We are trying to use the Mobile Number verification on Mobile number update with WSO2 Identity Server (v5.11.0) as per this guide, while the SMS OTP is being sent, it is being sent to the old mobile number.
Example:
User with mobile number 111111
We are sending the request to the SCIM2.0 API https://hostname/scim2/Me to update the mobile number with the following request:
{
"schemas":[
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations":[
{
"op":"replace",
"value":{
"phoneNumbers":[
{
"type":"mobile",
"value":"222222"
}
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{
"verifyMobile":true
}
}
}
]
}
The SMS OTP is being sent to the old mobile number (111111) instead of the new one (222222)
The guide clearly states:
When a user updates their mobile number in the user profile, an SMS OTP is sent to the new mobile number.
Is there another way to configure that functionality, are we missing a step ? or should the request be modified for us to have the correct behavior?
PS: The server is configured as per the guide
Looks like in the sample event publisher, the number to which the SMS is sent is defined as "to"={{mobile}}. This will pick the existing mobile number persisted under the claim http://wso2.org/claims/mobile. Change that value as to"={{send-to}}. Then it will send the SMS to the verification pending mobile number. The updated sample event publisher should be as follows.
<?xml version="1.0" encoding="UTF-8"?>
<eventPublisher name="HTTPOutputEventAdapter" processing="enable"
statistics="disable" trace="disable" xmlns="http://wso2.org/carbon/eventpublisher">
<from streamName="id_gov_sms_notify_stream" version="1.0.0"/>
<mapping customMapping="enable" type="json">
<inline>{"api_key"="xxxxxx",
"api_secret"="xxxxxxxx",
"from"="NEXMO",
"to"={{send-to}},
"text"={{body}}
}</inline>
</mapping>
<to eventAdapterType="http">
<property name="http.client.method">httpPost</property>
<property name="http.url">https://rest.nexmo.com/sms/json</property>
</to>
</eventPublisher>
Related
In order to test this function, I chosed Abnormal Request Count option, which is in Alert Management menu of Api Store, and added a restful api. Then I called this api for many times by Postman.
The carbon.log, which is in <API-M_ANALYTICS_HOME>/wso2/worker/logs, recorded the following error message:
[2020-10-19 11:03:36,094] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>A request from a new IP (10.9.16.77) detected by user:admin#carbon.super using application:devMap owned by admin#carbon.super. <br><br> <strong>Type:</strong>UnusualIPAccess <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:03:35'
[2020-10-19 11:06:10,307] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>Abnormal request count detected during last minute using application devMap owned by admin#carbon.super for api :全球风向查询, abnormal request count:9. <br><br> <strong>Type:</strong>AbnormalRequestsPerMin <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:06:10'
About detailed configuration, I referred the following links:
Configuring Alerts:
https://docs.wso2.com/display/AM260/Configuring+Alerts#ConfiguringAlerts-ConfiguringalertsviatheStore
Enabling Notifications:
https://docs.wso2.com/display/AM260/Enabling+Notifications
According to these documents, I did the following things:
1.Open the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file to configure the sender email address. The sample code is shown below:
siddhi:
extensions:
...
-
extension:
name: email
namespace: sink
properties:
username: abcd#163.com
address: abcd#163.com
password: xxxx
...
2.Go to the <API-M_ANALYTICS_HOME>/resources/apim-analytics/ directory. Copy the APIM_ALERT_EMAIL_NOTIFICATION.siddhi file and paste it in the <API-M_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files directory.
3.Set the email server configurations in the <API-M_HOME>/repository/conf/output-event-adapters.xml file under the section.
<adapterConfig type="email">
<!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
based authentication rather username/password authentication -->
<property key="mail.smtp.from">abcd#163.com</property>
<property key="mail.smtp.user">abcd</property>
<property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.host">smtp.163.com</property>
<property key="mail.smtp.port">25</property>
<property key="mail.smtp.starttls.enable">true</property>
<property key="mail.smtp.auth">true</property>
<!-- Thread Pool Related Properties -->
<property key="minThread">8</property>
<property key="maxThread">100</property>
<property key="keepAliveTimeInMillis">20000</property>
<property key="jobQueueSize">10000</property>
</adapterConfig>
4.Log in to the Management Console and click Main > Resource > Browse. Browse to the /_system/config/apimgt/applicationdata/tenant-conf.json file and click Edit as Text.Set the NotificationsEnabled property to true as shown below:
"NotificationsEnabled":"true",
"Notifications":[{
"Type":"new_api_version",
"Notifiers" :[{
"Class":"org.wso2.carbon.apimgt.impl.notification.NewAPIVersionEmailNotifier",
"ClaimsRetrieverImplClass":"org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever",
"Title": "Version $2 of $1 Released",
"Template": " <html> <body> <h3 style=\"color:Black;\">We’re happy to announce the arrival of the next major version $2 of $1 API which is now available in Our API Store.</h3>Click here to Visit WSO2 API Store</body></html>"
}]
}
]
I've also checked APIM_ALERT_EMAIL_NOTIFICATION.siddhi:
#App:name("APIM_ALERT_EMAIL_NOTIFICATION")
#App:description('Send email to all the subscribers of a particular alert')
#source(type="inMemory", topic="APIM_EMAIL_NOTIFICATION", #map(type='passThrough'))
define stream EmailAlertStream (
type string,
message string,
alertTimestamp string,
emails string);
#sink(type='email', content.type="text/html", #map(type ='text', #payload('<strong>Message:</strong>{{message}} <br><br> <strong>Type:</strong>{{type}} <br><br> <strong>AlertTimestamp:</strong>{{alertTimestamp}}')),subject='Alerts from WSO2 APIM Analytics',to='{{emails}}')
define stream EmailNotificationStream (
type string,
message string,
alertTimestamp string,
emails string);
from EmailAlertStream
select *
insert into EmailNotificationStream;
As you can see, there is nothing special.
Have I missed anything to do? I don't know what the problem is, please help me.
As per the exceptions you received. Looks like there are issues with connecting to the SMTP server. Can you please check the configurations and check there are any restrictions to use your email.
ex: in Gmail, you have to enable 'untrusted applications' to access Gmail.
I've found the reason of this problem.
By reading the source code (EmailSink.java), I know the information of SMTP Server should be configured in APIM_ALERT_EMAIL_NOTIFICATION.siddhi, otherwise the analytic server is going to use smtp.gmail.com by default.
I need to know how is it possible to publish statistics via event publisher from Enteprise Integrator to Stream Processor.
I have following implementation of event publisher on my EI
<?xml version="1.0" encoding="UTF-8"?>
<eventPublisher name="MessageFlowStatisticsPublisher"
statistics="enable" trace="enable" xmlns="http://wso2.org/carbon/eventpublisher">
<from streamName="org.wso2.esb.analytics.stream.FlowEntry" version="1.0.0"/>
<mapping customMapping="disable" type="wso2event"/>
<to eventAdapterType="wso2event">
<property name="username">admin</property>
<property name="protocol">thrift</property>
<property name="publishingMode">non-blocking</property>
<property name="publishTimeout">0</property>
<property name="receiverURL">tcp://xxx:7611</property>
<property encrypted="true" name="password">xxx</property>
</to>
</eventPublisher>
On Stream Processor I have simple siddhi app for receive data and print them into log as is shown below
#App:name("FlowEntryApp")
#App:description("Plan of flow entry")
#source(type='wso2event', #map(type = 'wso2event'))
define stream FlowEntry(compressed bool, tenantId int, messageId string, flowData string);
#sink(type='log', prefix='My flowEntry:')
define stream TestOutputFlowEntry(messageId string, flowData string);
#info(name='FlowEntryOutput')
from FlowEntry
select messageId, flowData
group by messageId
insert into TestOutputFlowEntry;
Also I have setted all configuration for publishing statstics as "enable statistic" and "enable trace" for my proxy service. When I invoke my service, eventPublisher send wso2event to SP, this is working correctly. But on the SP side, SP handle error "No StreamDefinition for streamId org.wso2.esb.analytics.stream.FlowEntry:1.0.0 present in cache"
I know, that problem is in siddhi app, that I define stream "FlowEntry" instead of "org.wso2.esb.analytics.stream.FlowEntry" but siddhi language doesn't support characters like '.' in stream name.
So I tried to change stream name on EI site, change streamName in eventPublisher to 'FlowEntry' only, also I changed streamName in json file inside eventstream folder but now when I invoke my service, EI will not send any events to SP.
Have anybody idea how to publish org.wso2.esb.analytics.stream.FlowEntry stream to SP and then processed it by siddhi?
The stream name can be overridden by using wso2.stream.id element in the source annotation.
#source(type='wso2event', wso2.stream.id='org.wso2.esb.analytics.stream.FlowEntry', #map(type = 'wso2event'))<br>
define stream FlowEntry(compressed bool, tenantId int, messageId string, flowData string);
By using the above source definition, 'FlowEntry' can still be used inside the Siddhi App, while in the thrift server stream id will be defined as 'org.wso2.esb.analytics.stream.FlowEntry:1.0.0'.
Best Regards.
I'm very new to SOAP, and this is my first project. I am trying to connect to a HTTPS WSDL in order to pull some information on my webpage.
There is a certificate setup ready for both local server connect with the service provider server. There is a response when I try to connect the https webservice, so I believe there is no connection issue between both server :
Here is the SOAPUI sample given from the third party technical team :
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap="http://soap.ipr.tfp.com/">
<soapenv:Header/>
<soapenv:Body>
<soap:create>
<arg0>
<attribute_1>abc</attribute_1>
<attribute_2></attribute_2>
<attribute_3>abc123</attribute_3>
<attribute_4>abc234</attribute_4>
<attribute_5></attribute_5>
</arg0>
</soap:create>
</soapenv:Body>
</soapenv:Envelope>
Below is my cfm code used to connect the Webservice :
<cfscript>
ws = CreateObject("webservice", [HTTPS URL]?wsdl);
//show web service methods for debugging purposes
writeDump(ws);
// construct arguments
args = {attribute_1="abc"
, attribute_2=""
, attribute_3="abc123"
, attribute_4="abc234"
, attribute_5=""
};
// call the method
result = ws.create(arg0=args);
writeDump(result)
</cfscript>
Issue :
I'm getting below error message when execute my cfm script :
Cannot perform web service invocation create.
The fault returned when invoking the web service operation is:
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server
faultSubcode:
faultString: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRY...
Questions :
Is this error related to the SSL certificate setup in the ColdFusion keystore?
Anything wrong with my CFM script? Refer to the SOAPUI sample, the xml format is `[arg0] --> [attribute_1], [attribute_2] and so on. Can I pass the attributes this way?
result = ws.create(arg0=args);
The same service works from SoapUI tool. Am I missing anything here?
Thank you for your time. Your help is appreciated.
2016-05-30 - Update -
I tried to use the CFHTTP tag to submit the XML, but it seemed to return a differenct error:
<cfhttp
url = "[HTTPS URL]?wsdl"
method ="post"
result ="httpResponse"
charset ="utf-8">
<cfhttpparam
type="header"
name="accept-encoding"
value="no-compression"
/>
<cfhttpparam
type="xml"
value="#trim( soapBody )#"
/>
</cfhttp>
Error:
Here is the error message in the file content :
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
IncludeTimestamp: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}
Body not SIGNED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}
EncryptedParts:
{http://schemas.xmlsoap.org/soap/envelope/}
Body not ENCRYPTED
</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
The error message seems similar to cfobject tag. When I read closely in the error message, it seemed related with the X.509 ws-security encryption where the SOAP content needs to encrypted before send to the Web service request.
After did some research, the encryption flow seem work as below:
Save SOAP content into temp folder.
Used Java Class file to encrypt the SOAP content into X.509 ws-security format.
Sent new encrypted SOAP content to Webservice.
I have no idea how CF works with Java class files. Has anyone done the same encryption conversion before?
In your code to connect to web service, change
ws = CreateObject("webservice", [HTTPS URL]);
to
ws = CreateObject(
"webservice",
"[HTTPS URL]",
{wsversion="1"}
);
in case only Axis 1 works for you.
Also check at the other end, if your using ColdFusion to expose the web service make sure is set up for Axis 1.
I am using Spring 4, with Spring Security 4 to secure web-services. A normal web-service worked fine without security. My secured web-services also seemed to work great working locally and with unit testing.
We are using the SiteMinder example, which means we have authentication happenind from a remote authority. This delivers a token to the browser when we login. We pass the authentication token with a request header, and this is pulled from customerUserDetailsService. That class and methods pull the token from the header, authenticates the user against that remote authority, and we get a username. From that username, we make a DAO call to our database to get the User Details and their Roles, which in the Spring Security Context uses the roles to grant authority. This is all working fine, and we get an authenticated user and we have thier roles/grantedAuthorities.
So, as previously stated, we are now just securing web-services with spring-security.xml to secure the web-services based on the role of the user. Again, this all seemed to work fine with unit testing. We had a token for a user who did not have access to web-sites and we correctly got back a 403 error. When we used a token for a user who did have the right role, was able to execute the web-service.
Now I am trying to deploy this into a new environment, and I am not having much luck.
So, I have a spring-security.xml that looks like:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
<!-- Additional http configuration omitted -->
<intercept-url pattern="/records/authorizedRecords" access="hasRole('portalUser')" />
<intercept-url pattern="/records/myCode" access="hasRole('portalUser')" />
<intercept-url pattern="/users/email" access="hasRole('appAdmin')" />
<custom-filter position="PRE_AUTH_FILTER" ref="openAmFilter" />
</http>
<beans:bean id="openAmFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<beans:property name="principalRequestHeader" value="openam_token"/>
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="customUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>
<beans:bean id="customUserDetailsService" class="com.agmednet.server.security.CustomUserDetailsService"></beans:bean>
<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
When we tried access to:
<intercept-url pattern="/users/email/*" access="hasRole('appAdmin')" />
this did not seem to match:
/rest/users/email/myemail#someemail.com
so I changed it to:
<intercept-url pattern="/rest/users/email/*" access="hasRole('appAdmin')" />
And I get this from the log.
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/rest/trials/integratedtrials'; against '/rest/users/email/*'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
DEBUG: org.springframework.security.web.FilterChainProxy - /rest/trials/integratedTrials reached end of additional filter chain; proceeding with original chain
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
At this point, I know we have an authenticated user, the username, and the roles are listed right there in the logs. We seem to find a matching URL in the spring-security.xml, the URL matches, the roles match, and now I feel we should be executing the logic behind the web-service, but I get an error message:
Apache Tomcat/8.0.30 - Error report
/services/rest/users/email/myemail#someemail.com
The requested resource is not available.
I am absolutely floored here .... unsecured web-services work great. I have to be missing something? Is it with the word "rest" in the URL? Web-services have always worked when they were unsecured. I added security and add unit tests to test this all out, and now I am unsure of what happened?
The problem is that I am an idiot!!!!
In the /WEB-INF/web.xml file I had this defined:
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
I suppose that is why when I call any RESTful web-services with:
/rest/users/email/myemail#someemail.com
it doesn't work.
But when I use:
/api/users/email/myemail#someemail.com
now it works.
Conclusion: I am an idiot!!!
I'm trying to authenticate a SOAP request using WS-UsernameToken spec, but the target device is always denying access. My non-working request looks like this. (The password I'm trying to hash is system.)
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">
<Header>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>root</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">EVpXS/7yc/vDo+ZyIg+cc0fWdMA=</Password>
<Nonce>tKUH8ab3Rokm4t6IAlgcdg9yaEw=</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-08-10T10:52:42Z</Created>
</UsernameToken>
</Security>
</Header>
<Body>
<SomeRequest xmlns="http://example.ns.com/foo/bar" />
</Body>
</Envelope>
What I'm looking for is a similar request example, but with authentication token that actually works. For example if you have gSOAP application that uses these token, and can generate a request and post the result here, I'd be very grateful.
The core thing is to define prefixes for namespaces and use them to fortify each and every tag - you are mixing 3 namespaces and that just doesn't fly by trying to hack defaults. It's also good to use exactly the prefixes used in the standard doc - just in case that the other side get a little sloppy.
Last but not least, it's much better to use default types for fields whenever you can - so for password you have to list the type, for the Nonce it's already Base64.
Make sure that you check that the generated token is correct before you send it via XML and don't forget that the content of wsse:Password is Base64( SHA-1 (nonce + created + password) ) and date-time in wsu:Created can easily mess you up. So once you fix prefixes and namespaces and verify that yout SHA-1 work fine without XML (just imagine you are validating the request and do the server side of SHA-1 calculation) you can also do a truial wihtout Created and even without Nonce. Oh and Nonce can have different encodings so if you really want to force another encoding you'll have to look further into wsu namespace.
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu= "...">
<S11:Header>
...
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>NNK</wsse:Username>
<wsse:Password Type="...#PasswordDigest">weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==</wsse:Password>
<wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
<wsu:Created>2003-07-16T01:24:32</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
...
</S11:Header>
...
</S11:Envelope>
The Hash Password Support and Token Assertion Parameters in Metro 1.2 explains very nicely what a UsernameToken with Digest Password looks like:
Digest Password Support
The WSS 1.1 Username Token
Profile allows digest passwords to
be sent in a wsse:UsernameToken of a
SOAP message. Two more optional
elements are included in the
wsse:UsernameToken in this case:
wsse:Nonce and wsse:Created. A
nonce is a random value that the
sender creates to include in each
UsernameToken that it sends. A
creation time is added to combine
nonces to a "freshness" time period.
The Password Digest in this case is
calculated as:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
This is how a UsernameToken with
Digest Password looks like:
<wsse:UsernameToken wsu:Id="uuid_faf0159a-6b13-4139-a6da-cb7b4100c10c">
<wsse:Username>Alice</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6S3P2EWNP3lQf+9VC3emNoT57oQ=</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YF6j8V/CAqi+1nRsGLRbuZhi</wsse:Nonce>
<wsu:Created>2008-04-28T10:02:11Z</wsu:Created>
</wsse:UsernameToken>
Check this one (Password should be password):
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
<wsse:Username>user</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CBb7a2itQDgxVkqYnFtggUxtuqk=</wsse:Password>
<wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
<wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
</wsse:UsernameToken>
May be this post (Secure Metro JAX-WS UsernameToken Web Service with Signature, Encryption and TLS (SSL)) provides more insight. As they mentioned "Remember, unless password text or digested password is sent on a secured channel or the token is encrypted, neither password digest nor cleartext password offers no real additional security. "