> By outputting the EncodingType like above, we are wasting
> bandwidth by outputting redundant information, but it is completely valid.

It may be a waste of bandwidth, but the Basic Security Profile spec requires it:

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html#UsernameTokenNonce

"R4220 Any NONCE MUST specify an EncodingType attribute."

> Thanks for the response Daniel, but how can I tell WSS4JOutInterceptor not to
> use Base64 encoding for the 'Nonce'?

No, only Base64 encoding is supported.

Colm.

On Wed, Dec 1, 2010 at 8:11 PM, Daniel Kulp <[email protected]> wrote:
> On Wednesday 01 December 2010 2:52:12 pm FelipeGC wrote:
>> Hi all!
>>
>> I'm writing a client application that needs to authenticate in the server
>> using WSS Username Token Profile. The password must be encrypted using the
>> password digest as described in the specification: Base64 ( SHA-1 ( nonce +
>> created + password ) ).
>>
>> For that purpose I'm using the WSS4JOutInterceptor as follows:
>>
>> Map<String, Object> outProps = new HashMap<String, Object>();
>> String username = "aUsername";
>> String password = "aPassword";
>> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
>> outProps.put(WSHandlerConstants.USER, username);
>> outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
>> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
>>     new ClientPasswordCallbackHandler(username, password));
>> WSS4JOutInterceptor wssInterceptor = new WSS4JOutInterceptor(outProps);
>>
>> The resulting XML is being created with the elements: 'Username',
>> 'Password', 'Nonce' and 'Created'. The 'Nonce' is being created like this:
>>
>> <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">kG8i5U4s1I6AbolCG/AYkw==</wsse:Nonce>
>>
>> As I understand this is right, but the server is not authenticating my
>> request. The guys responsible for the server said that the 'Nonce' must not
>> be encoded in Base64 and that encoding is optional. Is this right?
>
> If you look at the UsernameToken profile specification:
> http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf
> Line 249 clearly states that it IS optional, but if unspecified, the default
> is Base64. By outputting the EncodingType like above, we are wasting
> bandwidth by outputting redundant information, but it is completely valid.
> Thus, they are wrong. Base64 is the correct encoding for it.
>
>
> Dan
>
>
>>
>> What I want to know is: is there any other way to send the 'Nonce' using
>> another encoding other than Base64?
>>
>> Thanks,
>> FelipeGC
>
> --
> Daniel Kulp
> [email protected]
> http://dankulp.com/blog
>
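
The digest formula quoted in this thread, Base64(SHA-1(nonce + created + password)), is computed over the decoded nonce octets, while the wire carries the nonce as Base64 text. The following Python sketch is an added example, not code from the thread, WSS4J or CXF; the function names and the sample timestamp are assumptions made for illustration. It builds a UsernameToken and verifies it the way a receiving side could, accepting an omitted EncodingType as Base64 and rejecting any other value.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
B64 = OASIS + "soap-message-security-1.0#Base64Binary"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_bytes, created, password):
    """Base64(SHA-1(nonce + created + password)), nonce as decoded octets."""
    data = nonce_bytes + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def build_token(username, password, created, nonce_bytes=None):
    """Client side: emit a UsernameToken with a Base64 nonce and digest."""
    nonce_bytes = nonce_bytes or os.urandom(16)
    nonce_b64 = base64.b64encode(nonce_bytes).decode("ascii")
    digest = password_digest(nonce_bytes, created, password)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{digest}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def verify_token(xml_text, lookup_password):
    """Server side: recompute the digest and compare in constant time."""
    tok = ET.fromstring(xml_text)  # constructed input; harden the parser for untrusted XML
    nonce_el = tok.find(f"{{{WSSE}}}Nonce")
    # EncodingType may be omitted (default Base64); any other value is rejected here.
    if nonce_el is None or nonce_el.get("EncodingType", B64) != B64:
        return False
    try:
        nonce = base64.b64decode((nonce_el.text or "").strip(), validate=True)
    except ValueError:
        return False
    user = tok.findtext(f"{{{WSSE}}}Username", default="")
    created = tok.findtext(f"{{{WSU}}}Created", default="")
    claimed = tok.findtext(f"{{{WSSE}}}Password", default="")
    password = lookup_password(user)
    if password is None:
        return False
    expected = password_digest(nonce, created, password)
    return hmac.compare_digest(expected.encode(), claimed.encode())

if __name__ == "__main__":
    token = build_token("aUsername", "aPassword", "2010-12-01T20:11:00Z")
    print(verify_token(token, {"aUsername": "aPassword"}.get))
```

A receiver that hashes the Base64 text of the nonce instead of its decoded octets computes a different digest and rejects an otherwise valid token, which is worth ruling out when two stacks disagree. Replay protection (nonce caching and a freshness window on Created) is outside this sketch.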
