A regression in SoapUI 4.5.1 due to the upgrade to wss4j-1.6.2 blocks us from upgrading to the latest version. Since SoapUI 4.5.1 it is not possible to sign the wsse:BinarySecurityToken.A part referencing {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken generates an error **Element to encrypt/sign not found**. In SoapUI 4.0.1/wss4j-1.5.x, there was a workaround to add a part named 'Token' (no namespace) which was resolved to the BinarySecurityToken by wss4j. This is not the case in 1.6.2 anymore.The implementation of the Signature step should add all tokens to the SOAP header before hashing the signature parts. This is not the case in SoapUI. Another solution would be to add a WSS Entry BinarySecurityToken (cfr the Username entry) to specify the token before the Signature entry.Signing the security token is a best practice for avoid token substitution as described in the OASIS specification:http://docs.oasis-open.org/wss-m/wss/v1 ... c307416645The issue was reported in July 2009, but the workaround given is not acceptable as it generates double signatures.viewtopic.php?t=2086The issue was also reported on the Communicaty Board in July 2012, but no response was given to this post.viewtopic.php?f=13&t=14296&hilit=tokenPlease provide a solution to this problem.

Can you please confirm this regression and provide a solution or fix date? Thank you.

Hi!We've verified that this is a bug and have registered an issue for it in our bug tracker (SOAPUI-4586).Also we've verified that the 'Token' workaround suggested doen't work in the SoapUI Pro 4.5.1We'll let you know as soon as we have more information about this.Sorry for the inconvenience.-- RegardsErikSmartBear Sweden

Can you please provide an update for SOAPUI-4586. We didn't see this issuer resolved in SoapUI 4.5.2 and 4.6.1.

Hi!I'm sorry to here that you are still struggling with this. Unfortunately this bug is still open, but I've notified our product owner about this.-- RegardsErikSmartBear Sweden

Can you provide us an update please? This is a blocking issue for us and we're stuck on version 4.0.1.

SoapUI 4.5.1 does now allow to sign BinarySecurityToken

12 Replies

Richard_Garcia
Occasional Contributor
12 years ago
Can you please confirm this regression and provide a solution or fix date? Thank you.
SmartBear_Suppo
SmartBear Alumni (Retired)
12 years ago
Hi!

We've verified that this is a bug and have registered an issue for it in our bug tracker (SOAPUI-4586).

Also we've verified that the 'Token' workaround suggested doen't work in the SoapUI Pro 4.5.1

We'll let you know as soon as we have more information about this.

Sorry for the inconvenience.

--
Regards

Erik
SmartBear Sweden
Richard_Garcia
Occasional Contributor
11 years ago
Can you please provide an update for SOAPUI-4586. We didn't see this issuer resolved in SoapUI 4.5.2 and 4.6.1.
SmartBear_Suppo
SmartBear Alumni (Retired)
11 years ago
Hi!

I'm sorry to here that you are still struggling with this. Unfortunately this bug is still open, but I've notified our product owner about this.

--
Regards

Erik
SmartBear Sweden
Richard_Garcia
Occasional Contributor
11 years ago
Can you provide us an update please? This is a blocking issue for us and we're stuck on version 4.0.1.
SmartBear_Suppo
SmartBear Alumni (Retired)
11 years ago
Hi,

This bug was prioritized for 4.6.3 release by the Product owner, but for some reason it did not make it. But it is still a top priority. Unfortunately, I can't make a definitive promise but hopefully it will be fixed in the next release.

Regards,
Shadid
SmartBear Sweden
Richard_Garcia
Occasional Contributor
11 years ago
4.6.4 didn't fix SOAPUI-4586 either. This is unfortunate as a working solution has been posted 2 years ago on this forum
viewtopic.php?f=13&t=14296&hilit=token

If we deliver a pull request for this issue, would it facilitate the release of the fix?
SmartBear_Suppo
SmartBear Alumni (Retired)
11 years ago
Hi!

Thanks for the walk around.
I will remind our product owner about this issue again.
Yes, a proper pull request will most likely increase your chances of getting it into the next release.

--
Regards

Erik
SmartBear Sweden
Richard_Garcia
Occasional Contributor
11 years ago
Which branch should I choose? Maintenance? The master branch is already 5.0.0. I don't see a release-4.6.5 created yet.
Richard_Garcia
Occasional Contributor
11 years ago
Pull request provided for master branch (4.6.4)
https://github.com/SmartBear/soapui/pull/34

Forum Discussion

SoapUI 4.5.1 does now allow to sign BinarySecurityToken

12 Replies

Related Content

SoapUI 5.7 & 5.6 MacOS Installer and multiple libprism warnings: "will damage your computer"

SoapUi Groovy conditional property transfer

Does SoapUI 5.6.0 has log4j vulnerability?

SoapUI 5.6.0 upgrade keeps JRE 8 : java.lang.UnsupportedClassVersionError

SoapUI 5.5.0 Log4j vulnerability

Recent Discussions

How to hit update service multiple time with different data set.

How do I prevent a file path from being altered when being parsed by JsonSlurper in Groovy Script?

Darshan Hiranandani : Exploring ReadyAPI Integration with Azure Git

Multipart requests getting blocked by the Azure WAF 200003

Parameterising JDBC Connection Settings..Can you do it?