Authenticating with UsernameToken and Password Digest


Hi All,
I am working with Talend ESB version 5.6.1 - as part of a mediation route, I am making a call out to another SOAP web service using a cCXF component. This producer service requires authentication in the form of username tokens with a password digest.
I have checked the box 'Use Authentication' in the component and selected the type as 'UsernameToken' and added the username and password that I have been given to access the service. When I make the web service call, the SOAP headers are being updated with the username and password, but the password is being supplied as 'PasswordText':
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
    <wsse:UsernameToken wsu:Id="UsernameToken-43F397AAC44E79C61414776590245701">
      <wsse:Username>***MyUsername***</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">***PlainText Password ***</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>


However, I need to be able to specify the password with a type of 'PasswordDigest' which will subsequently hash the password with the nonce and timestamp:
<soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-3A6A283FDF95E3B9F814776448761251">
      <wsse:Username>***MyUsername***</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">NE+xXdqCKXvYDeIPCGvqOt4KaYq=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bA0eMKoKjaaPvBMzqLcu6Q==</wsse:Nonce>
      <wsu:Created>2016-10-28T08:54:36.123Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>

Has anyone been able to authenticate as the client to another web service using username tokens with a type of PasswordDigest?

Many thanks,

Sam
Employee

Re: Authenticating with UsernameToken and Password Digest

Hi Sam,
Right now, we don't support creating UsernameTokens with digest passwords in the Studio. I've created a JIRA in the past for this feature here:
https://jira.talendforge.org/browse/TESB-16082
I experimented with cProcessor to add the UsernameToken manually, however I wasn't able to get it to work in PAYLOAD mode, as the generated code turns off relay headers. It should be possible though to get it to work for non-PAYLOAD modes if this is an option for you.
Alternatively, it's possible to get it to work when you deploy to the container (but not in the Studio). If you select the UsernameToken authentication in the Studio and then deploy the route to the container, it uses the policy stored in etc/org.talend.esb.job.token.policy to create the security header. If you change the policy to, for example:
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
  <wsp:Policy>
    <sp:HashPassword/>
  </wsp:Policy>
</sp:UsernameToken>
Then it will create a UsernameToken with a hashed password.
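
For reference, an added example (not part of the original posts and not Talend or CXF code) of how a PasswordDigest token like the one in the question is computed and how a receiving service can check it: the WS-Security UsernameToken Profile 1.0 defines the digest as Base64(SHA-1(nonce + created + password)). The function names, the dictionary layout and the 5-minute freshness window are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Constructed example: helper names and the 5-minute window are assumptions.
# Namespace and type URIs are the ones in the headers quoted in the question.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(decoded nonce + Created + password)), per UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, now=None):
    """Client side: a fresh 16-byte nonce and UTC timestamp for every request."""
    now = now or datetime.now(timezone.utc)
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (now.microsecond // 1000)
    return {"username": username, "nonce": nonce, "created": created,
            "digest": password_digest(nonce, created, password)}

def to_xml(tok):
    """Render the wsse:Security block; the clear-text password never appears in it."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:UsernameToken>"
        f"<wsse:Username>{escape(tok['username'])}</wsse:Username>"
        f'<wsse:Password Type="{PROFILE}#PasswordDigest">{tok["digest"]}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{tok["nonce"]}</wsse:Nonce>'
        f"<wsu:Created>{tok['created']}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security>"
    )

def verify_token(tok, password, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """Receiver side: reject stale timestamps and replayed nonces, then compare digests."""
    now = now or datetime.now(timezone.utc)
    created = datetime.strptime(tok["created"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if abs(now - created) > max_age or tok["nonce"] in seen_nonces:
        return False
    expected = password_digest(tok["nonce"], tok["created"], password)
    if not hmac.compare_digest(expected, tok["digest"]):  # constant-time comparison
        return False
    seen_nonces.add(tok["nonce"])  # remember the nonce so a captured header cannot be replayed
    return True
```

The digest only proves knowledge of the password for one nonce and timestamp; the receiver still needs the clear-text password (or an equivalent) to recompute it, and the header should still travel over TLS.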