Milos Zikic - Personal site, sharing thoughts about startups, products and engineering

Interacting with WSSE Services from Flex

Connecting to WSSE (Web Service Security Environment) services from Flex is a rarely met requirement. Recently I had to implement a backend integration using the WSSE UsernameToken Profile.
If you want to know more about WSSE, you can look at the official OASIS specifications:

I will cover only the UsernameToken Profile here, since it is the one you are most likely to meet in your environment.
A UsernameToken can use PasswordText or PasswordDigest for authentication, and PasswordDigest is created like this:

PasswordDigest = Base64 (SHA1 (Nonce + CreationTimestamp + Password)) (UTF8 Encoded)

SHA1 is not available by default in the Flex SDK, but fortunately as3corelib is available (thanks Mike). It contains a method that can compute this for us:

 SHA1.hashToBase64(String)

Now all we have to do is assemble the proper headers to send with our WSSE service call. Here is how:


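import com.adobe.crypto.SHA1;      // as3corelib
import com.adobe.utils.DateUtil;   // as3corelib
import mx.rpc.soap.SOAPHeader;
import mx.utils.Base64Encoder;

// authWS (the WebService), df (a DateFormatter), SECEXT_NS and value1
// are defined elsewhere in the application.
private function callWS(username:String, pass:String, nonce:String, currentDate:Date):void {

    // drop any headers left over from a previous call
    authWS.clearHeaders();

    // convert date to UTC time
    currentDate = DateUtil.getUTCDate(currentDate);

    // Base64-encode the nonce; the encoded form is used in the digest and in the header
    var base64:Base64Encoder = new Base64Encoder();
    base64.encode(nonce);
    nonce = base64.toString();

    // PasswordDigest = Base64(SHA1(Nonce + CreationTimestamp + Password))
    var passString:String = nonce + df.format(currentDate) + pass;
    var passDigest:String = SHA1.hashToBase64(passString);

    var securityQName:QName = new QName(SECEXT_NS, "Security");

    // Element names, the Password Type and the wsu namespace follow the
    // OASIS WS-Security UsernameToken Profile (assumed).
    var xmlContent:XML =
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
            soapenv:mustUnderstand="1"
        >
            <wsu:Timestamp>
                <wsu:Created>{df.format(currentDate)}</wsu:Created>
            </wsu:Timestamp>
            <wsse:UsernameToken>
                <wsse:Username>{username}</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">{passDigest}</wsse:Password>
                <wsse:Nonce>{nonce}</wsse:Nonce>
                <wsu:Created>{df.format(currentDate)}</wsu:Created>
            </wsse:UsernameToken>
        </wsse:Security>;

    // attach the security header to every operation of the service
    var securityHeader:SOAPHeader = new SOAPHeader(securityQName, xmlContent);
    authWS.addHeader(securityHeader);

    // operation arguments
    var obj:Object = new Object();
    obj.param1 = value1;

    authWS.getOperation("someOperation").arguments = obj;
    authWS.getOperation("someOperation").send();
}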



The web service itself is declared as usual. Here is an example in MXML:

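<!-- The opening tag is assumed: the id matches the authWS used above, and the wsdl URL is a placeholder. -->
<mx:WebService id="authWS"
    wsdl="http://example.com/placeholder?wsdl"
    load="authWS_loadHandler(event)"
    result="authWS_resultHandler(event)"
    fault="authWS_faultHandler(event)"
>
</mx:WebService>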




And that's about it. Remember to use the SHA1.hashToBase64(String) method to generate your password digest, and be sure to always use UTC time.
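
The service on the other end has to recompute the same digest, and it should reject stale or replayed tokens. The following Python is an added example, not code from the original post; it goes beyond the client side covered above, and `verify_token`, `MAX_AGE`, the `Created` format and the in-memory nonce cache are assumptions. By default it hashes the decoded nonce octets as the OASIS profile specifies; pass `hash_decoded_nonce=False` for a service that matches the client code above, which hashes the Base64 text.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for Created
_seen = {}                      # nonce -> expiry time (in-memory replay cache)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA1(nonce + created + password)); text parts are UTF-8 encoded."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_token(nonce_b64, created, digest, password, now, hash_decoded_nonce=True):
    """Check one received UsernameToken; returns (accepted, reason)."""
    try:
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        raw_nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False, "malformed"
    if abs(now - ts) > MAX_AGE:
        return False, "stale"          # Created outside the window (client not on UTC?)
    for old in [n for n, exp in _seen.items() if exp < now]:
        del _seen[old]                 # forget nonces whose tokens are stale anyway
    if nonce_b64 in _seen:
        return False, "replay"
    # The OASIS profile hashes the decoded nonce; the client code above hashes the Base64 text.
    nonce = raw_nonce if hash_decoded_nonce else nonce_b64.encode("ascii")
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return False, "bad digest"
    _seen[nonce_b64] = ts + MAX_AGE    # remember only nonces from authenticated tokens
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample token: all values are made up for this demo.
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    created, password = "2024-01-01T12:00:00Z", "constructed-password"
    nonce_b64 = base64.b64encode(b"constructed-nonce-1").decode("ascii")
    digest = password_digest(b"constructed-nonce-1", created, password)
    print(verify_token(nonce_b64, created, digest, password, now))  # (True, 'ok')
    print(verify_token(nonce_b64, created, digest, password, now))  # (False, 'replay')
```

A "stale" result for a token that was just created usually means the client formatted local time instead of UTC, which is why the UTC conversion in the Flex code matters.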

Happy integration!
