SOAP Authentication
The purpose of authentication is to verify that the originator of the message is a trusted partner.
This is done by inserting the following tokens in the SOAP message header:
• Username Password token (basic authentication)
• X.509 certificates
• Digital signature
• Timestamp token
Username - Password Token (Basic Authentication)
This form of authentication consists of a simple XML description of the username the service claims to represent and, optionally, a password. The password can be a plain text password or, for better security, a password digest.
<S11:Envelope xmlns:S11="..." xmlns:wsse="...">
  <S11:Header>
    ...
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>Tibco</wsse:Username>
        <wsse:Password>secure</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    ...
  </S11:Header>
  ...
</S11:Envelope>
Suppose that you specify basic authentication for outflow security (a SOAP request). When the web service call is made, the token is inserted into the SOAP header. The recipient of the request authenticates the username/password token in the SOAP header, verifying that you are a trusted partner. Similarly, if you specify basic authentication for outflow security (SOAP responses), when the response comes in, it must have the specified user/password token or it is rejected.
How to accomplish this with the TIBCO iProcess Web Services Plug-in
Refer to Example 2- Calling an Inbound Web Service Operation Using SOAP/HTTP and Basic Authentication to see how this works in practice.