Evaluate WSS Username Token
If you have a native API that requires clients to authenticate to Integration Server using WS-Security, use the Evaluate WSS Username Token action to extract the client's credentials (username token and password) from the WS-Security header of the SOAP message and verify the client's identity.
This action extracts the username token and password supplied in the message header of the request and locates the client defined by that username token and password. For example, when you have configured this action for an API, the PEP extracts the username token and password from the SOAP header at run time and searches its list of consumers for the client that is defined by the credentials.
To use this action, the following prerequisites must be met:
In Integration Server, create a keystore and truststore. For detailed information about securing communications with the server, see the webMethods Integration Server Administrator’s Guide.
In Integration Server, create an HTTPS port. For detailed information about configuring ports, see the webMethods Integration Server Administrator’s Guide.
Configure Mediator by setting the HTTPS Ports Configuration parameter. For detailed information about configuring Mediator, see Administering webMethods Mediator.
Mediator rejects requests that do not include the username token and password of an Integration Server user. Mediator supports only clear text passwords (the PasswordText form of the username token) with this kind of authentication; password digests are not accepted. Because the password travels in clear text inside the SOAP header, it is protected in transit only by TLS, which is why the HTTPS port above is a prerequisite: do not expose an API that uses this action over plain HTTP.
When a client sends both transport credentials (HTTP Basic Authentication) and message credentials (a WSS Username Token or a WSS X.509 Certificate), the message credentials take precedence over the transport credentials when Integration Server determines which credentials to use for the session.
If Mediator cannot identify the client, Mediator fails the request and generates a Policy Violation event.
Input Parameters
| Parameter | Description |
|---|---|
| Identify Consumer | (String). The list of consumers against which the username token and password are validated to identify the client that sent the request. One of the values below. |

| Value | Description |
|---|---|
| Do Not Identify | Mediator forwards the request to the native API without attempting to verify the client's username token in the incoming request. |
| Global Consumers | (Default). Mediator tries to verify the client's WSS username token against the list of all global consumers available in Mediator. |
| Registered Consumers | Mediator tries to verify the client's WSS username token against the list of consumer applications that are registered as consumers for the specified API. |
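The following is an added example, not Mediator's or Integration Server's own code, that shows what the action described above does with a request: it parses the wsse:UsernameToken out of the SOAP header, rejects a missing token or a non-clear-text (digest) password with a Policy Violation, and resolves the credentials against a consumer list according to the three Identify Consumer values. The WS-Security namespace and PasswordText type URIs are the standard WSS 1.0 values; the consumer registry (GLOBAL_CONSUMERS), the API name "OrderService", the mode strings, and the SOAP sample are constructed for illustration and are not Mediator's data model. The HTTP Basic Authorization header is deliberately not consulted, reflecting the precedence rule stated above.

```python
import xml.etree.ElementTree as ET
from hmac import compare_digest

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


class PolicyViolation(Exception):
    """Raised where Mediator would fail the request and generate a Policy Violation event."""


def extract_username_token(soap_xml: str):
    """Return (username, password) from wsse:UsernameToken in the SOAP header.

    Raises PolicyViolation if the token is absent or the password is not clear text.
    """
    root = ET.fromstring(soap_xml)
    token = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise PolicyViolation("no WSS Username Token in SOAP header")
    user = token.find(f"{{{WSSE}}}Username")
    pwd = token.find(f"{{{WSSE}}}Password")
    if user is None or pwd is None or not user.text or not pwd.text:
        raise PolicyViolation("UsernameToken lacks Username or Password")
    # Only clear-text passwords are supported. Per the UsernameToken profile an
    # absent Type attribute means PasswordText; PasswordDigest is rejected.
    if pwd.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise PolicyViolation(f"unsupported password type {pwd.get('Type')}")
    return user.text, pwd.text


# Constructed consumer registry (assumed shape): every entry is a global consumer,
# and "apis" lists the APIs the consumer is registered for.
GLOBAL_CONSUMERS = {
    "alice": {"password": "s3cret", "apis": {"OrderService"}},
    "bob": {"password": "hunter2", "apis": set()},
}


def identify_consumer(soap_xml: str, api_name: str, mode: str = "Global Consumers"):
    """Resolve the caller per the Identify Consumer setting.

    Returns the consumer name, None for "Do Not Identify", or raises PolicyViolation.
    """
    if mode == "Do Not Identify":
        return None  # forwarded without looking at the token at all
    username, password = extract_username_token(soap_xml)
    record = GLOBAL_CONSUMERS.get(username)
    # Constant-time comparison; treat unknown user and bad password identically.
    if record is None or not compare_digest(record["password"].encode(), password.encode()):
        raise PolicyViolation("client not identified")
    if mode == "Registered Consumers" and api_name not in record["apis"]:
        raise PolicyViolation(f"{username} is not registered for {api_name}")
    return username


def is_rejected(soap_xml: str, api_name: str, mode: str = "Global Consumers") -> bool:
    """True when the action would fail the request with a Policy Violation."""
    try:
        identify_consumer(soap_xml, api_name, mode)
        return False
    except PolicyViolation:
        return True


def build_request(username: str, password: str, password_type: str = PASSWORD_TEXT) -> str:
    """Constructed SOAP request carrying a WSS Username Token (sample input, not a capture)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:wsse="{WSSE}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{password_type}">{password}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getOrder xmlns="urn:example:orders"><id>42</id></getOrder></soapenv:Body>
</soapenv:Envelope>"""


# Constructed request with no WS-Security header at all (e.g. HTTP Basic only).
NO_TOKEN_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Body><getOrder xmlns="urn:example:orders"><id>42</id></getOrder></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    req = build_request("alice", "s3cret")
    for mode in ("Do Not Identify", "Global Consumers", "Registered Consumers"):
        print(mode, "->", identify_consumer(req, "OrderService", mode))
    print("no token rejected:", is_rejected(NO_TOKEN_REQUEST, "OrderService"))
```

Run as a script it prints the outcome of the same request under each Identify Consumer value and shows that a request carrying only transport credentials is rejected. Swap the password Type for the PasswordDigest URI to see the clear-text-only restriction enforced.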