Postman - WSSE authorization header

January 21, 2021

Introduction

Some services’ APIs require authorization based on a WSSE header. That means the server expects the X-WSSE header to contain a string made up of the username, the encoded password, a nonce and a timestamp, where the timestamp is also used as a salt. Because the timestamp is part of it, every request needs a different value for this header, which must be calculated on the fly at the moment the request is made. Running a request with the same WSSE header 10 seconds later will fail, because the timestamp will not match.

The basic structure of this header is:

'UsernameToken Username="{...}", PasswordDigest="{...}", Created="{...}", Nonce="{...}"'

How do you make such requests in Postman, where the header’s value must be calculated dynamically? Since Postman doesn’t offer native support for WSSE headers (yet!), we can use a powerful feature: the pre-request script. Postman can run a JS script before the actual request. With this approach, we use environment variables in the request, and the pre-request script sets their values.

GitHub user vrruiz created a script that calculates the WSSE value in a pre-request script. It uses the environment values wsse-user and wsse-secret, so make sure you have them defined in your environment. Make sure you also have the key wsse-header defined, with an empty value. In your requests, add an entry in the headers section: key X-WSSE, value {{wsse-header}}. Add the script to your collection (so all requests within the collection inherit it), define values for the username and secret (as environment variables), and you're done!

Postman will execute the script before each request and set the wsse-header environment variable to the calculated value, and this header will be sent with the request.
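A pre-request script along these lines, as an added example (it is not vrruiz's script). It assumes the common UsernameToken digest, Base64(SHA1(nonce + created + secret)), and sends the nonce as a hex string; the function names are made up for this example, and your API may define the digest differently. It uses crypto-js inside Postman and falls back to Node's crypto module so it can be checked outside Postman.

```javascript
// Added example, not vrruiz's script. Assumed digest recipe (common UsernameToken
// form): Base64(SHA1(nonce + created + secret)). Confirm it against your API docs.
function loadCrypto() {
  try {
    const C = require('crypto-js'); // bundled in the Postman sandbox
    return {
      sha1Base64: (s) => C.SHA1(s).toString(C.enc.Base64),
      nonce: () => C.lib.WordArray.random(16).toString(C.enc.Hex),
    };
  } catch (err) {
    const c = require('crypto'); // plain Node.js, for testing outside Postman
    return {
      sha1Base64: (s) => c.createHash('sha1').update(s, 'utf8').digest('base64'),
      nonce: () => c.randomBytes(16).toString('hex'),
    };
  }
}
const lib = loadCrypto();

function passwordDigest(nonce, created, secret) {
  return lib.sha1Base64(nonce + created + secret);
}

function buildWsseHeader(user, secret, created, nonce) {
  // A double quote in the username would break out of the quoted field.
  if (/["\r\n]/.test(user)) throw new Error('wsse-user contains a quote or line break');
  return 'UsernameToken Username="' + user + '", PasswordDigest="' +
    passwordDigest(nonce, created, secret) + '", Created="' + created +
    '", Nonce="' + nonce + '"';
}

// env needs get(key)/set(key, value); pm.environment provides both.
function refreshWsseHeader(env) {
  const user = env.get('wsse-user');
  const secret = env.get('wsse-secret');
  if (!user || !secret) throw new Error('wsse-user and wsse-secret must be set');
  // Fresh timestamp and nonce on every call, so each request gets a new digest.
  const header = buildWsseHeader(user, secret, new Date().toISOString(), lib.nonce());
  env.set('wsse-header', header);
  return header;
}

// Inside Postman the global `pm` exists, so the header is refreshed per request.
if (typeof pm !== 'undefined') {
  refreshWsseHeader(pm.environment);
}
```

Keep wsse-secret in the environment's current value rather than the initial value, so it is not synced or exported along with the collection.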
