WSSE Username Token Authentication

This article is a couple years old, but it covers some stuff I wasn’t aware of: Atom authentication using the WSSE Username Token specification from SOAP. It passed Mark Pilgrim’s “Bob Test” and is a nice solution for the general case where you need to do authentication over HTTP and and both ends know the cleartext password. You’d rather be storing the MD5 hash of a password, but in some cases Bob must compromise.