FileNet P8 Platform, Version 5.2.1            

Username token credentials

User name and password-based credentials can be passed in a WS-Security header

The Web Services Security Username Token Profile (available from http://docs.oasis-open.org) specifies how user name and password-based credentials can be passed in a WS-Security header. Any Web service client that adheres to this profile should be able to interact with any Web service that implements it. The profile defines the XML <wsse:UsernameToken> element and its children, including <wsse:Username> and <wsse:Password>, along with rules for how these fields must be used.

When Username tokens are sent in a WS-Security header, a secure, private channel such as an HTTPS connection must be used between the client and the server to prevent compromising the client's password. The profile defines two password types: a text password (PasswordText), which carries the password itself, and a password digest (PasswordDigest), which carries a Base64-encoded SHA-1 hash of the nonce, the creation timestamp and the password. FileNet P8 supports only the text password option, so the password travels in clear text inside the SOAP message and the transport channel is the only thing protecting it.

There are two optional elements that can be included in a Username token as countermeasures against replay attacks: the nonce and the creation timestamp.

  • A nonce is a random value that the sender creates for each request. The server maintains a cache of recent nonces and rejects any request that arrives with a nonce it has already seen.
  • The creation timestamp lets the server reject requests that are older than a configured time period. It also bounds how long the server must retain each nonce in its cache, since anything older than the window is rejected on the timestamp alone.

Use of both fields is recommended, but not required, by the profile. A nonce without a timestamp forces the server to remember nonces indefinitely, and a timestamp without a nonce still allows a captured request to be replayed within the freshness window, so the two are most effective together.

An example of a WS-Security header containing a Username token is shown below (some of the namespace values have been truncated, for the sake of brevity). The soap:mustUnderstand="1" attribute tells the receiver that it must process this header or fault the request:

<wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="Timestamp-3290b465-8a4a-4e34-b5da-1e35d80d613b">
    <wsu:Created>2005-11-17T19:24:15Z</wsu:Created>
    <wsu:Expires>2005-11-17T19:29:15Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:UsernameToken xmlns:wsu="…" wsu:Id="SecurityToken-84353116-ed06-4a1a-b896-19337481c488">
    <wsse:Username>MyUsername</wsse:Username>
    <wsse:Password Type="…#PasswordText">MyPassword</wsse:Password>
    <wsse:Nonce>QkzWRIL2COP9D4ELX4LyZQ==</wsse:Nonce>
    <wsu:Created>2005-11-17T19:24:15Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>
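A token like the one above can be produced and checked in a few dozen lines. The following is an added example, not code from the IBM documentation or from FileNet P8: it builds a PasswordText Username token with a nonce and Created timestamp, and verifies it on the server side with the two replay countermeasures described earlier, a freshness window and a nonce cache that is trimmed by that same window. The namespace URIs are the OASIS WSS 1.0 values; the 300-second window, the 60-second clock-skew allowance, the in-memory credential table and all class and function names are assumptions made for this example. A password_digest helper is included only to show what the PasswordDigest type that FileNet P8 does not accept would carry.

```python
"""Build and verify a WS-Security UsernameToken (PasswordText) with replay checks.

Added example, not IBM FileNet P8 code. Namespace URIs are the real OASIS WSS 1.0
values; UsernameTokenVerifier, the 300 s window, the 60 s skew allowance and the
credential table are illustrative choices for this example."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def build_username_token(username, password, now=None, nonce=None):
    """Client side: UsernameToken with PasswordText, a random nonce and Created."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)  # fresh random value for every request
    token = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = now.strftime(TIME_FMT)
    return ET.tostring(token, encoding="unicode")


def password_digest(nonce_b64, created, password):
    """The profile's PasswordDigest: Base64(SHA-1(nonce + created + password)).
    For contrast only; FileNet P8 accepts PasswordText exclusively."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


class UsernameTokenVerifier:
    """Server side: credential check plus timestamp freshness and nonce cache."""

    def __init__(self, credentials, max_age_seconds=300, skew_seconds=60, clock=None):
        self._creds = credentials  # {username: password}; constructed sample data
        self._max_age = timedelta(seconds=max_age_seconds)
        self._skew = timedelta(seconds=skew_seconds)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._seen = {}  # nonce -> Created time of the request that used it

    def _expire(self, now):
        # Tokens older than max_age fail the timestamp check anyway, so the
        # cache only has to remember nonces that fall inside the window.
        cutoff = now - self._max_age
        for nonce, created in list(self._seen.items()):
            if created < cutoff:
                del self._seen[nonce]

    def verify(self, token_xml):
        root = ET.fromstring(token_xml)
        user = root.findtext(f"{{{WSSE}}}Username")
        pw = root.find(f"{{{WSSE}}}Password")
        nonce = root.findtext(f"{{{WSSE}}}Nonce")
        created = root.findtext(f"{{{WSU}}}Created")
        if not user or pw is None:
            return False, "missing Username or Password"
        if pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:  # Type defaults to PasswordText
            return False, "only PasswordText is accepted"
        if nonce is None or created is None:
            return False, "Nonce and Created are required by this server"
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        now = self._clock()
        if created_dt > now + self._skew:
            return False, "Created is in the future"
        if now - created_dt > self._max_age:
            return False, "token too old"
        self._expire(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        expected = self._creds.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False, "bad credentials"
        self._seen[nonce] = created_dt
        return True, "ok"


def demo(now_iso="2005-11-17T19:24:15Z"):
    """Accept a fresh token, then reject its replay, a stale token and a bad password."""
    now = datetime.strptime(now_iso, TIME_FMT).replace(tzinfo=timezone.utc)
    server = UsernameTokenVerifier({"MyUsername": "MyPassword"}, clock=lambda: now)
    fresh = build_username_token("MyUsername", "MyPassword", now=now)
    stale = build_username_token("MyUsername", "MyPassword", now=now - timedelta(seconds=600))
    wrong = build_username_token("MyUsername", "wrong", now=now)
    return [server.verify(fresh)[1], server.verify(fresh)[1],
            server.verify(stale)[1], server.verify(wrong)[1]]


if __name__ == "__main__":
    print(demo())
```

The verifier records a nonce only after the credentials check out, and it compares passwords with a constant-time comparison. None of this removes the need for TLS: with PasswordText the password is readable by anyone who can see the SOAP message, and the nonce and timestamp only stop that message from being resent.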

When a Web service request containing a Username token arrives at a Content Platform Engine Web service, the Web service listener extracts the credentials from the WS-Security header and uses them to perform a Java Authentication and Authorization Service (JAAS) login through an application-server-specific user name and password login module. Once the JAAS login has completed successfully, the FileNet® P8 Web service listener holds a JAAS Subject and can pass the call along to Content Platform Engine over the Enterprise Java Beans (EJB) transport.



Last updated: March 2016
p8psn043.htm

© Copyright IBM Corporation 2017.