09-24-2010 1:10 PM
Hi security experts,
I have set up a web service on my ECC with username Token security. Here is my SOAP header:
<soapenv:Header xmlns:bus="xxxxxx">
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>myUser</wsse:Username>
      <wsse:Password>myPassword</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
-> This is working fine.
As mentioned in the WS-Security standard, we can also use the digest password authentication:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
So it seems possible to use it with web service calls on AS ABAP, can someone confirm?
I have then tried to do so, with the following SOAP header:
<soapenv:Header xmlns:bus="xxxxx">
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>myUser</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">myHashedPassword</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
-> This is not working, I have a "login failed" error, as if the password was not correct.
I have used the following steps to generate my password:
CALCULATE_HASH_FOR_RAW
then
SCMS_BASE64_ENCODE
as per the following thread:
Does someone have a detailed procedure on how I can handle digest passwords in AS ABAP 7.0?
Many thanks,
Best regards,
GL
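The digest construction from the UsernameToken Profile linked in the post above, for a token that carries both a Nonce and a Created element, shown as an added example that is not part of the original thread and is not SAP code. The function names, the five-minute freshness window and the in-memory nonce set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)  # assumed window, not a value from the thread
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp carried in wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as decoded raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token_fields(password: str, now: datetime) -> dict:
    """Client side: values for wsse:Nonce, wsu:Created and wsse:Password."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FORMAT)
    return {
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
        "created": created,
        "digest": password_digest(nonce, created, password),
    }


def verify_token(fields: dict, stored_password: str, seen_nonces: set,
                 now: datetime) -> str:
    """Server side: the verifier needs the same secret the client hashed."""
    created = datetime.strptime(fields["created"], TS_FORMAT).replace(
        tzinfo=timezone.utc)
    if abs(now - created) > FRESHNESS:
        return "stale"        # old Created value: reject
    if fields["nonce_b64"] in seen_nonces:
        return "replayed"     # nonce already used inside the window
    expected = password_digest(base64.b64decode(fields["nonce_b64"]),
                               fields["created"], stored_password)
    if not hmac.compare_digest(expected, fields["digest"]):
        return "bad-digest"
    seen_nonces.add(fields["nonce_b64"])
    return "ok"
```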
09-25-2010 2:15 PM
Hi,
Unfortunately, it looks like it's not supported. First, from this [doco|http://help.sap.com/saphelp_nw70/helpdata/EN/47/23fc6d9a0b2debe10000000a1553f7/frameset.htm] it looks to me that only the Java stack supports this option. I looked for the corresponding code in ABAP and I found class CL_WS_SECURITY_PROFILE. This class has a method called VERIFY_USERNAME_TOKEN which performs a check of the security data passed in the SOAP header. From this method you can see that it does not support password digest. Just search for this code:
* cannot handle digest password
if security_part->username_token-password-type =
   CO_TYPE_PASSWORD_DIGEST.
  CALL METHOD me->raise_exception
    EXPORTING
      faultcode       = 'FailedAuthentication' "#EC NOTEXT
*     detail          =
      code            = tsoap_fc_server
      reason_text     = 'Password digest not supported'
      reason_language = 'E'.
endif.
Cheers
10-04-2010 1:19 PM
Thank you Martin for your answer, I think I will open an OSS message to have a confirmation from SAP but indeed, according to your information, it does not seem possible.
10-08-2010 6:23 PM
How did you configure the proxy, logical port and wss profile?
I have set the proxy to basic authentication. The logical port / operation is assigned to a wss profile, and the profile is a simple username / timestamp.
But I am not able to get the wss security into the xml request.
Regards,
GTE
07-08-2013 7:38 AM
The same here. In the SOA Manager at the logical port I set "Consumer Security" to User ID/Password. At the proxy configuration I set Authentication level to Basic. I did not set up any "Operation specific" at the logical port.
Nothing changed in my SOAP request. Is there a main switch I missed?
We are running NW7.0 EHP1
Thanks for any help,
Jan