Order Management Server Web Service Authentication
Token-based authentication using JSON Web Token (JWT) has been introduced for the Order Management Server order SOAP web service. The new FetchAuthenticationToken operation returns a token based on an existing username and password; that token can then be used to invoke the other operations of the order service.
To use this form of authentication, the client leaves the password empty and sends the fetched token as the username in the WS-Security header of the SOAP request. The token is a bearer credential: anyone who obtains it can call the service as that user until it expires, so the order service endpoint must be invoked over HTTPS/TLS. The sample tokens below are signed with HS256 and carry an exp claim; in the sample reply the exp and iat claims are one hour apart, so a client must expect its token to expire and fetch a new one with FetchAuthenticationToken rather than keep sending a stale token.
Sample request:
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:ord="http://www.tibco.com/aff/orderservice"
                    xmlns:aut="http://www.tibco.com/aff/authentication">
    <soapenv:Header/>
    <soapenv:Body>
      <ord:AuthenticateRequest>
        <aut:username>admin</aut:username>
        <aut:password>admin</aut:password>
      </ord:AuthenticateRequest>
    </soapenv:Body>
  </soapenv:Envelope>
Sample reply carrying the token:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
      <AuthenticateReply xmlns:ns8="http://www.tibco.com/aff/enrichedPlan"
                         xmlns:ns7="http://www.tibco.com/aff/planfragments"
                         xmlns:ns6="http://www.tibco.com/aff/plan"
                         xmlns:ns5="http://www.tibco.com/aff/authentication"
                         xmlns:ns4="http://www.tibco.com/aff/commontypes"
                         xmlns:ns3="http://www.tibco.com/aff/order"
                         xmlns:ns2="http://www.tibco.com/aff/orderservice/result"
                         xmlns="http://www.tibco.com/aff/orderservice">
        <ns5:token>eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c3IiOiJhZG1pbiIsImlzcyI6Ik9NUyIsInJscyI6W3siYXV0aG9yaXR5IjoiUk9MRV9BRE1JTiJ9XSwidG50IjoiVDEiLCJleHAiOjE0OTQyMTcyNjAsImlhdCI6MTQ5NDIxMzY2MH0.sW6zyVrPOV4g8hE-dItzriShWiT9XCVcDk0PMopm89g</ns5:token>
      </AuthenticateReply>
    </soap:Body>
  </soap:Envelope>
WS-Security header of a subsequent order service request, with the token as the Username and an empty Password:
  <wsse:Security soap:mustUnderstand="1"
                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken>
      <wsse:Username>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsIlRFTkFOVElEIjoiVElCQ08iLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiZXhwIjoxNjA0NDQzODAyLCJhdXRob3JpdGllcyI6WyJST0xFX0FETUlOIl0sImp0aSI6ImRlZjc0Yzg3LWI4NmItNGMwMS05OTdjLTg5MmFjOTI5ZDYxMSIsImNsaWVudF9pZCI6Im9yZGVyLW1hbmFnZW1lbnQtY2xpZW50In0.XuM6XuikCOVbai_m5aN8_ZZJ9XtdWG7__SEwumGkof4</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
    </wsse:UsernameToken>
  </wsse:Security>
When security is disabled, the Username field consists of the user name and the tenant ID separated by '@', for example admin@TIBCO, where admin is the user name and TIBCO is the tenant ID.
No security validation is performed in this mode: the tenant ID is simply extracted from the Username field, and if no tenant is given the default tenant ID is assumed. Because the caller chooses the tenant and nothing verifies that choice, any caller can act within any tenant, so this mode is suitable only for isolated development or test environments, never for an endpoint reachable by untrusted clients.
Sample header with security disabled:
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>admin@TIBCO</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
        <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
        <wsu:Created>2010-05-11T01:24:32Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
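The following Python script is an added example and is not part of the TIBCO documentation or product code. It covers both header forms described above: it pulls the token out of an AuthenticateReply, reads the token's claims (without verifying the signature) to decide when a fresh token is needed, builds the wsse:UsernameToken header with the token as Username and an empty Password, and builds and parses the user@tenant form used when security is disabled, including the tenant extraction that the server performs without any validation. The reply XML is a constructed string shaped like the sample reply above and carries the sample token; the default tenant name is a parameter because the page does not state it; the HTTP transport of the SOAP call is out of scope.

```python
"""Added example (not TIBCO code): OMS order service UsernameToken modes.

Assumptions not stated on the page: the AuthenticateReply is a constructed
string carrying the documented sample token, and the default tenant name is
a caller-supplied placeholder.
"""
import base64
import json
import time
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "http://www.tibco.com/aff/authentication"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# The token from the documented sample reply (HS256, claims usr/iss/rls/tnt/exp/iat).
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c3IiOiJhZG1pbiIsImlzcyI6Ik9NUyIsInJscyI6W3siYXV0aG9yaXR5IjoiUk9MRV9BRE1JTiJ9XSwi"
    "dG50IjoiVDEiLCJleHAiOjE0OTQyMTcyNjAsImlhdCI6MTQ5NDIxMzY2MH0."
    "sW6zyVrPOV4g8hE-dItzriShWiT9XCVcDk0PMopm89g")

# Constructed reply, shaped like the documented AuthenticateReply (extra namespaces omitted).
SAMPLE_REPLY = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Body>
    <AuthenticateReply xmlns="http://www.tibco.com/aff/orderservice" xmlns:ns5="{AUTH_NS}">
      <ns5:token>{SAMPLE_TOKEN}</ns5:token>
    </AuthenticateReply>
  </soap:Body>
</soap:Envelope>"""


def extract_token(reply_xml):
    """Return the JWT from an AuthenticateReply; match on namespace, not on the ns5 prefix."""
    el = ET.fromstring(reply_xml).find(f".//{{{AUTH_NS}}}token")
    if el is None or not el.text:
        raise ValueError("AuthenticateReply carries no token")
    return el.text.strip()


def _b64url(part):
    """Base64url decode with the padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token):
    """Return (header, payload). The signature is NOT verified here: the token is
    HS256, so only the server holds the key; a client can only read claims."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url(header_b64)), json.loads(_b64url(payload_b64))


def token_expired(token, now=None, skew=30):
    """True once exp is within `skew` seconds: time to call FetchAuthenticationToken again."""
    _, claims = decode_claims(token)
    now = time.time() if now is None else now
    return now >= claims["exp"] - skew


def username_token(username, password=None):
    """Serialize a wsse:Security header; password=None gives an empty <wsse:Password/>."""
    sec = ET.Element(f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    return ET.tostring(sec, encoding="unicode")


def token_header(token):
    """Token mode: the JWT is the Username and the Password is left empty."""
    return username_token(token)


def unsecured_header(user, tenant, password):
    """Security-disabled mode: user@tenant as the Username, password in clear."""
    return username_token(f"{user}@{tenant}", password)


def parse_username_token(header_xml):
    """Server-side view of a header: (username, password or None)."""
    sec = ET.fromstring(header_xml)
    pw = sec.find(f".//{{{WSSE}}}Password")
    return sec.findtext(f".//{{{WSSE}}}Username"), (pw.text if pw is not None else None)


def tenant_from_username(username, default_tenant):
    """Tenant extraction when security is disabled: the tenant is whatever the
    caller wrote after '@'; nothing checks the caller belongs to it.
    default_tenant is a placeholder, the page does not name the real default."""
    user, sep, tenant = username.partition("@")
    return user, (tenant if sep else default_tenant)
```

decode_claims deliberately skips signature verification: the sample tokens declare alg HS256, a symmetric scheme whose key only the Order Management Server holds, so a client cannot validate the token and should treat the decoded claims as advisory (useful for scheduling a re-fetch before exp). tenant_from_username shows why the security-disabled mode must not face untrusted callers: the tenant is taken verbatim from an unauthenticated field.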