WS Security on Consumer WSD: PasswordText with Nonce and Created

Hi all,

I want to add a username token to our outgoing SOAP requests containing a username, clear(plaintext) password, nonce, and created date like below:

<wsse:UsernameToken wsu:Id=“UsernameToken”>
wsse:UsernameAdministrator</wsse:Username>
<wsse:Password Type=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText”>manage</wsse:Password>
<wsse:Nonce EncodingType=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary”>+N5aKhsk4nK+mvU6w//HRg==</wsse:Nonce>
wsu:Created2018-10-15T09:10:09.132Z</wsu:Created>
</wsse:UsernameToken>

Is this possible? What I’ve done so far:

  1. Added a port alias to the consumer WSD’s binding to make the username and password configurable.
  2. Played around with policies. I can get a username token with a username and clear password, and I’ve been able to get it to have a username, hashed password digest, nonce, and created. With IS 10.1, is this even possible, given that policies are only supporting up to WSSecurityPolicy 1.2?

Hi Jondric Zafra,

As you mentioned that “I’ve been able to get it to have a username, hashed password digest, nonce, and created.”, we now need to send the same manner, can you please share the policy if we have like this.

Regards,
Ravi.

another quick update, i am using the below pocily file, however i am getting response “Security processing failed (actions mismatch)”, is there any way to track the SOAP header going out from IS apart from TCP/IP monitor which is not showing anything.

<wsp:Policy wsu:Id=“Username_Over_Transport_Digest” Name=“Username Over Transport with Digest”
xmlns:wsp=“http://schemas.xmlsoap.org/ws/2004/09/policy
xmlns:wsu=“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”>
wsp:ExactlyOne
wsp:All
<sp:TransportBinding xmlns:sp=“http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702”>
wsp:Policy
sp:TransportToken
wsp:Policy
<sp:HttpsToken RequireClientCertificate=“false” />
</wsp:Policy>
</sp:TransportToken>
sp:AlgorithmSuite
wsp:Policy
sp:Basic256Sha256/
</wsp:Policy>
</sp:AlgorithmSuite>
sp:Layout
wsp:Policy
sp:Strict/
</wsp:Policy>
</sp:Layout>
sp:IncludeTimestamp/
</wsp:Policy>
</sp:TransportBinding>

        <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient" >
                    <wsp:Policy>
                            <sp:HashPassword/>
                    </wsp:Policy>
            </sp:UsernameToken>
            </wsp:Policy>
        </sp:SignedSupportingTokens>
    </wsp:All>
</wsp:ExactlyOne>

</wsp:Policy>