!The SOAP Security Header Element

The [WS-BPEL specification|http://docs.oasis-open.org/wsbpel/2.0/CS01/wsbpel-v2.0-CS01.html] recommends the use of WS-Security to secure workflows.\\

Alfresco implements the UsernameToken Profile of the [WS-I Basic Security Profile 1.0|http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html].  The SOAP message below shows a UsernameToken security header.  It has four principal elements: {{Created}} and {{Expires}} timestamps, a {{Username}} and a {{Password}}.\\

The {{Username}} is the name of the Alfresco administration account used to retrieve the security ticket from the Authentication Service, and the {{Password}} is the corresponding {{Ticket}} string.\\

The timestamps define the Time To Live (TTL) for the ticket. In this case, any Web service request reaching Alfresco more than 5 minutes after the issue of the security ticket will result in an exception being thrown.  The maximum permissible TTL is set programmatically using the {{WSHandlerConstants.TTL_TIMESTAMP}} constant.  Presumably it is pointless to set an {{Expires}} timestamp that is later than {{Created}} by more than {{WSHandlerConstants.TTL_TIMESTAMP}}, which defaults to 5 minutes.\\

{{{
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" 
              xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
        <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       ans1:Id="" 
                       xmlns:ans1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                       xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <ans1:Created>2007-08-01T12:13:37+01:00</ans1:Created>
                <ans1:Expires>2007-08-01T12:18:37+01:00</ans1:Expires>
            </Timestamp>
            <UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TICKET_de9b08df-4017-11dc-8ec5-41f7efb0a5f7</Password>
            </UsernameToken>
        </Security>
    </env:Header>
    <env:Body>
        
    ....

    </env:Body>
</env:Envelope>
}}}
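
The timestamp rule described above, sketched as a receiver-side check in Python. This is an added example, not Alfresco's own code: {{check_header}}, {{TTL}} and {{SAMPLE}} are hypothetical names, and taking the earlier of {{Expires}} and {{Created}} + TTL as the deadline is an assumption about how the limit is applied.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"env": ENV, "wsse": WSSE, "wsu": WSU}
TTL = timedelta(minutes=5)  # receiver-side limit; 5 minutes is the default named above

# Constructed sample: the header shown above, reduced to the four principal elements.
SAMPLE = f"""<env:Envelope xmlns:env="{ENV}"><env:Header>
<Security xmlns="{WSSE}"><Timestamp xmlns="{WSU}">
<Created>2007-08-01T12:13:37+01:00</Created>
<Expires>2007-08-01T12:18:37+01:00</Expires></Timestamp>
<UsernameToken><Username>admin</Username>
<Password>TICKET_de9b08df-4017-11dc-8ec5-41f7efb0a5f7</Password>
</UsernameToken></Security></env:Header><env:Body/></env:Envelope>"""


def _text(parent, path):
    """Return the stripped text of a required child, or raise ValueError."""
    node = parent.find(path, NS)
    if node is None or not (node.text or "").strip():
        raise ValueError(f"missing {path}")
    return node.text.strip()


def check_header(xml_text, now, ttl=TTL):
    """Return (username, ticket) if the token is still within its lifetime."""
    # The sample is constructed; parse untrusted XML with a hardened parser.
    sec = ET.fromstring(xml_text).find("env:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    created = datetime.fromisoformat(_text(sec, "wsu:Timestamp/wsu:Created"))
    expires = datetime.fromisoformat(_text(sec, "wsu:Timestamp/wsu:Expires"))
    if created.tzinfo is None or expires.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    if expires <= created:
        raise ValueError("Expires is not after Created")
    # An Expires further out than Created + TTL buys nothing: the receiver's
    # TTL still bounds the lifetime, so the earlier of the two deadlines wins.
    deadline = min(expires, created + ttl)
    if now < created or now > deadline:
        raise ValueError("request outside token lifetime")
    return (_text(sec, "wsse:UsernameToken/wsse:Username"),
            _text(sec, "wsse:UsernameToken/wsse:Password"))
```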