Securing a Proxy Service in WSO2 ESB - 1 (Using Hashed Passwords in Username Token)

WSO2 ESB is a popular proxy service engine that you can use to proxy backend services and expose them as SOAP-based web services. It also provides QoS for proxy services, so you can apply WS-Security policies to them easily.

There are several pre-defined WS-Security policies in the ESB that you can apply to proxy services, and it also lets you apply custom policies. Here we are going to apply a username token policy with a hashed password (PasswordDigest) in WSO2 ESB; by default the ESB only ships a username token policy with a plain-text password (PasswordText). Please note that the ESB is shipped with a JDBC-based user store that stores passwords as salted SHA-256 hashes. With PasswordDigest the client does not send the password itself; it sends Base64(SHA-1(nonce + created + password)), so the server must know the plain-text password in order to recompute that digest and compare it. If the user store holds only SHA-256 hashes, the password in the username token cannot be validated. Therefore you need to store the password in a form the server can read back: plain text, or, better, encrypted in the user store and decrypted in the password callback. (Storing plain-text passwords is not recommended.) Note also that PasswordDigest only keeps the password off the wire: it does not sign or encrypt the message, and only the nonce and timestamp checks limit replay, so the transport should still be HTTPS.

Let's go through it step by step.

Step 1. Download and extract a fresh distribution of WSO2 ESB. You can download it from here.

Step 2. Configure plain-text passwords in WSO2 ESB. Open the user-mgt.xml file, which can be found in the <ESB_HOME>/repository/conf directory, and comment out the following two properties under the org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager user store configuration. Do this on the fresh distribution before the server is started for the first time: the admin user is created in the user store at first start-up with whatever digest is configured then, and a hash that was already stored will not match once passwords are compared as plain text.

    <!-- <Property name="PasswordDigest">SHA-256</Property> -->
    <!-- <Property name="StoreSaltedPassword">true</Property> -->

Step 3. Deploy the password callback class that supports hashed password validation. Copy this jar file into the <ESB_HOME>/repository/components/dropins directory. You can find the source code of this password callback class here; you can change it as you wish and build it with Maven 3.

Step 4. Start the server.

Step 5. Log in to the ESB management console and upload the custom policy file into the registry. You can find the policy file here. Upload it using the registry browser UI into the governance or config registry collection.


Step 6. Create the secure proxy.

Select the Secure Proxy option when creating the proxy.


Create the policy service by pointing it to the uploaded policy file.


Now you have created the secured proxy service. You can invoke it using SoapUI. Use the following parameters to create a username token with a hashed password in SoapUI:

Username: admin
Password: admin
WSS-Password Type: PasswordDigest
WSS Time to Live: 2000

If you trace the message, the security header looks like the following:

    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="" xmlns:wsu="">
      <wsu:Timestamp wsu:Id="TS-12">
      <wsse:UsernameToken wsu:Id="UsernameToken-11">
        <wsse:Password Type="">wmIaYa/iWOwcUB52RkqL5IjL/Fw=</wsse:Password>
        <wsse:Nonce EncodingType="">p7fuERBfoyPuHj0HRbSxnA==</wsse:Nonce>
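To make the point of Steps 2 and 3 concrete, here is an added example (not code from this post, and not the ESB's own password callback class) showing what each side computes for a UsernameToken with PasswordDigest: the client builds Base64(SHA-1(nonce + created + password)) as SoapUI does, and the server recomputes it from the user store. The namespace and Type URIs are the standard WS-Security 1.0 values (the traced message above had them stripped). The user-store record format, the 300-second TTL, the clock-skew allowance and the in-memory replay cache are this example's assumptions, not the ESB's defaults.

```python
import base64
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

# Standard WS-Security 1.0 URIs (well-known values, not taken from the page).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # e.g. 2014-05-25T01:21:30.093Z


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, *, nonce=None, created=None):
    """Client side: what SoapUI produces for WSS-Password Type = PasswordDigest."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    if created is None:
        now = datetime.now(timezone.utc)
        created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {"username": username,
            "nonce_b64": base64.b64encode(nonce).decode("ascii"),
            "created": created,
            "digest": password_digest(nonce, created, password)}


def to_wsse_xml(token) -> str:
    """Render the token as the wsse:Security header a message trace shows."""
    return (f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">\n'
            f'  <wsse:UsernameToken>\n'
            f'    <wsse:Username>{token["username"]}</wsse:Username>\n'
            f'    <wsse:Password Type="{PASSWORD_DIGEST}">{token["digest"]}</wsse:Password>\n'
            f'    <wsse:Nonce EncodingType="{BASE64_ENC}">{token["nonce_b64"]}</wsse:Nonce>\n'
            f'    <wsu:Created>{token["created"]}</wsu:Created>\n'
            f'  </wsse:UsernameToken>\n'
            f'</wsse:Security>')


def plaintext_record(password: str) -> dict:
    """User-store record the way Step 2 leaves it (illustrative shape)."""
    return {"type": "plaintext", "value": password}


def salted_sha256_record(password: str, salt=None) -> dict:
    """User-store record as the default ESB keeps it: only a salted SHA-256 hash.
    Illustrative shape; not Carbon's exact encoding."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return {"type": "sha256-salted",
            "salt": base64.b64encode(salt).decode("ascii"),
            "hash": base64.b64encode(digest).decode("ascii")}


class DigestVerifier:
    """Server side: the checks WSS4J plus the password callback perform.
    TTL, skew and replay policy are this example's choices."""

    def __init__(self, user_store, ttl_seconds=300, skew_seconds=60):
        self.user_store = user_store
        self.ttl = timedelta(seconds=ttl_seconds)
        self.skew = timedelta(seconds=skew_seconds)
        self.seen = set()   # (username, nonce, created) tuples already accepted

    def verify(self, token, now):
        created = datetime.strptime(token["created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        if created > now + self.skew:
            return False, "Created is in the future"
        if now - created > self.ttl:
            return False, "Created is older than the TTL"
        key = (token["username"], token["nonce_b64"], token["created"])
        if key in self.seen:
            return False, "nonce/created already used (replay)"
        record = self.user_store.get(token["username"])
        # Unknown user and hashed-only user share one reason so the response does
        # not reveal which accounts exist. With only a salted SHA-256 hash the
        # server cannot recompute SHA-1(nonce + created + password), which is
        # exactly why Step 2 switches the store to readable passwords.
        if record is None or record["type"] != "plaintext":
            return False, "no plain-text password available for this user"
        expected = password_digest(base64.b64decode(token["nonce_b64"]),
                                   token["created"], record["value"])
        if not hmac.compare_digest(expected, token["digest"]):
            return False, "digest mismatch"
        self.seen.add(key)
        return True, "ok"


if __name__ == "__main__":
    token = build_username_token("admin", "admin")
    now = datetime.now(timezone.utc)
    print(to_wsse_xml(token))
    print(DigestVerifier({"admin": plaintext_record("admin")}).verify(token, now))
    print(DigestVerifier({"admin": salted_sha256_record("admin")}).verify(token, now))
```

The second verifier in the `__main__` block is the out-of-the-box ESB situation: the same valid token is rejected because the store only holds a hash. Encrypting the stored password instead of leaving it in plain text changes nothing in `verify` except that the callback decrypts `record["value"]` before calling `password_digest`.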


  1. When I commented out the above two lines in user-mgt.xml, I cannot log in to the management console UI (using u.n=admin, pw=admin) when the server gets started.

  2. After step 3, I started the server and got the error below; it loops permanently, so I can't start the server.

    [2014-05-25 01:21:30,093] WARN – CarbonServerManager Waiting for required Module: org.soasecurity.wssecurity.pwcb-1.0.0
    [2014-05-25 01:21:30,094] WARN – CarbonServerManager Carbon initialization is delayed due to the following unsatisfied items:
    [2014-05-25 01:21:30,096] WARN – CarbonServerManager Waiting for required Module: org.soasecurity.wssecurity.pwcb-1.0.0

    Could you give a suggestion to fix the bug? (I'm using wso2esb-4.7.0)


  3. // (It is not recommend to use plain text password and I guess it is better to encrypt them and use)//

    So is UsernameToken with Hash pwd not used in production and is it not recommended to be used in production?

    1. Yes. But if you need to use UsernameToken with HTTP, it is recommended to use a hashed password. Then you may need to keep the user store password in a readable manner. Yes, you can use encryption for it. It depends on when you need the security. But normally it is better to have hashed passwords in user stores, and you need to use HTTPS as the transport.

  4. Nice article. Actually I'm new to WSO2. I am getting one issue in WSO2 ESB: when I create any proxy it appears in the Deployed Services list, but on restart of the server it no longer appears in the list. Can you help me with how to get that proxy into the Deployed Services list?
    Thank you

  5. Did you see any errors in the start-up logs? Did you create the proxy service by using the echo axis2 service in the ESB? Also, once you restart the server, please go to the synapse configuration and update it once and see.

  6. Hi,
    I got the following error when I call the service:

    The security token could not be authenticated or authorized; nested exception is: Check failed : Plain text password

    Manu Mohandas

  7. You cannot change the admin username at run time, but the password can be changed from the user view UI. If you need to change the username, you need to configure a new name in the user-mgt.xml file.
