on 04-02-2014 4:49 AM
Hello, experts,
I got the message from here that the NW 7.0 ABAP stack can't support UsernameToken with digest password.
Does the NW 7.4 ABAP stack still not support UsernameToken with digest password?
Or can I customize the method VERIFY_USERNAME_TOKEN in CL_WS_SECURITY_PROFILE to support UsernameToken with digest password?
Or does SAP have any plan to support this security requirement?
Many thanks.
---------------------------------------------------------------
fangzj
This does not appear to have changed:
WS Security UsernameToken - User Authentication and Single Sign-On - SAP Library
I asked my experts about your question. On the client side we support this. We cannot support digest passwords on the server side. We save passwords in hashed format on the server side. To support digest passwords, the client would either need to send the password in clear text so that the digest can be calculated or the server would have to store the password in clear text, so that the digest password can be calculated. From a security standpoint these are questionable ideas. Either an eavesdropper is picking up the passwords from the traffic or the attacker who breaks the server suddenly has all the passwords in clear text.
You can modify the method VERIFY_USERNAME_TOKEN, but if an upgrade comes along that changes this package, you'll be prompted for a correction import. Then you will either have to skip the upgrade or lose your customization.
-Michael
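The following is an added example (not code from the original thread, and not SAP's implementation of VERIFY_USERNAME_TOKEN) illustrating the point Michael makes above. It computes the WS-Security UsernameToken PasswordDigest as defined by the WSS UsernameToken Profile, Base64(SHA-1(nonce + created + password)), on the client side, and then shows two hypothetical server-side user stores: one holding the cleartext password, which can recompute and check the digest, and one holding only a salted one-way hash, which cannot. The PasswordText variant is included to show what the hashed store can still verify. The function names, the dict-based token representation, the `"unverifiable"` result value and the PBKDF2 storage hash are all assumptions made for this example; XML serialisation, nonce replay caching and Created-timestamp freshness checks are deliberately left out.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WSS UsernameToken Profile:
    Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def client_build_token(username, password, use_digest=True, nonce=None, created=None):
    """Client side: build the UsernameToken fields as a dict (XML wrapping omitted).
    nonce/created may be fixed for reproducible tests; normally they are fresh."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    token = {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }
    if use_digest:
        token["Type"] = "PasswordDigest"
        token["Password"] = password_digest(nonce, created, password)
    else:
        token["Type"] = "PasswordText"
        token["Password"] = password  # cleartext on the wire; only acceptable under TLS
    return token


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted storage hash (hypothetical choice of PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def server_verify(token, record):
    """Verify one UsernameToken against one stored user record.

    record is either {"cleartext": str}  (password stored in clear)
                  or {"salt": bytes, "hash": bytes}  (only a one-way hash stored).
    Returns "ok", "bad" or "unverifiable" (hypothetical result codes)."""
    nonce = base64.b64decode(token["Nonce"])
    if token["Type"] == "PasswordDigest":
        if "cleartext" not in record:
            # Recomputing SHA-1(nonce + created + password) needs the password itself;
            # a salted one-way hash cannot be turned back into that input. This is the
            # server-side limitation described in the thread.
            return "unverifiable"
        expected = password_digest(nonce, token["Created"], record["cleartext"])
        return "ok" if hmac.compare_digest(expected, token["Password"]) else "bad"
    if token["Type"] == "PasswordText":
        if "cleartext" in record:
            return "ok" if hmac.compare_digest(record["cleartext"], token["Password"]) else "bad"
        candidate = hash_password(token["Password"], record["salt"])
        return "ok" if hmac.compare_digest(candidate, record["hash"]) else "bad"
    return "bad"
```

Note that the hashed store verifies PasswordText tokens normally, because the cleartext arrives on the wire and can be hashed and compared; it is exactly the digest form, where the server never sees the password, that forces one of the two options Michael lists. A production verifier would additionally reject reused nonces and stale Created timestamps, which this example omits.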
Hi, Michael,
Thanks a million. You are so nice.
Yes, I know the fact that the stored password is in some hash style, but I don't understand why the AS Java stack can support the digest password and the AS ABAP stack can't.
Does the AS Java stack keep the password in plain text?
-----------------------------------------------
fangzj