HTTP Basic Auth VS WS-Security username token authentication

Basic Authentication is used in HTTP where user name and password will be encoded using base64 encoding mechanism and passed with the request as a HTTP header.

HTTP header section will have “Authorization: Basic dGVzdDp0ZXN0”  header element.

Username and Password will be encoded using base64 mechanism which is used in Authorization header.

base64(username:password) –> base64(admin:admin)

Most of the Webservice clients have option to provide basic auth header. In SOAPUI, at “Authentication” tab, we can provide username and password. If we switch to Raw format(as shown in the above image) of the request, all the HTTP headers are visible and we can see the Basic Auth header is set.

When we use Basic Auth, the username and password setting is on the HTTP headers not in the SOAP message. SOAP message goes with HTTP body.

Securing Webservices using ws-security username token authentication mechanism is a simple mechanism to secure services. It enforces user to provide UsernameToken security header in the SOAP requests.

If we secure a service using user name token option, (that is, ws-security username/password authentication) we should pass ws-security headers as shown in the above image.