WS-Security UsernameToken Profile

This article or the following section is not adequately provided with supporting documents ( e.g. individual evidence ). Information without sufficient evidence could be removed soon. Please help Wikipedia by researching the information and including good evidence.

The WS-Security UsernameToken Profile is a standard of the World Wide Web Consortium W3C in the context of the WS- * specifications. This web service (WS) describes an authentication procedure or profile for creating a token with access to the interface according to WS-Security . It is a communication protocol to take into account the security aspects of web services.

On March 15, 2004, version 1.0 of the standard of the Organization for the Advancement of Structured Information Standards (OASIS) was published. The current version 1.1 followed on February 1, 2006.

Basically, it describes how a web service consumer receives a "security token" from a "security token service" based on the user name. The password can be transmitted in plain text or encrypted. A security context provides a shared secret with which messages are signed and encrypted, also compare with Transport Layer Security (SSL).

An example with the network protocol for SOAP - "Header Simple Object Access Protocol" looks like this:

<wsse:Security>
  <wsse:UsernameToken wsu:Id="Example-1">
    <wsse:Username>Zoe_test</wsse:Username>
    <wsse:Password Type="http://oasis-open.org">love$Dogs </wsse:Password>
    <wsse:Nonce EncodingType="UTF8">gXsJgA6vV </wsse:Nonce>
    <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>

The details of the specification can be found there.

Specifications

Additional and alternative profiles are described in the WS-Security specification:

• WS-Security

Web links

• Web Services Security UsernameToken Profile 1.1 (PDF)