Web Service Security

Last updated
Save as PDF

Overview

This page describes how authentication for EIP Web Services works.

Web Service Security

Our goal is to provide the same web services security that is provided by the QSP.

Authentication with this web service is done against the QSP.

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope xmlns:ns="http://msg.data.eip.omnitracs.com/1.0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Header>

<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<wsse:UsernameToken wsu:Id="UsernameToken-6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wsse:Username>USERNAME@COMPANY</wsse:Username>

<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>

</wsse:UsernameToken>

</wsse:Security>

</soapenv:Header>

... SOAP body goes here ...

</soapenv:Envelope>

The <soapenv:Header> area illustrates the WS-Security header which contains a Username Token element. The username token element contains username and password elements. The username data consists of a string concatenated from the client's company ID, user ID (e.g. UserId@CompanyId). The security header is followed by the SOAP request body which contains the actual web service invocation information.

It's important to note that the SOAP security header is not part of the web service interface and is therefore not defined in its associated WSDL file. Clients will be required to insert properly formatted security headers in each SOAP request. The iWeb server will be configured to enforce this requirement and authenticate the credentials in properly formed security headers. Control will be passed to the actual web service only after an authenticated security context can be established.