Security Standards for SOAP Messages
OIPA adheres to the WS-Security standards for the authentication of SOAP messages. The standards, as developed by the OASIS Open committee, can be referenced here:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
The <wsse:UsernameToken> element carries the authentication information. The username and password are specified inside the <wsse:Username> and <wsse:Password> elements, respectively.
It is suggested that SSL (Secure Sockets Layer) be used to encrypt all SOAP messages in transit.
The optional <wsse:Nonce> element allows a nonce to be included as an additional safeguard. A nonce is a random value, in this case represented in base 64, that is embedded in the security header to help prevent an earlier message from being replayed. The client generates a new nonce for each request, and OIPA returns it along with the SOAP response. The <wsu:Created> element must contain the timestamp at which the nonce was created.
Example security header:

<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>username</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">EncryptedPassword</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">OUtRdmO7dLg/v+0DI04/DA==</wsse:Nonce>
      <wsu:Created>2009-09-28T17:43:02.546Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
Starting with the current release, OIPA by default does not allow web services to be invoked with hashed passwords. To continue using PasswordDigest, the property webservice.allowHashedPassword should be set to Yes. For more details, see the System Properties document available in the current release Documentation Library under Policy Administration Libraries of Oracle Help Center.
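The following added example (not OIPA's or Oracle's code) shows how the PasswordDigest, nonce and Created values described above fit together: the client computes the digest per the Username Token Profile 1.0 as Base64(SHA-1(nonce + created + password)), and the server recomputes it, enforces a freshness window on wsu:Created and rejects a nonce it has already accepted. The password store, the 5-minute window and the password "constructed-password" are assumptions; the nonce and timestamp are the ones from the header above.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # layout of wsu:Created in the header above

def password_digest(nonce_b64, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce || created || password)).
    The nonce contributes its raw (decoded) bytes; created and password are UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username, password, nonce=None, created=None):
    """Client side: a fresh random nonce and creation time for every request."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": password_digest(nonce_b64, created, password)}

class TokenVerifier:
    """Server side. Checking PasswordDigest requires reproducing the cleartext
    password, which is why OIPA gates the feature behind a property (assumed store)."""
    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords, self.max_skew, self.seen_nonces = passwords, max_skew, set()

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self.max_skew:
            return False                       # stale or future-dated header
        if token["Nonce"] in self.seen_nonces:
            return False                       # nonce already accepted: replay
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False
        self.seen_nonces.add(token["Nonce"])   # remember until the window has passed
        return True

def demo():
    """Uses the nonce and timestamp from the header above with a constructed password."""
    nonce, created = base64.b64decode("OUtRdmO7dLg/v+0DI04/DA=="), "2009-09-28T17:43:02.546Z"
    now = datetime(2009, 9, 28, 17, 43, 30, tzinfo=timezone.utc)
    store = {"username": "constructed-password"}
    token = build_token("username", "constructed-password", nonce, created)
    verifier = TokenVerifier(store)
    first, replay = verifier.verify(token, now), verifier.verify(token, now)
    wrong = TokenVerifier(store).verify(build_token("username", "wrong-password", nonce, created), now)
    stale = TokenVerifier(store).verify(token, now + timedelta(hours=1))
    return first, replay, wrong, stale       # (True, False, False, False)
```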