How to secure password in Basic Authentication

 
Greenhorn
Posts: 6
I am using IBM WAS 6.0 and have enabled Basic authentication. But the problem is that the password is sent in clear text in SOAP headers. I have also tried using Basic Authentication over SSL (which works), but is it possible to send an encrypted password in basic authentication itself?
If yes, then how do we go about it?
 
Rancher
Posts: 43081
77
Basic Authentication always sends the password in cleartext.

But since you mention SOAP, the proper way to secure that is to use WS-Security, which provides authentication (with digested passwords instead of cleartext passwords) and encryption. So there's no need to use either Basic Authentication or SSL.
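
The difference described in the reply above, as an added example that is not part of the original thread and not IBM or WebSphere code: HTTP Basic only Base64-encodes the credentials, while the WS-Security UsernameToken profile defines a digest, `Base64(SHA-1(nonce + created + password))`. It assumes Java 8 or later; the class name, helper method names and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

public class UsernameTokenDigestExample {   // hypothetical class name

    // HTTP Basic: Base64 is an encoding, not encryption.
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Anyone who can read the header recovers "user:password" without any key.
    static String decodeBasic(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    // UsernameToken PasswordDigest: SHA-1 over raw nonce bytes, then Created, then password.
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    public static void main(String[] args) throws Exception {
        String user = "alice";                   // constructed sample credentials
        String password = "s3cret-constructed";

        String basic = basicHeader(user, password);
        System.out.println("Authorization: " + basic);
        System.out.println("Recovered from the wire: " + decodeBasic(basic));

        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);     // fresh random nonce for every message
        String created = Instant.now().truncatedTo(ChronoUnit.SECONDS).toString();

        // Values that go into the wsse:UsernameToken header elements.
        System.out.println("wsse:Username = " + user);
        System.out.println("wsse:Password (Type=...#PasswordDigest) = "
                + passwordDigest(nonce, created, password));
        System.out.println("wsse:Nonce    = " + Base64.getEncoder().encodeToString(nonce));
        System.out.println("wsu:Created   = " + created);
    }
}
```

The receiver has to recompute the same digest, so it needs access to the password itself, and it should reject reused nonces and stale Created values to stop replay. The digest protects only the password; the rest of the SOAP message is unprotected unless it is also signed or encrypted.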
 
Tanuj Kothiyal
Greenhorn
Posts: 6
I am using basic authentication of WS-Security only; the problem is that I am unable to find the Digest Password option in WAS 6.0. (Any link regarding the same will be a great help.)
I have also explored other options like XML Digital Signature and encryption (and got them working), but these all involve creating self certificates or using the default ones provided by IBM, which certainly is not the right choice for a production environment.
What I require is an implementation of simple security like ws - basic authentication in which either I get a Digest password or I am able to encrypt the password before adding it to the SOAP headers (maybe programmatically, if possible).

Any help will be greatly appreciated...
 
Ulf Dittmer
Rancher
Posts: 43081
77
XML Signature and XML Encryption are used internally by WS-Security; if you use that, then there's no need to use the underlying XML standards directly.

This post shows how digest authentication is configured in general, but also indicates that there may be (or may have been) a bug in WebLogic regarding that.
 
Tanuj Kothiyal
Greenhorn
Posts: 6
Thanks for your reply, Ulf....
I'll look out if I can find the digest password option for IBM WAS 6.0 or any other way round.