Tags: web-services, security, passwords, ws-security, wss4j

What is the alternative to PasswordDigest when the clear-text password is not stored on the web-service producer?


Scenario:

The web-service producer has only the SHA-1 hash of each password stored in its database. We need to authenticate web-service users using a username/password combination.


The Web Services Security UsernameToken Profile allows us to add SOAP headers for this purpose:

The <wsse:UsernameToken> element is introduced in the WSS: SOAP Message Security documents as a way of providing a username.

Within the <wsse:UsernameToken> element, a <wsse:Password> element may be specified. Passwords of type PasswordText and PasswordDigest are not limited to actual passwords, although this is a common case. (146-151)

The PasswordText password type means that the password is sent over the wire as plain text, which is a security issue if we are not using transport-level security mechanisms. PasswordDigest avoids sending plain-text passwords and sends a hash instead. But to avoid replay attacks (i.e. an attacker using a wiretap to capture the hashed password and resend it with another request), PasswordDigest adds a timestamp and a random number to the password before computing the hash. This addition results in the following restriction:

Note that PasswordDigest can only be used if the plain text password (or password equivalent) is available to both the requestor and the recipient. (196-197)


But in our case we do not have the plain-text password. My question is: what alternatives do we have other than making plain-text passwords available on the server?


Solution

  • The SHA-1 hash can perfectly well be used as the "plaintext" password.
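The digest construction described in the question (nonce + created + password, then SHA-1 and Base64) together with the answer's suggestion of treating the stored SHA-1 hash as the password equivalent, as an added Python example that is not from the original post or from WSS4J. The credential-store layout, the hex encoding of the stored hash, the 5-minute freshness window and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store, as in the question's scenario: the producer
# keeps only SHA-1(password). Hex encoding is an assumption of this example.
USER_DB = {"alice": hashlib.sha1(b"correct horse").hexdigest()}

SEEN_NONCES = set()          # producer-side replay cache (in-memory for the example)
FRESHNESS = timedelta(minutes=5)  # assumed acceptance window for <wsu:Created>
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password_equivalent: str) -> str:
    """UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password)).
    The 'password' here is the SHA-1 hex string both sides can reproduce."""
    material = nonce + created.encode("utf-8") + password_equivalent.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")

def client_token(username: str, cleartext_password: str, now: datetime = None) -> dict:
    """Requestor side: hash its own clear-text password the same way the producer
    stores it, then build the UsernameToken fields with a fresh nonce and timestamp."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(TS_FMT)
    equivalent = hashlib.sha1(cleartext_password.encode("utf-8")).hexdigest()
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, equivalent)}

def verify_token(token: dict, now: datetime = None) -> bool:
    """Producer side: recompute the digest from the stored hash only, and reject
    stale timestamps and reused nonces (the replay case the question mentions)."""
    now = now or datetime.now(timezone.utc)
    stored = USER_DB.get(token["Username"])
    if stored is None:
        return False
    created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > FRESHNESS:
        return False
    if token["Nonce"] in SEEN_NONCES:
        return False
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], stored)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    SEEN_NONCES.add(token["Nonce"])
    return True
```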