On Wednesday 01 December 2010 2:52:12 pm FelipeGC wrote:
> Hi all!
>
> I'm writing a client application that needs to authenticate in the server
> using WSS Username Token Profile. The password must be encrypted using the
> password digest as described in the specification: Base64 ( SHA-1 ( nonce +
> created + password ) ).
>
> For that purpose I'm using the WSS4JOutInterceptor as follows:
>
> Map<String, Object> outProps = new HashMap<String, Object>();
> String username = "aUsername";
> String password = "aPassword";
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
> outProps.put(WSHandlerConstants.USER, username);
> outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
>     new ClientPasswordCallbackHandler(username, password));
> WSS4JOutInterceptor wssInterceptor = new WSS4JOutInterceptor(outProps);
>
> The resulting XML is being created with the elements: 'Username',
> 'Password', 'Nonce' and 'Created'. The 'Nonce' is being created like this:
>
> <wsse:Nonce
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">kG8i5U4s1I6AbolCG/AYkw==</wsse:Nonce>
>
> As I understand this is right, but the server is not authenticating my
> request. The guys responsible for the server said that the 'Nonce' must not
> be encoded in Base64 and that encoding is optional. Is this right?

If you look at the UsernameToken profile specification:

http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

Line 249 clearly states that it IS optional, but if unspecified, the default
is Base64. By outputting the EncodingType like above, we are wasting
bandwidth by outputting redundant information, but it is completely valid.

Thus, they are wrong. Base64 is the correct encoding for it.

Dan

>
> What I want to know is: is there any other way to send the 'Nonce' using
> another encoding other than Base64?
>
> Thanks,
> FelipeGC

--
Daniel Kulp
[email protected]
http://dankulp.com/blog
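
An added example, not part of the original thread and not WSS4J's own code: a stand-alone receiver-side check of the digest formula quoted above, Base64 ( SHA-1 ( nonce + created + password ) ), where the nonce is hashed as the octets obtained by Base64-decoding the element text. The class name, method names and the `created` timestamp are assumptions made for illustration; the nonce and password are the sample values from the post. The last lines show that a receiver hashing the nonce text undecoded computes a different digest; the thread does not say whether this server does that.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class UsernameTokenDigestCheck {  // hypothetical class name

    // Password_Digest = Base64( SHA-1( nonce + created + password ) ).
    // The nonce is hashed as raw octets (the decoded element text);
    // created and password are hashed as their UTF-8 bytes.
    static String digest(byte[] nonceOctets, String created, String password)
            throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonceOctets);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Receiver side: decode the nonce as Base64 (the default EncodingType),
    // recompute the digest and compare it in constant time.
    static boolean verify(String nonceText, String created, String password,
                          String receivedDigest) throws NoSuchAlgorithmException {
        byte[] nonce;
        try {
            nonce = Base64.getDecoder().decode(nonceText.trim());
        } catch (IllegalArgumentException e) {
            return false; // element text is not valid Base64
        }
        byte[] expected = digest(nonce, created, password).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = receivedDigest.trim().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        String nonceText = "kG8i5U4s1I6AbolCG/AYkw=="; // nonce from the post
        String created = "2010-12-01T14:52:12Z";       // constructed sample timestamp
        String password = "aPassword";                 // sample password from the post
        String sent = digest(Base64.getDecoder().decode(nonceText), created, password);
        System.out.println("client digest:             " + sent);
        System.out.println("receiver decoding Base64:  " + verify(nonceText, created, password, sent));
        // A receiver that hashes the element text as-is, without decoding it,
        // feeds different octets into SHA-1 and rejects the same token.
        String undecoded = digest(nonceText.getBytes(StandardCharsets.UTF_8), created, password);
        System.out.println("receiver hashing raw text: " + undecoded.equals(sent));
    }
}
```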
