Password Digest Validation Program

A Java program, WsuPasswordDigestValidation.java, is provided in this tutorial to demonstrate how the WSU Password Digest value is calculated. It can also be used to manually validate any WSS request that uses the Username Token.

In order to demonstrate the WSU Password Digest generation process, I wrote the following Java program, WsuPasswordDigestValidation.java. It contains 3 sets of input examples.

/* WsuPasswordDigestValidation.java
 - Copyright (c) 2015, HerongYang.com, All Rights Reserved.
 */
import java.util.Base64;
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
public class WsuPasswordDigestValidation {
   public static void main(String[] args) {
      String pwd;
      String created;
      String nonce;
      String passwordDigest;

      System.out.println();
      System.out.println("Test example 1");
      pwd = "iLoveDogs";
      created = "2014-06-21T12:43:21.791Z";
      nonce = "0TBQcVnd9H4uGi1jGxqJWg==";
      passwordDigest = "SjUQn7b8qSr5x4WOg9YLieSe2to=";
      verify(nonce, created, pwd, passwordDigest);

      System.out.println();
      System.out.println("Test example 2");
      pwd = "iLoveDogs";
      created = "2014-06-21T12:43:21.791Z";
      nonce = "0TBQcVnd9H4uGi1jGxqJWg==";
      passwordDigest = "PfZyE8nQQR2rAsODn7iVGaf8hD8=";
      verify(nonce, created, pwd, passwordDigest);

      System.out.println();
      System.out.println("Test example 3");
      pwd = "iLoveDogs";
      created = "2014-07-24T02:30:11.010Z";
      nonce = "v7FxYg7FZGsHbuFtIVWhCA==";
      passwordDigest = "JPyw/4MeEoEGmR9sOcBqzjGZc6U=";
      verify(nonce, created, pwd, passwordDigest);
   }

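   // Recomputes Base64(SHA-1(nonce + created + password)) and compares
   // the result with the digest provided in the request.
   public static void verify(String nonce, String created,
      String pwd, String passwordDigest) {
      try {
         // The nonce value is Base64 encoded; the digest is computed
         // over its decoded bytes, not over the Base64 text.
         byte[] nonceBytes = Base64.getDecoder().decode(nonce);
         byte[] createdBytes = created.getBytes("UTF-8");
         byte[] passwordBytes = pwd.getBytes("UTF-8");

         // Concatenate in this exact order: nonce, created, password
         ByteArrayOutputStream outputStream =
            new ByteArrayOutputStream( );
         outputStream.write(nonceBytes);
         outputStream.write(createdBytes);
         outputStream.write(passwordBytes);
         byte[] concatenatedBytes = outputStream.toByteArray();

         // SHA-1 hash of the concatenation, then Base64 encode it
         MessageDigest digest = MessageDigest.getInstance( "SHA-1" );
         digest.update(concatenatedBytes, 0, concatenatedBytes.length);
         byte[] digestBytes = digest.digest();
         String digestString = Base64.getEncoder().encodeToString(digestBytes);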

         String result = "";
         if (digestString.equals(passwordDigest)) {
            result = "valid";
         } else {
            result = "invalid";
         }
         System.out.println("Provided password digest is: "+result);
         System.out.println("   Nonce: "+nonce);
         System.out.println("   Timestamp: "+created);
         System.out.println("   Password: "+pwd);
         System.out.println("   Computed digest: "+digestString);
         System.out.println("   Provided digest: "+passwordDigest);
      } catch (Exception e) {
         e.printStackTrace();
      }
   }
}

Compiling and running WsuPasswordDigestValidation.java requires JDK 1.8, because the java.util.Base64 class is used. Here is the execution output:

Test example 1
Provided password digest is: invalid
   Nonce: 0TBQcVnd9H4uGi1jGxqJWg==
   Timestamp: 2014-06-21T12:43:21.791Z
   Password: iLoveDogs
   Computed digest: PfZyE8nQQR2rAsODn7iVGaf8hD8=
   Provided digest: SjUQn7b8qSr5x4WOg9YLieSe2to=

Test example 2
Provided password digest is: valid
   Nonce: 0TBQcVnd9H4uGi1jGxqJWg==
   Timestamp: 2014-06-21T12:43:21.791Z
   Password: iLoveDogs
   Computed digest: PfZyE8nQQR2rAsODn7iVGaf8hD8=
   Provided digest: PfZyE8nQQR2rAsODn7iVGaf8hD8=

Test example 3
Provided password digest is: valid
   Nonce: v7FxYg7FZGsHbuFtIVWhCA==
   Timestamp: 2014-07-24T02:30:11.010Z
   Password: iLoveDogs
   Computed digest: JPyw/4MeEoEGmR9sOcBqzjGZc6U=
   Provided digest: JPyw/4MeEoEGmR9sOcBqzjGZc6U=

You can also modify WsuPasswordDigestValidation.java to validate any WSU request you have received by changing the input values.
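
Instead of copying the input values by hand, the same check can read them from the UsernameToken element of a received request. The following is an added example, not part of the original tutorial program; the class name UsernameTokenCheck, the method verifyToken and the username "exampleUser" are assumptions, and the sample token is constructed from the values of test example 3.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class UsernameTokenCheck {
   static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
      + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
   static final String WSU = "http://docs.oasis-open.org/wss/2004/01/"
      + "oasis-200401-wss-wssecurity-utility-1.0.xsd";

   // Returns the text of the first element with the given namespace and name.
   static String text(Document doc, String ns, String name) {
      return doc.getElementsByTagNameNS(ns, name).item(0).getTextContent().trim();
   }

   // True if the token's Password equals Base64(SHA-1(nonce + created + pwd)).
   public static boolean verifyToken(String xml, String pwd) throws Exception {
      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
      f.setNamespaceAware(true);
      // The token comes from the network: refuse DOCTYPE declarations (XXE).
      f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      Document doc = f.newDocumentBuilder().parse(
         new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
      sha1.update(Base64.getDecoder().decode(text(doc, WSSE, "Nonce")));
      sha1.update(text(doc, WSU, "Created").getBytes(StandardCharsets.UTF_8));
      sha1.update(pwd.getBytes(StandardCharsets.UTF_8));
      byte[] provided = Base64.getDecoder().decode(text(doc, WSSE, "Password"));
      // Constant-time comparison of the raw digest bytes, unlike String.equals().
      return MessageDigest.isEqual(sha1.digest(), provided);
   }

   public static void main(String[] args) throws Exception {
      // Constructed token: Username is made up; other values are test example 3.
      String xml = "<wsse:UsernameToken xmlns:wsse=\"" + WSSE
         + "\" xmlns:wsu=\"" + WSU + "\">"
         + "<wsse:Username>exampleUser</wsse:Username>"
         + "<wsse:Password>JPyw/4MeEoEGmR9sOcBqzjGZc6U=</wsse:Password>"
         + "<wsse:Nonce>v7FxYg7FZGsHbuFtIVWhCA==</wsse:Nonce>"
         + "<wsu:Created>2014-07-24T02:30:11.010Z</wsu:Created>"
         + "</wsse:UsernameToken>";
      System.out.println("Correct password: " + verifyToken(xml, "iLoveDogs"));
      System.out.println("Wrong password:   " + verifyToken(xml, "iLoveCats"));
   }
}
```

A matching digest only shows that the sender knew the password for this nonce and timestamp. A receiver that accepts such tokens also needs to reject old Created values and nonces it has already seen, otherwise a captured token can be replayed.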

Last update: 2015.
