Phillip Pearson - web + electronics notes

tech notes and web hackery from a new zealander who was vaguely useful on the web back in 2002 (see: python community server, the blogging ecosystem, the new zealand coffee review, the internet topic exchange).

2006-5-19

WSSE implementations or test rigs?

I'm trying to get WSSE authentication to work with the 43things API, only I'm screwing something up and all I get back is a "200 OK" header and an empty response.

Are there any sites that actually support Atom-style X-WSSE authentication except 43things? The AtomPubTesting page doesn't show any, and Blogger's Atom endpoint just tells me I'm sorry, we only support BASIC Authentication over SSL. Mark's XML.com article is two and a half years old now, but still I can't find any mention of (or link to any mention of) WSSE in the latest Atom-Pub draft. Come on guys, wasn't Atom meant to be better-documented than RSS and the metaWeblog API?

Aha - finally figured out that Movable Type supports the Atom API. Not sure how a client is meant to figure that out, though - the only mention of editing is the <link rel="EditURI"> element, which points to an RSD file that only mentions the metaWeblog and Blogger-v1 endpoints. Then when you go to mt-atom.cgi, it just says "1" until you figure out that the endpoint is actually mt-atom.cgi/weblog/. But now - finally I see a WWW-Authenticate: WSSE profile="UsernameToken" header - so I can get on to my testing!

Update: Clock skew will be an issue with WSSE; is there an accepted way for a client to sync time with a server?

Note: MT's WSSE implementation differs from that in Mark's XML.com article; in MT, the Nonce parameter is expected to be encoded with base64.

Update 2: I now have my code generating X-WSSE headers that MT is accepting as valid. Still no luck with 43things, though.

... more like this: []