Hi R Kumar,
The token passing is part of the OASIS WS-Security standard. It details a mechanism for authentication through passing tokens (XML elements) within the header of the SOAP envelope. The specification for this is available using the URL below (page 7 starts detailing the UsernameToken) ---->
OASIS WSS Username Token profile
Typically a username token is sent initially to authenticate a user in a SOAP request. Here is an example.
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>Pete</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">od61xScYr9hAukzvz/DQXAtdxAA=</wsse:Password>
<wsse:Nonce>dL9uL5lBBm6eHwblHY4lVg==</wsse:Nonce>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">9VRW1tSrc7175HQ+X2cXLe75</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2004-11-18T10:46:19Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
If authentication is successful, in my case, the external webservice returns a custom token which is appended to the header of future requests.
It seems that some vendors, such as Microsoft in the .Net framework, fully implement the full standard whereas others only implement parts. This Microsoft link details the .Net implementation --->
WS-Security Drilldown in Web Services Enhancements 2.0
As per my original post, the latest version of WebLogic does not have out-of-the-box functionality to create username tokens with a password digest (only supports plain text passwords).
I'm currently looking into using the Apache Axis libraries to interface with this webservice, based on this source code -->
AXIS-WSSE
From my research it seems the Apache project 'WSS4J' is aiming to fully implement these token passing standards but is still very much in development. I found very little documentation on WSS4J other than API Javadocs.
R Kumar - you mention you've been using the WSS4J libraries. I'm guessing you downloaded the source code and built it yourself? What has your experience been with WSS4J?
Has anyone else implemented the WS-Security token passing mechanism in Java to communicate with a .Net (or other) web service that implements these standards?
Best Regards,
Pete.
[ February 14, 2005: Message edited by: Pete Tibbster ]