gesomax / httplib2

Automatically exported from code.google.com/p/httplib2

Nonce header in WSSE authentication should be base64-encoded #61

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Execute a WSSE authentication.
2.
3.

What is the expected output? What do you see instead?

Expected output is that the authentication should complete successfully
with status=200. Actual result was 401 because authentication failed.

What version of the product are you using? On what operating system?

0.5.0-py2.5

Please provide any additional information below.

The fix below appeared to solve the problem:

Change:

        headers['X-WSSE'] = 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
                self.credentials[0],
                password_digest,
                cnonce,
                iso_now)

to:

        headers['X-WSSE'] = 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
                self.credentials[0],
                password_digest,
                base64.encodestring(cnonce).strip(),
                iso_now)

Original issue reported on code.google.com by pauljmac...@gmail.com on 17 Aug 2009 at 5:47

GoogleCodeExporter commented 8 years ago
The nonce is not base64 encoded in WSSE.

Original comment by joe.gregorio@gmail.com on 26 Dec 2009 at 5:15

GoogleCodeExporter commented 8 years ago
I suspect the NONCE should be base64 encoded.

Quoting the Oasis document "Web Services Security UsernameToken Profile 1.1
OASIS Standard Specification, 1 February 2006"
(http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf)

lines 254-257:
"/wsse:UsernameToken/wsse:Nonce/@EncodingType
This optional attribute URI specifies the encoding type of the nonce (see the definition of <wsse:BinarySecurityToken> for valid values). If this attribute isn't specified then the default of Base64 encoding is used."

Without the above patch, httplib2 fails to talk to other vendors' WSE stacks (e.g. MS .NET applications).

Original comment by JulianGRendell on 1 Jan 2010 at 8:16
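
The exchange discussed in this thread, as an added example (not httplib2's code and not part of the original issue): a client builds the X-WSSE header and a hypothetical verifier applies the Base64 default for Nonce quoted above from the UsernameToken Profile. The digest formula Base64(SHA-1(nonce + created + password)) is taken from that profile; the function names, credentials, nonce and timestamp are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample values (not from the issue).
USER, PASSWORD = "alice", "s3cret"
NONCE = b"d36e316282959a9e"          # 16 hex characters, as raw nonce bytes
CREATED = "2009-08-17T05:47:00Z"

def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_header(user, password, nonce, created, encode_nonce=True):
    """Client side; encode_nonce=False sends the nonce as-is (the 'Change:' form)."""
    wire = base64.b64encode(nonce).decode() if encode_nonce else nonce.decode()
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        user, password_digest(nonce, created, password), wire, created)

def parse_header(header):
    """Split an X-WSSE value into its quoted fields."""
    fields = {}
    for part in header[len("UsernameToken "):].split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields

def verify(header, password):
    """Hypothetical verifier that treats Nonce as Base64 (the profile's default)."""
    f = parse_header(header)
    try:
        nonce = base64.b64decode(f["Nonce"], validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = password_digest(nonce, f["Created"], password)
    return hmac.compare_digest(expected, f["PasswordDigest"])

if __name__ == "__main__":
    for encoded in (True, False):
        hdr = build_header(USER, PASSWORD, NONCE, CREATED, encode_nonce=encoded)
        print("nonce base64-encoded:", encoded, "-> accepted:", verify(hdr, PASSWORD))
```

The constructed 16-character hex nonce is itself valid Base64, so this verifier decodes the unencoded form without error into different bytes; the digest comparison, not the decode step, is what rejects the request.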