Username token

Username token

The <UsernameToken> element propagates a user name and optionally propagates the password information. Use this token type to carry basic authentication information.
Both a user name and a password are used to authenticate the message. A <UsernameToken> element that contains the user name is used in identity assertion. Identity assertion establishes the identity of the user, based on the trust relationship. The following example shows the syntax of the <UsernameToken> element:
<UsernameToken Id="..."> <Username>...</Username> <Password Type="...">...</Password> </UsernameToken>
The Web Services Security specification defines the following password types:

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText (default)

Actual password for the user name.

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest

Digest of the password for the user name. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password.

WebSphere Application Server supports the default PasswordText type. However, it does not support password digest because most user registry security policies do not expose the password to the application software. The following example illustrates the use of the <UsernameToken> element:
<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <S:Header> ... <wsse:Security> <wsse:UsernameToken> <wsse:Username>Joe</wsse:Username> <wsse:Password>ILoveJava</wsse:Password> </wsse:UsernameToken> </wsse:Security> </S:Header> </S:Envelope>

Nonce, a randomly generated token
Nonce is a randomly generated, cryptographic token used to prevent the theft of user name tokens used with SOAP messages. Nonce is used with the basic authentication (BasicAuth) method.

Related concepts

Binary security token
XML token
Security token

Related information

Default bindings and security runtime properties