
Does NW7.4 ABAP stack still not support usernametoken with digest password?

Former Member
0 Kudos

Hello, experts,

I got the message from here that NW7.0 ABAP STACK can't support usernametoken with digest password.

Does NW7.4 ABAP stack still not support usernametoken with digest password?

Or can I customize the method VERIFY_USERNAME_TOKEN in CL_WS_SECURITY_PROFILE to support usernametoken with digest password?


Or does SAP have any plan to support this security requirement?



Many thanks.

---------------------------------------------------------------

fangzj

Accepted Solutions (1)


MichaelShea
Product and Topic Expert
0 Kudos
Former Member
0 Kudos

Hi, Michael,

It's a pity to hear that. Anyway, thanks for your reply.

Do you have any idea if we can enhance the soap_security package?

I mean, can I modify the method VERIFY_USERNAME_TOKEN to support it?

Thanks again!

MichaelShea
Product and Topic Expert
0 Kudos

I asked my experts about your question. On the client side we support this. We cannot support digest passwords on the server side. We save passwords in hashed format on the server side. To support digest passwords, the client would either need to send the password in clear text so that the digest can be calculated or the server would have to store the password in clear text, so that the digest password can be calculated. From a security standpoint these are questionable ideas. Either an eavesdropper is picking up the passwords from the traffic or the attacker who breaks the server suddenly has all the passwords in clear text.

You can modify the method VERIFY_USERNAME_TOKEN, but if an upgrade comes along that changes this package, you'll be prompted for a correction import. Then you will either have to skip the upgrade or lose your customization.

-Michael
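
The trade-off described in the reply above, as an added Python example that is not part of the original thread and is not SAP code: the WS-Security UsernameToken Profile defines Password_Digest as Base64(SHA-1(nonce + created + password)), so the verifier needs the clear-text password, while a plain-text token can be checked against a stored one-way hash. The PBKDF2 storage hash, the function names and all sample values are constructed assumptions, not SAP's actual scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not taken from any real system).
PASSWORD = "Constructed-Passw0rd"
SALT = b"constructed-salt"
NONCE = b"constructed-nonce-16"          # raw nonce bytes (sent Base64-encoded on the wire)
CREATED = "2024-01-01T00:00:00Z"         # wsu:Created timestamp

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def store_hashed(password: str, salt: bytes) -> bytes:
    """Stand-in for a server-side one-way password hash (assumption: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

def verify_text_token(stored_hash: bytes, salt: bytes, sent_password: str) -> bool:
    """PasswordText: the client sends the password, the server re-hashes it."""
    return hmac.compare_digest(store_hashed(sent_password, salt), stored_hash)

def verify_digest_with_cleartext(stored_password: str, nonce: bytes,
                                 created: str, received: str) -> bool:
    """PasswordDigest: works only if the server keeps the clear-text password."""
    expected = password_digest(nonce, created, stored_password)
    return hmac.compare_digest(expected, received)

def verify_digest_with_hash_only(stored_hash: bytes, nonce: bytes,
                                 created: str, received: str) -> bool:
    """A server holding only a one-way hash cannot rebuild the client's digest:
    substituting the stored hash for the password yields a different value."""
    raw = nonce + created.encode("utf-8") + stored_hash
    candidate = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return hmac.compare_digest(candidate, received)

if __name__ == "__main__":
    token = password_digest(NONCE, CREATED, PASSWORD)   # what the client sends
    stored = store_hashed(PASSWORD, SALT)               # what a hashing server keeps
    print("digest vs clear-text store:", verify_digest_with_cleartext(PASSWORD, NONCE, CREATED, token))
    print("digest vs hash-only store :", verify_digest_with_hash_only(stored, NONCE, CREATED, token))
    print("text token vs hash store  :", verify_text_token(stored, SALT, PASSWORD))
```
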

Former Member
0 Kudos

Hi, Michael,

Thanks a million. You are so nice.

Yes, I know that the stored password is in some hashed form, but I don't understand why the AS Java stack can support the digest password and the AS ABAP stack can't.

Does the AS Java stack keep the password in plain text?

-----------------------------------------------

fangzj

MichaelShea
Product and Topic Expert
0 Kudos

No, they don't keep the password in plain text. As I understand it, they chose yet another method, but I do not know what it is. In any case it is a design decision.

Former Member
0 Kudos

OK.

Thanks again!

Have a nice day!

----------------------------------------------------------

fangzj

Answers (0)