The Username and Password Digest token provides password element confidentiality without requiring channel-level security for the entire document.
The Username token includes a username and password, a cryptographic nonce (a parameter that varies with time) and, optionally, a timestamp. The password is hashed as a SHA-1 digest over the nonce, timestamp, and password:
password_digest = SHA1[nonce + timestamp + password]
When a timestamp is included, creating SHA-1 password digests provides protection against replay attacks by preventing an eavesdropper from cutting out the <wsse:UsernameToken> element and replaying it in a different document at a later time. Also, hashes of the same password along with the same nonce still resolve to different digest values, assuming that the timestamp has been updated.
The Username and Password Digest Token authentication scheme provides protection against replay attacks (where an eavesdropper might cut out and replay the token at a later time) by imposing a limit (60 minutes by default) on the age of the token. That is, if a token was created more than 60 minutes ago according to its <wsu:Created> timestamp, authentication fails.
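The digest computation and the age check described above, as an added example that is not part of the original documentation or of SOA Security Manager itself. It follows the WS-Security UsernameToken profile, where the nonce enters the hash as its decoded bytes and the SHA-1 result is Base64-encoded; the 60-minute limit is the default given in the text, while the 5-minute tolerance for a Created value slightly in the future, the token dictionary layout and all sample values are assumptions constructed for the example, and the consuming side is assumed to hold the password in the same form the generating side hashed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(minutes=60)   # default age limit given in the text
CLOCK_SKEW = timedelta(minutes=5)       # assumed tolerance for a Created value slightly in the future


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), with the nonce taken as its decoded bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(password: str, nonce: bytes, created: str) -> dict:
    """Generating side: the three values that travel in <wsse:UsernameToken>."""
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return {"nonce": nonce_b64, "created": created,
            "password_digest": password_digest(nonce_b64, created, password)}


def _parse_utc(stamp: str) -> datetime:
    # Accepts the "...Z" form used by <wsu:Created> as well as explicit offsets.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def verify_token(token: dict, stored_password: str, now: str) -> tuple:
    """Consuming side: enforce the age limit, then recompute and compare the digest."""
    age = _parse_utc(now) - _parse_utc(token["created"])
    if age > MAX_TOKEN_AGE:
        return False, "token older than 60 minutes"
    if age < -CLOCK_SKEW:
        return False, "Created timestamp is in the future"
    expected = password_digest(token["nonce"], token["created"], stored_password)
    # Constant-time comparison so the digest check itself leaks nothing about the expected value.
    if not hmac.compare_digest(expected, token["password_digest"]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    tok = make_token("s3cret", b"constructed-nonce-01", "2009-05-01T12:00:00Z")
    print(verify_token(tok, "s3cret", "2009-05-01T12:30:00Z"))   # (True, 'ok')
    print(verify_token(tok, "s3cret", "2009-05-01T13:00:01Z"))   # (False, 'token older than 60 minutes')
```

Re-running make_token with the same password and nonce but a later Created value yields a different digest, which is the point made in the paragraph above about refreshed timestamps.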
Note: The Username and Password Digest token is supported only with LDAP and ODBC-based user directories. For LDAP user directories, SOA Security Manager must be configured (using the Credentials and Connection tab in the Policy Server User Interface) to connect to the user store using an LDAP administrative identity if the directory implementation requires such credentials to return the userPassword attribute. For ODBC user directories, a "password" user property must be added to the SQL query scheme used by the directory.
Note: The password storage schemes used by the Username token-generating site must be consistent with the password storage scheme used by the Username token-consuming site. For instance, if the generating site uses SHA-1 password hashes in its user directory, then the consuming site must do the same.
Copyright © 2009 CA. All rights reserved.