Thursday, 14 September 2017

HTTP Basic Auth vs WS-Security username token authentication

HTTP Basic Authentication and WS-Security username token authentication are two different authentication mechanisms and are independent of each other.

Let's go in depth and see how the two mechanisms differ.

HTTP Basic Authentication 

Basic Authentication is used in HTTP: the user name and password are encoded with base64 and passed with the request as an HTTP header.

For instance:

The HTTP header section will have an "Authorization: Basic dGVzdDp0ZXN0" header element.



The username and password are base64-encoded, and the result is used in the Authorization header.

For example:

base64(username:password) --> base64(admin:admin)

Most web service clients have an option to provide a Basic Auth header. In SOAPUI, on the "Authentication" tab, we can provide the username and password. If we switch to the Raw format of the request (as shown in the above image), all the HTTP headers are visible and we can see that the Basic Auth header is set.

When we use Basic Auth, the username and password are set in the HTTP headers, not in the SOAP message. The SOAP message goes in the HTTP body.

WS-Security username token

Securing web services with WS-Security username token authentication is a simple mechanism to secure services. It requires the user to provide a UsernameToken security header in SOAP requests.


As shown in the above image, the WS-Security header is set as part of the SOAP message.

If we secure a service using the username token option (that is, WS-Security username/password authentication), we should pass WS-Security headers as shown in the above image.



