Layer7 API Management


Using * Require WS-Security Password Digest Credentials Assertion & Validation of incoming Values (Nonce & Timestamp & passwordDigest)

  • 1.  Using * Require WS-Security Password Digest Credentials Assertion & Validation of incoming Values (Nonce & Timestamp & passwordDigest)

    Posted May 07, 2017 07:45 AM

    * Require WS-Security Password Digest Credentials Assertion

    Hi All,

    I need to validate the timestamp & nonce with the incoming passwordDigest value.

    I have found the below formula: Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

    And I have found a few lines of Java code to validate these values if they match.

    So, in short, if I want to validate the incoming Nonce & Timestamp & passwordDigest values all together, should I use a customAssertion, or is there any way to do it?

    I could not find a way to do it.



  • 2.  Re: Using * Require WS-Security Password Digest Credentials Assertion & Validation of incoming Values (Nonce & Timestamp & passwordDigest)
    Best Answer

    Broadcom Employee
    Posted May 07, 2017 12:49 PM

    Good afternoon,

     

    The default behavior of the "Require WS-Security Password Digest Credentials Assertion" does this already, so you don't need to build a custom assertion. To test: if you remove either the nonce or timestamp from the request, it will fail even if you haven't required them in the assertion.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: Using * Require WS-Security Password Digest Credentials Assertion & Validation of incoming Values (Nonce & Timestamp & passwordDigest)

    Posted May 07, 2017 04:56 PM

    Hi Stephen, thanks for the response. In this situation I will just check if the token is expired or not with the defined time interval.

    That helped a lot,

    Regards

    Onur Fenar,
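
The checks discussed in this thread (digest formula, timestamp freshness, nonce reuse), as an added Python example that is not part of the original posts and is not Layer7's implementation. The function names, the 5-minute window, the in-memory nonce set and the sample token are assumptions; the nonce is Base64-decoded before hashing, as the WS-Security UsernameToken Profile specifies.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window, not a gateway default

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)); the nonce is decoded to raw bytes first."""
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_token(token: dict, password: str, seen_nonces: set, now: datetime) -> str:
    """Return 'ok', or the reason the token is rejected."""
    nonce, created, digest = (token.get(k) for k in ("nonce", "created", "digest"))
    if not (nonce and created and digest):
        return "missing nonce, created or digest"
    try:
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        expected = password_digest(nonce, created, password)
    except ValueError:  # bad timestamp format or bad Base64 in the nonce
        return "malformed created or nonce"
    if abs(now - ts) > MAX_AGE:
        return "timestamp outside freshness window"
    # Constant-time comparison of the recomputed and received digests.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return "digest mismatch"
    # Record the nonce only after the digest verifies, so unauthenticated
    # requests cannot fill the cache; entries older than MAX_AGE can be evicted.
    if nonce in seen_nonces:
        return "nonce replayed"
    seen_nonces.add(nonce)
    return "ok"

# Constructed sample values (not taken from the thread).
NOW = datetime(2017, 5, 7, 12, 0, 0, tzinfo=timezone.utc)
NONCE = base64.b64encode(b"constructed-nonce-01").decode()
CREATED = "2017-05-07T11:59:30Z"
TOKEN = {"nonce": NONCE, "created": CREATED,
         "digest": password_digest(NONCE, CREATED, "example-password")}

if __name__ == "__main__":
    seen = set()
    print(verify_token(TOKEN, "example-password", seen, NOW))
    print(verify_token(TOKEN, "example-password", seen, NOW))
```
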