I’ve created a Web Service for our clients and I secured it using a username token with PasswordDigest (with timestamp, nonce and encrypted password). One of the clients uses software that does not support PasswordDigest, only plain-text username and password.
I feel somewhat uncomfortable with plain-text passwords in the SOAP-Header. But the whole traffic is being secured using HTTPS.
My question: Using HTTPS, is it still secure enough, even if I change the security requirements from PasswordDigest to PasswordText?
My requirements are:
- The client has to be authenticated with a user name, because I have to know which client is accessing the Web Service and
- Any man-in-the-middle must not see the plain text password in the SOAP header!
You may also want to look into the WS-Security extension to SOAP.
As for your question, I wouldn’t be afraid of using a clear-text password on HTTPS, but as @Anshu says, make sure your service does not respond on HTTP then! Also, be aware that it is technically possible and often seen that corporate proxies effectively perform MitM “attacks” on HTTPS traffic…
Cheers,
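To make the trade-off concrete, here is an added example (not code from the question or the answer above) of the server-side verification for both UsernameToken forms: PasswordDigest gets a freshness window and nonce replay check, while PasswordText is accepted only when the request arrived over HTTPS. The credential store, user name and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample credential store (assumption: the service looks passwords up by username).
PASSWORD_DB = {"client-a": "s3cret-pass"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def make_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce || created || password)).
    The nonce is hashed as its raw decoded bytes; created and password as UTF-8."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def client_token(username: str, password: str) -> dict:
    """Build the PasswordDigest token a client would put in the SOAP header."""
    created = datetime.now(timezone.utc).strftime(TS_FORMAT)
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": make_digest(nonce, created, password)}

class TokenVerifier:
    """Server-side check for both token forms. PasswordText is only accepted on HTTPS."""
    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production, expire entries once older than max_skew

    def verify(self, token: dict, scheme: str = "https") -> bool:
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        if "PasswordDigest" in token:
            created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
            if abs(datetime.now(timezone.utc) - created) > self.max_skew:
                return False  # stale Created timestamp: outside the accepted window
            if token["Nonce"] in self.seen_nonces:
                return False  # nonce already used: a replayed header
            expected = make_digest(token["Nonce"], token["Created"], password)
            if not hmac.compare_digest(expected, token["PasswordDigest"]):
                return False
            self.seen_nonces.add(token["Nonce"])
            return True
        if "PasswordText" in token:
            if scheme != "https":
                return False  # a clear-text password must never be accepted over plain HTTP
            return hmac.compare_digest(password, token["PasswordText"])
        return False
```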