tessl/pypi-zeep
A comprehensive Python SOAP client library for consuming SOAP web services with support for SOAP 1.1/1.2, WSSE authentication, and async operations
wsse-security.mddocs/
WSSE Security
Web Services Security features including username tokens, digital signatures, and authentication mechanisms for secure SOAP communication. Zeep supports WS-Security standards for authentication and message integrity.
Capabilities
Username Token Authentication
WS-Security username token for basic authentication with optional password digest.
class UsernameToken:
def __init__(
self,
username: str,
password: str = None,
password_digest: str = None,
use_digest: bool = False,
nonce: str = None,
created: str = None,
timestamp_token=None,
zulu_timestamp: bool = None,
hash_password: bool = None
):
"""
Create username token for WS-Security authentication.
Parameters:
- username: Username for authentication
- password: Password for authentication (required unless password_digest provided)
- password_digest: Pre-computed password digest
- use_digest: Use password digest instead of plain text (deprecated, use password_digest param)
- nonce: Custom nonce value (auto-generated if not provided)
- created: Custom created timestamp (auto-generated if not provided)
- timestamp_token: Custom timestamp token configuration
- zulu_timestamp: Use 'Z' suffix in timestamps instead of +00:00
- hash_password: Hash password before creating digest (for special services)
"""Digital Signatures
Digital signature support for message integrity and authentication using X.509 certificates.
class Signature:
def __init__(self, key_file: str, cert_file: str):
"""
Create digital signature configuration.
Parameters:
- key_file: Path to private key file (PEM format)
- cert_file: Path to certificate file (PEM format)
"""
class BinarySignature(Signature):
"""
Binary security token signature using X.509 certificates.
Supports embedding certificate directly in SOAP header.
"""
class MemorySignature(Signature):
"""
In-memory signature configuration for certificates loaded from memory.
Alternative to file-based signatures when certificates are in memory.
"""Security Composition
Combine multiple WS-Security elements in a single SOAP request.
class Compose:
def __init__(self, *elements):
"""
Compose multiple WS-Security elements.
Parameters:
- *elements: Security elements to combine (tokens, signatures, etc.)
"""Usage Examples
Username Token Authentication
from zeep import Client
from zeep.wsse import UsernameToken
# Plain text username token
wsse = UsernameToken('myusername', 'mypassword')
client = Client('http://example.com/secure-service.wsdl', wsse=wsse)
# Username token with password digest (more secure)
wsse_digest = UsernameToken('myusername', 'mypassword', use_digest=True)
client = Client('http://example.com/secure-service.wsdl', wsse=wsse_digest)
# Call secured operation
result = client.service.SecureOperation(param='value')Digital Signature Authentication
from zeep import Client
from zeep.wsse import Signature
# Sign requests with X.509 certificate
wsse = Signature(
key_file='/path/to/private-key.pem',
cert_file='/path/to/certificate.pem'
)
client = Client('http://example.com/signed-service.wsdl', wsse=wsse)
result = client.service.SignedOperation(param='value')Binary Security Token
from zeep import Client
from zeep.wsse import BinarySignature
# Use binary security token with embedded certificate
wsse = BinarySignature(
key_file='/path/to/private-key.pem',
cert_file='/path/to/certificate.pem'
)
client = Client('http://example.com/service.wsdl', wsse=wsse)
result = client.service.SecureOperation(param='value')Multiple Security Elements
from zeep import Client
from zeep.wsse import UsernameToken, Signature, Compose
# Combine username token and signature
username_token = UsernameToken('user', 'pass', use_digest=True)
signature = Signature('/path/to/key.pem', '/path/to/cert.pem')
# Compose multiple security elements
wsse = Compose(username_token, signature)
client = Client('http://example.com/multi-secure.wsdl', wsse=wsse)
result = client.service.MultiSecureOperation(param='value')Memory-based Certificates
from zeep import Client
from zeep.wsse import MemorySignature
# Load certificates from memory (useful for deployment scenarios)
private_key_data = load_private_key_from_config()
certificate_data = load_certificate_from_config()
wsse = MemorySignature(private_key_data, certificate_data)
client = Client('http://example.com/service.wsdl', wsse=wsse)Security with Custom Settings
from zeep import Client, Settings
from zeep.wsse import UsernameToken
# Combine security with strict XML settings
settings = Settings(
strict=True,
forbid_dtd=True,
forbid_entities=True,
force_https=True
)
wsse = UsernameToken('secure_user', 'strong_password', use_digest=True)
client = Client(
'https://secure-service.com/service.wsdl',
wsse=wsse,
settings=settings
)
result = client.service.HighSecurityOperation(
sensitive_data='confidential_value'
)Security Best Practices
Password Digest Usage
Always use password digest for username tokens in production:
# Good: Password digest enabled
wsse = UsernameToken('user', 'password', use_digest=True)
# Avoid: Plain text password (only for development)
wsse = UsernameToken('user', 'password', use_digest=False)Certificate Management
Store certificates securely and use appropriate file permissions:
import os
from zeep.wsse import Signature
# Ensure private key has restricted permissions
key_file = '/secure/path/private-key.pem'
os.chmod(key_file, 0o600) # Read only by owner
wsse = Signature(key_file, '/path/to/certificate.pem')HTTPS Enforcement
Always use HTTPS with security elements:
from zeep import Client, Settings
from zeep.wsse import UsernameToken
settings = Settings(force_https=True)
wsse = UsernameToken('user', 'password', use_digest=True)
# This will enforce HTTPS for all connections
client = Client('https://service.com/secure.wsdl', wsse=wsse, settings=settings)Install with Tessl CLI
npx tessl i tessl/pypi-zeep