Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

SOAP WS-Security UsernameToken

See more XML Examples

Demonstrates how to add a UsernameToken with the WSS SOAP Message Security header.

Note: This example requires Chilkat v9.5.0.66 or later.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.BinData,
  Chilkat.Prng,
  Chilkat.Xml,
  Chilkat.CkDateTime,
  Chilkat.Crypt2;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  xml: TXml;
  wsse: TXml;
  xHeader: TXml;
  wsu_id: string;
  password: string;
  username: string;
  prng: TPrng;
  bd: TBinData;
  nonce: string;
  dt: TCkDateTime;
  bLocal: Boolean;
  created: string;
  crypt: TCrypt2;
  passwordDigest: string;

begin
  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  An HTTP SOAP request is an HTTP request where the SOAP XML composes the body.
  //  This example demonstrates how to add a WS-Security header such as the following:
  //  
  //  <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-6138db82-5a4c-4bf7-915f-af7a10d9ae96">
  //    <wsse:Username>user</wsse:Username>
  //    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CBb7a2itQDgxVkqYnFtggUxtuqk=</wsse:Password>
  //    <wsse:Nonce>5ABcqPZWb6ImI2E6tob8MQ==</wsse:Nonce>
  //    <wsu:Created>2010-06-08T07:26:50Z</wsu:Created>
  //  </wsse:UsernameToken>
  //  

  //  First build some simple SOAP XML that has some header and body.
  xml := TXml.Create;
  xml.Tag := 'env:Envelope';
  xml.AddAttribute('xmlns:env','http://www.w3.org/2003/05/soap-envelope');
  xml.UpdateAttrAt('env:Header|n:alertcontrol',True,'xmlns:n','http://example.org/alertcontrol');
  xml.UpdateChildContent('env:Header|n:alertcontrol|n:priority','1');
  xml.UpdateChildContent('env:Header|n:alertcontrol|n:expires','2001-06-22T14:00:00-05:00');
  xml.UpdateAttrAt('env:Body|m:alert',True,'xmlns:m','http://example.org/alert');
  xml.UpdateChildContent('env:Body|m:alert|m:msg','Pick up Mary at school at 2pm');
  WriteLn(xml.GetXml());
  WriteLn('----');

  //  The following SOAP XML is built:

  //  	<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  //  	 <env:Header>
  //  	  <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
  //  	   <n:priority>1</n:priority>
  //  	   <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  //  	  </n:alertcontrol>
  //  	 </env:Header>
  //  	 <env:Body>
  //  	  <m:alert xmlns:m="http://example.org/alert">
  //  	   <m:msg>Pick up Mary at school at 2pm</m:msg>
  //  	  </m:alert>
  //  	 </env:Body>
  //  	</env:Envelope>
  //  

  //  Now build the WSSE XML housing that we'll insert into the above SOAP XML at the end.

  //  	<wsse:Security>
  //  	  <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="WSU_ID">
  //  	    <wsse:Username>USERNAME</wsse:Username>
  //  	    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PASSWORD_DIGEST</wsse:Password>
  //  	    <wsse:Nonce>NONCE</wsse:Nonce>
  //  	    <wsu:Created>CREATED</wsu:Created>
  //  	  </wsse:UsernameToken>
  //  	</wsse:Security>

  wsse := TXml.Create;
  wsse.Tag := 'wsse:Security';
  wsse.UpdateAttrAt('wsse:UsernameToken',True,'xmlns:wsu','http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');
  wsse.UpdateAttrAt('wsse:UsernameToken',True,'wsu:Id','WSU_ID');
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Username','USERNAME');
  wsse.UpdateAttrAt('wsse:UsernameToken|wsse:Password',True,'Type','http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest');
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Password','PASSWORD_DIGEST');
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Nonce','NONCE');
  wsse.UpdateChildContent('wsse:UsernameToken|wsu:Created','CREATED');
  WriteLn(wsse.GetXml());
  WriteLn('----');

  //  Insert the wsse:Security XML into the existing SOAP header:
  xHeader := xml.GetChildWithTag('env:Header');
  xHeader.AddChildTree(wsse);
  xHeader.Free;

  //  Now show the SOAP XML with the wsse:Security header added:
  WriteLn(xml.GetXml());
  WriteLn('----');

  //  Now our XML looks like this:
  //  	<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  //  	    <env:Header>
  //  	        <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
  //  	            <n:priority>1</n:priority>
  //  	            <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  //  	        </n:alertcontrol>
  //  	        <wsse:Security>
  //  	            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="WSU_ID">
  //  	                <wsse:Username>USERNAME</wsse:Username>
  //  	                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PASSWORD_DIGEST</wsse:Password>
  //  	                <wsse:Nonce>NONCE</wsse:Nonce>
  //  	                <wsu:Created>CREATED</wsu:Created>
  //  	            </wsse:UsernameToken>
  //  	        </wsse:Security>
  //  	    </env:Header>
  //  	    <env:Body>
  //  	        <m:alert xmlns:m="http://example.org/alert">
  //  	            <m:msg>Pick up Mary at school at 2pm</m:msg>
  //  	        </m:alert>
  //  	    </env:Body>
  //  	</env:Envelope>
  //  

  //  -----------------------------------------------------
  //  Now let's fill-in-the-blanks with actual information...
  //  -----------------------------------------------------

  wsu_id := 'Example-1';
  wsse.UpdateAttrAt('wsse:UsernameToken',True,'wsu:Id',wsu_id);

  password := 'password';
  username := 'user';
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Username',username);

  //  The nonce should be 16 random bytes.
  prng := TPrng.Create;
  bd := TBinData.Create;
  //  Generate 16 random bytes into bd.
  //  Note: The GenRandomBd method is added in Chilkat v9.5.0.66
  prng.GenRandomBd(16,bd);

  nonce := bd.GetEncoded('base64');
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Nonce',nonce);

  //  Get the current date/time in a string with this format: 2010-06-08T07:26:50Z
  dt := TCkDateTime.Create;
  dt.SetFromCurrentSystemTime();
  bLocal := False;
  created := dt.GetAsTimestamp(bLocal);
  wsse.UpdateChildContent('wsse:UsernameToken|wsu:Created',created);

  //  The password digest is calculated like this:
  //  Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
  bd.AppendString(created,'utf-8');
  bd.AppendString(password,'utf-8');

  crypt := TCrypt2.Create;
  crypt.HashAlgorithm := 'SHA-1';
  crypt.EncodingMode := 'base64';
  //  Note: The HashBdENC method is added in Chilkat v9.5.0.66
  passwordDigest := crypt.HashBdENC(bd);
  wsse.UpdateChildContent('wsse:UsernameToken|wsse:Password',passwordDigest);

  //  Examine the final SOAP XML with WS-Security header added.
  WriteLn(xml.GetXml());


  xml.Free;
  wsse.Free;
  prng.Free;
  bd.Free;
  dt.Free;
  crypt.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.