Basic authentication soap header values?

I've been using wsse security. And username and password, could be specified as part of soap header.

<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-9419978" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password></wsse:UsernameToken></wsse:Security> </soapenv:Header>

Now since now i will be using basic authentication, how the SOAP header is going to look like? I'm using JAX-WS from JBoss.

Seems no one encountered this problem?

WS-Security does not use Basic Authentication (which is an HTTP mechanism). WSS username/password authentication looks like what you posted.

If I am not wrong, basic authentication information is sent as part of request header.
Your request header will contain an element as follow "Authorization: Basic bHdzc3J2MXQ6bHdzQGszeTE="

Refer the last section of my post Basic Auth. It will give a code snippet while using Axis client.

I repeat: Basic Authentication is not used with WS-Security. Let's wait for Amandeep to clarify what he meant by that.

Ulf Dittmer wrote:I repeat: Basic Authentication is not used with WS-Security. Let's wait for Amandeep to clarify what he meant by that.

Yes, you are right. Basically I was looking, when using basic authentication how does the soap header looked like. Anyhow I can also try to find out the same information using wireshark.

Amandeep Singh wrote:Basically I was looking, when using basic authentication how does the soap header looked like.

Basic Authentication looks like it always does; Nischit already told you what that is. It has no, I repeat: no, bearance on any SOAP headers which are completely independent on it. Furthermore, there is no point in using both Basic Authentication and WS-Security authentication. So why don't you tell us what you're trying to accomplish? Because it seems like you're doing something that is misguided.

I repeat, I understand there is no point in using wsse and http authentication together.

Basically I was looking, when using basic authentication how does the soap header looked like.

In my context above line makes clear what I am looking for. I'm not sure why you are unable to interpret the above sentence. May be I've Indian English, makes it hard to understand.

Your request header will contain an element as follow "Authorization: Basic bHdzc3J2MXQ6bHdzQGszeTE="

Nischit get it what I meant. Let me dive more.

Assume you are writing a soap request manually not using any library. You know the username password to access web service is this test1/test2. Is it possible by human to write/express username/password in soap message when using basic authentication without using any tool to construct soap message. And here I meant to write soap xml not specifying username/password thru java coding which i know how it can be done. If I assume test1/test2 would be transformed to value "Authorization: Basic bHdzc3J2MXQ6bHdzQGszeTE=" when using http authentication. Then I can say it's only possible using some library. May be here I'm saying more broad meaning by constructing soap message, but meant to write manually only username/password as part of message.

It's possible to do the same above thing when using wsse security. Refer to my first example, you can clear see the username/password in soap header. I repeat, When using basic authentication, how will the username/password look in the soap message.

I don't think it's a language issue. I'm trying to convey that the question you posed does not make sense, as the WS-Security info and the Basic Auth info are independent of one another. When using Basic Auth, the username/password is on the HTTP headers, not in the SOAP (which is in the HTTP body). Therefore, the SOAP is the same, whether you use Basic Auth or not.

It is easy to construct a Basic Auth header: https://coderanch.com/how-to/java/AppletsFaq#authentication

It is certainly possible to construct a SOAP username/password header without the use of any library. Why one would do such a thing, I have no idea. If you look at the SOAP, it's not terribly complicated. The WS-Security spec will tell you for sure what it must contain; it would be part of the SOAP header.

Note that the SOAP header (used by WS-Security) is part of the SOAP, and therefore not part of the HTTP header (which is where Basic Auth info resides), but of the HTTP body.

WS-Security info and the Basic Auth info are independent of one another. When using Basic Auth, the username/password is on the HTTP headers, not in the SOAP (which is in the HTTP body). Therefore, the SOAP is the same, whether you use Basic Auth or not.

Thank you. I believe question was clear, that's how I got your answer now .

If you still think it wasn't clear, would you mind rephrasing the question for me, so I can learn too.

Amandeep Singh wrote:I've been using wsse security. And username and password, could be specified as part of soap header.

<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-9419978" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password></wsse:UsernameToken></wsse:Security> </soapenv:Header>

Now since now i will be using basic authentication, how the SOAP header is going to look like? I'm using JAX-WS from JBoss.

It's answer could have like this example, after i learnt from your post.

When using Basic authentication, username/password is not included as part of a soap message. It is always specified in the http header which is outside soap message.

Http header would like this:

GET /private/index.html HTTP/1.1 Host: localhost Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

So all is clear now?

Yes Sir, thanks