You can use the UsernameToken to propagate a user name and, optionally, password information. Also, you can use this token type to carry basic authentication information. Both a user name and password are used to authenticate the message. A UsernameToken containing the user name is used in identity assertion, which establishes the identity of the user based on the trust relationship.
The following example shows the the syntax of the UsernameToken element:
<UsernameToken Id="..."> <Username>...</Username> <Password Type="...">...</Password> </UsernameToken>
The Web services security specification defines the following password types:
wsse:PasswordText
(Default) This type is the actual password for the user name. WebSphere Application Server - Express supports this type.
wsse:PasswordDigest
This type is the digest of the password for the user name. The value is a base64-encoded SHA1 hash value of the UTF8-encoded password. WebSphere Application Server - Express does not support password digest because most user registry security policies do not expose the password to the application software.
The following example illustrates the use of the <UsernameToken> element:
<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<S:Header>
...
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>Joe</wsse:Username>
<wsse:Password>ILoveJava</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
...
</S:Header>
...
</S:Envelope>
The password is transmitted in unencrypted text. Therefore, it is recommended that you use a secure transmission channel between the sender and receiver. For example, you might consider using Secure Sockets Layer (SSL).