Amsetwiki: Web Service Security http://socket3.leeds.ac.uk:8080/amsetwiki/ Wiki for JISC AMSeT Project en-us JSPWiki 2.8.1 http://socket3.leeds.ac.uk:8080/amsetwiki/Wiki.jsp?page=Web%20Service%20Security&version=-1 Web Service Security, version -1 clayton created this page on Wed May 13 21:12:10 BST 2009:<br /><hr /><br /><h4 id="section-Web+Service+Security-TheSOAPSecurityHeaderElement">The SOAP Security Header Element<a class="hashlink" href="#section-Web+Service+Security-TheSOAPSecurityHeaderElement">#</a></h4> <p>The <a class="external" href="http://docs.oasis-open.org/wsbpel/2.0/CS01/wsbpel-v2.0-CS01.html">WS-BPEL specification</a><img class="outlink" src="/amsetwiki/images/out.png" alt="" /> recommends the use of WS-Security to secure workflows.<br /> </p> <p>Alfresco implements the UsernameToken Profile of the <a class="external" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html">WS-I Basic Security Profile 1.0</a><img class="outlink" src="/amsetwiki/images/out.png" alt="" />. A SOAP message is given below showing a UsernameToken security header. There are four principal elements: <tt>Created </tt>and <tt>Expires </tt>timestamps, a <tt>Username </tt>and a <tt>Password</tt>.<br /> </p> <p>The <tt>Username</tt> corresponds to the name of the Alfresco administration account used to retrieve the security ticket from the Authentication Service and the Password is the corresponding <tt>Ticket</tt> string.<br /> </p> <p>The timestamps define the Time To Live (TTL) for the ticket. In this case any Web service request reaching Alfresco more than 5 minutes after the issue of the security ticket will result in an exception being thrown. The maximum permissible TTL is set programatically using the <tt>WSHandlerConstants.TTL_TIMESTAMP</tt> constant. Presumably it is pointless to set an <tt>Expires </tt>timestamp later in time than <tt>Created </tt> by an amount greater than the <tt>WSHandlerConstants.TTL_TIMESTAMP</tt> which defaults to 5 minutes. <br /> </p> <pre> &lt;env:Envelope xmlns:env=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt; &lt;env:Header&gt; &lt;Security xmlns=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;&gt; &lt;Timestamp xmlns=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot; ans1:Id=&quot;&quot; xmlns:ans1=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot; xmlns:ns1=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;&gt; &lt;ans1:Created&gt;2007-08-01T12:13:37+01:00&lt;/ans1:Created&gt; &lt;ans1:Expires&gt;2007-08-01T12:18:37+01:00&lt;/ans1:Expires&gt; &lt;/Timestamp&gt; &lt;UsernameToken xmlns:wsse=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot; xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot;&gt; &lt;Username&gt;admin&lt;/Username&gt; &lt;Password Type=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText&quot;&gt;TICKET_de9b08df-4017-11dc-8ec5-41f7efb0a5f7&lt;/Password&gt; &lt;/UsernameToken&gt; &lt;/Security&gt; &lt;/env:Header&gt; &lt;env:Body&gt; .... &lt;/env:Body&gt; &lt;/env:Envelope&gt; </pre> <p /> <p /> Wed, 13 May 2009 20:12:10 GMT