File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Services and the fly likes Wss4J Security question on Username Token Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Web Services
Bookmark "Wss4J Security question on Username Token" Watch "Wss4J Security question on Username Token" New topic

Wss4J Security question on Username Token

partha naveen
Ranch Hand

Joined: Jul 17, 2008
Posts: 32

I had a doubt on the following scenario.

There is a set of web services hosted on a Microsoft environment (acting as producers). The access to these web services is primarily based on a two step methodology

Step 1: Use Authentication service by sending relevant username, password details which returns a session token if the user is valid
Step 2. To use any other service the WSDL says that we need to send the session token along with user name by using Username Token security .

I am using WSS4j to enable this. While step 1 goes thru pretty well, I am caught with step 2. I am not sure what all to use for this, i.e do I have to resend the password again or only session token alone will do.

Has anyone encountered a similar situation before? Any help will be great!


Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42959
That depends on how you implement it. If you want to client to send username/password again, then set the other services up to require that. If sending the token is sufficient, then don't have them require username/password.
I agree. Here's the link:
subject: Wss4J Security question on Username Token
It's not a secret anymore!