY3j4=
  </wsse:Password>
</wsse:UsernameToken>
This topic explains how to configure the API Gateway Explorer to insert a WS-Security UsernameToken after successfully authenticating a user.
To configure general settings, complete the following fields:
Name:
Enter an appropriate name for the filter.
Actor:
The UsernameToken is inserted into the WS-Security block identified by the specified SOAP Actor.
To configure the credential details, complete the following fields:
Username:
Enter the name of the user included in the UsernameToken.
By default, the authentication.subject.id message attribute is stored, which contains the name of an authenticated user.
Include Nonce:
Select this option if you wish to include a nonce in the UsernameToken. A nonce is a random number that is typically used to help prevent replay attacks.
Include Password:
Select this option if you wish to include a password in the UsernameToken.
Password:
If the Include Password check box is selected, the API Gateway Explorer inserts the user's password into the generated WS-Security UsernameToken. It can insert either the Clear or the SHA1 Digest version of the password, depending on which radio button you select. Oracle recommends the digest form of the password to avoid potential eavesdropping.
You can either explicitly enter the password for this user in the Password field, or use a message attribute by selecting the Wildcard option and entering the message attribute selector in the field provided. The default is ${authentication.subject.password}, which contains the user password used to authenticate to the API Gateway Explorer.