Category Archives: Java

How to generate X-WSSE Token using Java

Learn how to generate X-WSSE Token and how to authorize requests using X-WSSE header authentication.

If you’re not familiar with X-WSSE Token Authentication and why you should use it, go ahead and read this article that contains the basics of this type of authentication.

In this article I’ll describe how to generate a X-WSSE Token using Java.

import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Random;
import java.util.TimeZone;
import javax.xml.bind.DatatypeConverter;
public class xwsse {
    final protected static char[] hexArray = "0123456789abcdef".toCharArray();
    public static void main(String[] args) {
        String xwsse = getWsseHeader("CLIENT_ID", "CLIENT_SECRET");
    private static String getWsseHeader(String username, String secret) {
        String nonce = getNonce();
        String created = getUTCTimestamp();
        String digest = getPasswordDigest(nonce, created, secret);
        return String.format("UsernameToken Username=\"%s\", PasswordDigest=\"%s\", " + "Nonce=\"%s\", Created=\"%s\"", username, digest, nonce, created);
    private static String getUTCTimestamp() {
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
        return sdf.format(new Date());
    private static String getNonce() {
        byte[] nonceBytes = new byte[16];
        new Random().nextBytes(nonceBytes);
        return bytesToHex(nonceBytes);
    private static String getPasswordDigest(String nonce, String created, String secret) {
        String digest = "";
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            String hashedString = String.format("%s%s%s", nonce, created, secret);
            String sha256Sum = bytesToHex(messageDigest.digest());
            digest = DatatypeConverter.printBase64Binary(sha256Sum.getBytes("UTF-8"));
        } catch(NoSuchAlgorithmException ex) {
            System.out.println("No SHA-256 algorithm found");
        } catch(UnsupportedEncodingException ex) {
            System.out.println("Unable to use UTF-8 encoding");
        return digest;
    private static String bytesToHex(byte[] bytes) {
        char[] hexChars = new char[bytes.length*2];
        for(int j=0; j<bytes.length; j++) {
            int v = bytes[j] & 0xFF;
            hexChars[j*2] = hexArray[v >>> 4];
            hexChars[j*2+1] = hexArray[v & 0x0F];
        return new String(hexChars);

That’s it. Check my other X-WSSE Articles and learn how to generate the token using other programming languages.

What is X-WSSE Token Authentication and how does it work

Learn the basics of X-WSSE Token Authentication and how to authorize requests using X-WSSE header authentication.

X-WSSE Token Authentication can be used to authenticate backend-to-backend integrations using client_id and client_secret properties. The main benefit of this type of authentication is that the client_secret value never leaves the backend of the integrating client, and that each token, even if lost, is only valid for 5 minutes.

The X-WSSE Token is a string with the following format, usually a single HTTP header line which is broke down into multiple lines for easier readability:

X-WSSE: UsernameToken
Username="USERNAME",PasswordDigest="ASDFbasEHAPRo395MBANgoaiERJGJHSOSLGUsernameToken Username="68037425-fa69-49da-8715-fa393dc55471", PasswordDigest="OWRkZGRjMjk3ZjhiOGFhZmMzNGIzMjAwMWIyNmNjY2JkMTM2M2E5OGFlMGM2ZDI3OGIzZmQ5ZDAwY2RiODMzZg==", Nonce="ee2e8c783398782fd63af15141a1cb62", Created="2019-03-14T16:17:24.211Z"==",Nonce="b35f7341829e35d89851497a82894f",Created="2019-03-20T12:10:20Z"

I’ll briefly describe each component of the X-WSSE Token:


The name of the HTTP header that must be present in order to authorize the request.


Value represents the authentication method of the use X-WSSE Token. Currently X-WSSE only supports UsernameToken type of authentication.


The client_id property that you should generate for each integration of X-WSSE Token.


Field specifies the hashed token that will authorize the reuqest. For each request a new hash must be generated. Check my other posts and learn how to generate the X-WSSE Token using different server-side programming languages

Computing the Password Digest

Computing the password digest involves 5 simple steps:

  1. Generate random 16 byte Nonce formatted as 32 hexadecimal characters.
  2. Retrieve the current timestamp in ISO8601 format.
  3. The properties nonce, timestamp, secret should be concatenated in this order.
  4. Compute the SHA256 hash value of the string from #3 and convert it to hexadecimal format
  5. Encode the value from #5 in BASE64 and obtain the PasswordDigest


Random value with the purpose to make your request unique so it cannot be replicated by unknown parties. This string is always 16 bytes long and should be represented as a 32 characters long hexadecimal value.


This field contains the current UTC, GMT, ZULU timestamp (YYYY-MM-DDTHH:MM:SS) according to the ISO8601 format. e.g. 2018-05-20T12:51:45+01:00

Now you know what is a X-WSSE Token and the purpose of each of its components so let’s go to the Implementation. Check my other X-WSSE articles and learn more.