dmitri
14 years ago
New Contributor
Authorization: Basic vs Set-Cookie: LtpaToken2
I'm posting this in the community forum as we are currently running a trial license of SoapUI Pro and have no SoapUI Pro user account yet ...
Appreciate any feedback/comments.
We have a series of webservices running on WAS, for which we have a simple test suite, and are in the process of upgrading to SoapUI Pro, when we noticed this behaviour:
It seems SoapUI ignores the LtpaToken cookie returned by our WAS server and the Authorization: Basic http header is always sent. This is actually what we want as subsequent services need different credentials, and we need to change the username/password.
However, SoapUI Pro does accept this cookie, and subsequently sends it, ignoring the Authorization: Basic http header.
Example below with SoapUI Pro, with sensitive data x-ed out, as intercepted with Axis2 tcp monitor:
1. Service invocation with basic authentication but wrong password, response is, as expected:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Default Realm"
Content-Language: en-US
Content-Length: 0
Connection: Close
Date: Thu, 14 Jun 2012 06:57:08 GMT
Server: WebSphere Application Server/6.1
2. Service invocation with basic authentication logon with correct password, the request contains
POST /GatewayWeb/services/Gateway HTTP/1.1
Connection: close
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 1158
Host: 172.20.2.54:666
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Authorization: Basic XXXXXXXXXXXXXX
With the response containing:
Set-Cookie: LtpaToken2=xxxxxxxxxxx
Set-Cookie: LtpaToken=xxxxxxxxxxxxx
3. Service invocation with basic authentication logon still correct, the request now contains
POST /GatewayWeb/services/Gateway HTTP/1.1
Connection: close
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 1158
Host: 172.20.2.54:666
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Cookie: LtpaToken=XXXXXXXXXXX
Repeat this with SoapUI and we see (in step 3) the cookie is never sent, always the basic auth header.
Is there a config that tells SoapUI not to accept cookies, or clean out cookies in the request?
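The exchange described in the post, reproduced against a local stand-in server, as an added example that is not part of the original post and is not SoapUI or WebSphere code. It shows why a client that stores the token cookie can hide a failed credential check: the second call sends a wrong password and still succeeds. Assumptions: the stand-in server honours a valid token cookie ahead of the Authorization header, and the credentials, token value and handler names are constructed for the demo.

```python
import base64, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed credentials
BAD = "Basic " + base64.b64encode(b"alice:wrong").decode()    # same user, wrong password
TOKEN = "constructed-token"  # stands in for the opaque LtpaToken2 value

class Gateway(BaseHTTPRequestHandler):
    """Stand-in service: a valid token cookie wins over the Authorization header (assumption)."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        by_cookie = f"LtpaToken2={TOKEN}" in self.headers.get("Cookie", "")
        by_basic = self.headers.get("Authorization") == GOOD
        if by_cookie or by_basic:
            self.send_response(200)
            if not by_cookie:  # first successful logon issues the token
                self.send_header("Set-Cookie", f"LtpaToken2={TOKEN}; Path=/")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Default Realm"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def call(opener, url, auth):
    """POST once with the given Authorization header and return the HTTP status."""
    req = urllib.request.Request(url, data=b"<soap/>", headers={"Authorization": auth})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Gateway)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/GatewayWeb/services/Gateway"
    direct = urllib.request.ProxyHandler({})  # ignore any proxy environment variables
    with_jar = urllib.request.build_opener(direct, urllib.request.HTTPCookieProcessor(CookieJar()))
    no_jar = urllib.request.build_opener(direct)  # no cookie handler: Set-Cookie is dropped
    results = {
        "with_jar": [call(with_jar, url, GOOD), call(with_jar, url, BAD)],
        "no_jar": [call(no_jar, url, GOOD), call(no_jar, url, BAD)],
    }
    server.shutdown()
    server.server_close()
    return results
```

With the cookie store the wrong password is accepted on the second call; without it the same call gets the 401 the test expects.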