Hi there,
I am experimenting with the WSSecurityToken "Username". As far as I've understood the OASIS specification for this token (oasis-200401-wss-username-token-profile-1.0.pdf [1]), it provides secure user authentication. It's more or less "safe" against replay attacks if used with the timestamp and TTL option and if some recommendations are followed:
1. It is RECOMMENDED that web service producers reject any UsernameToken not using both nonce and creation timestamps.
2. It is RECOMMENDED that web service producers provide a timestamp “freshness” limitation, and that any UsernameToken with “stale” timestamps be rejected. As a guideline, a value of five minutes can be used as a minimum to detect, and thus reject, replays.
3. It is RECOMMENDED that used nonces be cached for a period at least as long as the timestamp freshness limitation period, above, and that UsernameToken with nonces that have already been used (and are thus in the cache) be rejected.
Does WSO2 implement these recommendations?
Another question related to the WSSecurityToken "Username":
Is it possible to extract the username from the UsernameToken and use it for authorization?
E.g. user "Tom" authenticated himself by UsernameToken and is allowed to access the method "addUser", but user "Sam" isn't allowed to access the method "addUser". Is it possible to restrict the access to some methods by username (while using the information provided by the UsernameToken)?
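As an added example (not WSO2's code and not part of the original post), here is a server-side validator that applies the three quoted recommendations to a constructed UsernameToken and then uses the extracted Username for a per-method allow-list. The element names and namespaces follow the WSS 1.0 schemas; validate_token, NonceCache, METHOD_ACL, the sample token and the fixed clock values are this example's own assumptions, and password-digest verification is assumed to happen separately.

```python
# Added example: replay checks per the three OASIS recommendations, then method authorization.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
FRESHNESS = timedelta(minutes=5)          # spec guideline for rejecting "stale" tokens
METHOD_ACL = {"addUser": {"Tom"}}         # constructed policy: who may call which method

class NonceCache:
    """Remembers nonces for at least the freshness window (recommendation 3)."""
    def __init__(self):
        self.seen = {}                    # nonce -> time first seen
    def first_use(self, nonce, now):
        for n, t in list(self.seen.items()):   # evict entries older than the window
            if now - t > FRESHNESS:
                del self.seen[n]
        if nonce in self.seen:
            return False
        self.seen[nonce] = now
        return True

def validate_token(xml_text, cache, now):
    """Return (True, username) if the token is fresh and unseen, else (False, reason)."""
    tok = ET.fromstring(xml_text)
    user = tok.findtext(f"{{{WSSE}}}Username")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not user or not nonce or not created:
        return False, "nonce and Created required"        # recommendation 1
    try:  # assumes the xsd:dateTime form without fractional seconds
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed Created"
    if abs(now - created_dt) > FRESHNESS:
        return False, "stale timestamp"                     # recommendation 2
    if not cache.first_use(nonce, now):
        return False, "replayed nonce"                      # recommendation 3
    return True, user

def authorize(user, method):
    return user in METHOD_ACL.get(method, set())   # "Tom" may call addUser, "Sam" may not

SAMPLE = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:Username>Tom</wsse:Username>
  <wsse:Nonce>Y29uc3RydWN0ZWQtbm9uY2U=</wsse:Nonce>
  <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
</wsse:UsernameToken>"""                  # constructed sample token (nonce is made up)
NOW = datetime(2003, 7, 16, 1, 25, 0, tzinfo=timezone.utc)   # constructed server clock
LATER = NOW + timedelta(minutes=10)                           # beyond the freshness window
```

Presenting SAMPLE twice to the same NonceCache yields (True, "Tom") and then (False, "replayed nonce"); presenting it at LATER is rejected as stale before the nonce is even consulted.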