Question

I am relatively new to SOAP web services, and it seems to be a basic thing, but still, I cannot find the way to solve it. I have a SOAP server written using Spring WS with XWS security. These are the relevant beans:

<bean id="wsSecurityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
    <property name="policyConfiguration"
            value="classpath:security-policy.xml"/>
    <property name="callbackHandlers">
        <list>
            <ref bean="passwordValidationHandler"/>
        </list>
    </property>
</bean>

<bean id="passwordValidationHandler" class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
    <property name="users">
        <props>
            <prop key="user">*****</prop>
        </props>
    </property>
</bean>

And the following is security-policy.xml:

<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
    <xwss:UsernameToken digestPassword="true" useNonce="true"/>
</xwss:SecurityConfiguration>

The thing is that I want to establish a digest authentication using a nonce (a one-time token that prevents an intercepted request from being sent again). As far as I know (and it is described here http://www.whitemesa.com/soapauth.html#S4), the server should create a challenge (nonce and timestamp, I think) and then the client should encrypt it with its password and timestamp and send it back to the server for verification. And this should work for every request. Even if the user sends an empty request, the server should provide a challenge. But in my case it does not work. Am I missing something?


Solution

As it turned out, it is not necessarily the server who should generate the nonce. I generated it on the client, concatenated and hashed it according to the rules and then sent it to the server. Frankly speaking, I could only find the root of the error by debugging Spring WS sources and looking for where exactly the authentication problem is.
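The client-side digest the answer describes, together with the server-side check that makes the nonce actually stop a replayed request, as an added example that is not from the question, the answer, or Spring WS itself. It follows the WS-Security UsernameToken Profile rule that XWSS implements, PasswordDigest = Base64(SHA-1(nonce + created + password)); the user map, the five-minute freshness window and the in-memory nonce cache are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # format of the wsu:Created timestamp


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: Optional[str] = None) -> dict:
    """Client side: fresh random nonce, current timestamp, digest over both plus the password."""
    nonce = os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side: checks the digest, the timestamp window and that the nonce is unused."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users        # username -> password (assumed; mirrors the <props> bean)
        self.max_skew = max_skew  # accepted clock drift / message age (assumed window)
        self.seen = {}            # base64 nonce -> Created time, kept for max_skew

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        # Forget nonces older than the window; such messages fail the timestamp check anyway.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_skew}
        password = self.users.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], WSU_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False  # stale or future-dated message
        if token["Nonce"] in self.seen:
            return False  # nonce already accepted once: replay
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False  # wrong password, or nonce/timestamp altered in transit
        self.seen[token["Nonce"]] = created  # record only nonces that were accepted
        return True
```

The nonce cache must be kept at least as long as the freshness window, otherwise a captured message can be replayed once the server has forgotten the nonce but still accepts the timestamp.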

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow