How to validate WS-Security Username Token using JS in Apigee Edge

Hi All / @Dino,

Please let me know how to validate a WS-Security Username Token using JavaScript in Apigee Edge.

Here the password is in digest form.

And let me know what is the best way of doing WS-Security validation in Apigee?

Thanks,


Interesting! Previously you asked about adding a WS-Sec Username Token in Apigee Edge.

Now you are asking about validating one.

Yes, you can do that in JavaScript. The logic looks like this:

// The helper functions used below (resolveVariableReference, validUserName,
// withinTimeAllowance, validNonce, validPasswordToken) are not shown here;
// they live in the attached example proxy. The properties.* values are the
// names of flow variables that an ExtractVariables policy has already populated
// from the inbound UsernameToken.
var password_token = resolveVariableReference(properties.password_token);
var nonce = resolveVariableReference(properties.nonce);
var created = resolveVariableReference(properties.created);
var username = resolveVariableReference(properties.username);

// 1. check that the username is known
if ( ! validUserName(username)) {
  throw new Error('Invalid username');
}

// 2. check that the Created timestamp is within the allowed clock skew
if ( ! withinTimeAllowance(created)) {
  throw new Error('Invalid created stamp on token');
}

// 3. check that the nonce has not been seen before (replay protection)
if ( ! validNonce(nonce)) {
  throw new Error('Invalid nonce in token');
}

// 4. check that the password digest is valid given all of the above
if ( ! validPasswordToken(nonce, created, password_token)) {
  throw new Error('Invalid token');
}

You can use ExtractVariables to get the relevant data out of the inbound SOAP message.

Attached is a working example, check the README for information on how to use it.

This isn't a real production proxy. For that you would need to actually validate the nonce and also include a better way to validate the user credentials. (Here, they're stored in an AssignMessage policy). You'd also want to include handling of error cases - like what happens when there is no UsernameToken. Or when the passed Created value is not valid. Etc.

apiproxy-validate-ws-sec-header.zip

@Dino

We used the code in the attached zip file and tried to compare our password token, but they do not match. When we tried to debug the below code snippet:

function validPasswordToken(nonce, created, providedToken) {
  // the expected password is read from a policy property
  var valid_password = resolveVariableReference(properties.valid_password);
  // Apigee's crypto object: SHA-1 over the concatenated string nonce + created + password,
  // returned as Base64, then compared with the digest taken from the token
  var sha1 = crypto.getSHA1();
  sha1.update(nonce + created + valid_password);
  var computedToken = sha1.digest64();
  return (computedToken == providedToken);
}

we noticed the computed token does not match the input providedToken.

Upon further research we doubt whether the below two lines are working as expected.

var sha1 = crypto.getSHA1();
sha1.update(nonce + created + valid_password);

We work on on-prem Apigee. Can you please let us know if we need to add any libraries for this to be successful?

Please suggest.

Thanks,

Veera