I'm using a web services framework (download here, documentation here). Actually, I'm currently using version 1.2.0 but that shouldn't make much difference.
The problem I'm having is that when I use this framework to create a web services client, it is calculating a Password Digest differently than the Java framework they are using on the server. The result is that authentication fails although my username and password are correct.
I suspect that my PHP framework may be calculating the password digest incorrectly because the guy who manages the server code told me that the password digest sent by my client framework is what you would get if you left the nonce out when you were hashing everything together.
Here's my PHP code:
[code]
<?php
// WSDL_GATEWAY: constant holding the gateway's WSDL URL, defined elsewhere.

// Turn on the UsernameToken and Timestamp parts of WS-Security.
$policy = new WSPolicy(
    array("security" => array("useUsernameToken" => TRUE,
                              "includeTimeStamp" => TRUE)));

// Credentials. "Digest" asks the framework to send a PasswordDigest instead of PasswordText.
$securityToken = new WSSecurityToken(array("user"         => "myusername",
                                           "password"     => "a123456",
                                           "passwordType" => "Digest",
                                           "ttl"          => 300));

$client = new WSClient(array("wsdl"          => WSDL_GATEWAY,
                             "useWSA"        => TRUE,
                             "policy"        => $policy,
                             "securityToken" => $securityToken));

/* code to formulate request here ($requests is built by that code) */

$proxy = $client->getProxy();
$returnValue = $proxy->bulkImport(array("requests"      => $requests,
                                        "dataSource"    => "TaxGold",
                                        "maximumCharge" => 50));
[/code]
The resulting SOAP message (with some extra line returns for readability) looks like this:
[code]
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2008-07-11T21:39:16.292Z</wsu:Created>
        <wsu:Expires>2008-07-11T21:44:16.292Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>myusername</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">WaqaaUMq2turGpyIjAztnUF29n8=</wsse:Password>
        <wsse:Nonce>AOrgd/SdlpciNTNg/cWQc4V/sdkbcPCB</wsse:Nonce>
        <wsu:Created>2008-07-11T21:39:16.422Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <ns1:bulkImport xmlns:ns1="http://bulk_import.lookup.servicedomain.com/" xmlns:ns2="NULL">
      <ns2:dataSource xmlns:ns2="NULL">TaxGold</ns2:dataSource>
      <ns2:maximumCharge xmlns:ns3="NULL">50</ns2:maximumCharge>
    </ns1:bulkImport>
  </soapenv:Body>
</soapenv:Envelope>
[/code]
As you can see, my client is transmitting a password digest and nonce:
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">WaqaaUMq2turGpyIjAztnUF29n8=</wsse:Password>
<wsse:Nonce>AOrgd/SdlpciNTNg/cWQc4V/sdkbcPCB</wsse:Nonce>
I know that the password digest is supposed to be a hash of the original plaintext password and some other values, but I'm not really sure which ones, whether they all exist in this SOAP message, or whether they are something else inferred from the message context somewhere.
Furthermore, the hash does not appear to be MD5 because it has slashes and equal signs and non-hexadecimal chars.
I've read a lot of RFC 2617 but it might as well be Chinese. What is a 'realm'? Those RFCs kill me.
EDIT:
This is making some sense:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
But I'm still a bit lost about how to see who is right...me or the server. Any recommendations would be helpful.
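One way to settle who is right is to recompute the digest yourself from the values in the captured message. The script below is an added example written for this page; it is not code from the post or from the PHP framework, and it is deliberately written in Python so it shares nothing with the client being checked. It assumes the plaintext password is the "a123456" from the code in the post, and it reads the nonce, the token's own wsu:Created and the digest from a copy of the posted Security header (body dropped). Besides the profile's formula, Password_Digest = Base64(SHA-1(nonce + created + password)) with the nonce as its raw base64-decoded bytes, it tries the variants that clients and servers commonly get wrong, including the nonce-omitted construction the server admin described, and reports which of them reproduces the digest on the wire.

```python
"""Independent check of a WS-Security UsernameToken PasswordDigest.

Recomputes Base64(SHA-1(nonce + created + password)) from a captured SOAP
message and also tries common wrong variants, so the output shows whether the
client deviates from the UsernameToken Profile 1.0 and, if so, how.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"wsse": WSSE, "wsu": WSU}

# Security header copied from the SOAP message in the post (body dropped).
SAMPLE_MESSAGE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">
<wsu:Timestamp xmlns:wsu="{WSU}">
<wsu:Created>2008-07-11T21:39:16.292Z</wsu:Created>
<wsu:Expires>2008-07-11T21:44:16.292Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="{WSU}">
<wsse:Username>myusername</wsse:Username>
<wsse:Password Type="{DIGEST_TYPE}">WaqaaUMq2turGpyIjAztnUF29n8=</wsse:Password>
<wsse:Nonce>AOrgd/SdlpciNTNg/cWQc4V/sdkbcPCB</wsse:Nonce>
<wsu:Created>2008-07-11T21:39:16.422Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

# Assumed: the plaintext password from the PHP code in the post.
PASSWORD = "a123456"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce || created || password)).

    `nonce` is the raw binary nonce (the wsse:Nonce element carries its base64
    form); `created` is the exact wsu:Created string from inside the token."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_username_token(xml_text: str) -> dict:
    """Pull the digest inputs out of the captured envelope."""
    root = ET.fromstring(xml_text)
    token = root.find(".//wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no wsse:UsernameToken in message")
    timestamp = root.find(".//wsu:Timestamp", NS)
    return {
        "username": token.findtext("wsse:Username", namespaces=NS),
        "digest": token.findtext("wsse:Password", namespaces=NS),
        "nonce_b64": token.findtext("wsse:Nonce", namespaces=NS),
        # The Created that counts is the one inside the token, not the Timestamp's.
        "created": token.findtext("wsu:Created", namespaces=NS),
        "timestamp_created": (timestamp.findtext("wsu:Created", namespaces=NS)
                              if timestamp is not None else None),
    }


def candidate_digests(nonce_b64: str, created: str, password: str,
                      timestamp_created: str = None) -> dict:
    """The spec digest plus the deviations implementations commonly make."""
    nonce = base64.b64decode(nonce_b64)
    cands = {
        "spec: raw nonce + token Created + password": password_digest(nonce, created, password),
        "nonce omitted: Created + password": password_digest(b"", created, password),
        "nonce used as base64 text, not decoded": password_digest(nonce_b64.encode("ascii"), created, password),
        "Created omitted: nonce + password": password_digest(nonce, "", password),
    }
    if timestamp_created and timestamp_created != created:
        cands["Timestamp/Created used instead of token Created"] = (
            password_digest(nonce, timestamp_created, password))
    return cands


def identify(xml_text: str, password: str) -> list:
    """Labels of the constructions that reproduce the digest on the wire."""
    tok = parse_username_token(xml_text)
    cands = candidate_digests(tok["nonce_b64"], tok["created"], password,
                              tok["timestamp_created"])
    return [label for label, digest in cands.items() if digest == tok["digest"]]


if __name__ == "__main__":
    tok = parse_username_token(SAMPLE_MESSAGE)
    print("on the wire:", tok["digest"])
    for label, digest in candidate_digests(tok["nonce_b64"], tok["created"],
                                           PASSWORD, tok["timestamp_created"]).items():
        print(f"{'MATCH ' if digest == tok['digest'] else '      '}{digest}  {label}")
    print("matching constructions:", identify(SAMPLE_MESSAGE, PASSWORD) or "none")
```

If the line labelled "spec" matches and the server still rejects the token, the server side is deviating from the profile; if the "nonce omitted" line matches, the PHP client is building the digest the way the server admin suspected. Note that the captured message carries two different wsu:Created values (the Timestamp's ends in .292Z, the token's in .422Z); the digest must be computed over the one inside the UsernameToken, and the last candidate catches an implementation that picks the wrong one. A digest that is 28 base64 characters is a 20-byte SHA-1, which is why it does not look like a hex MD5 string.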