Forum Discussion

Richard_Garcia's avatar
Richard_Garcia
Occasional Contributor
12 years ago

SoapUI 4.5.1 does now allow to sign BinarySecurityToken

A regression in SoapUI 4.5.1 due to the upgrade to wss4j-1.6.2 blocks us from upgrading to the latest version. Since SoapUI 4.5.1 it is not possible to sign the wsse:BinarySecurityToken.

A part referencing {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken generates an error **Element to encrypt/sign not found**. In SoapUI 4.0.1/wss4j-1.5.x, there was a workaround to add a part named 'Token' (no namespace) which was resolved to the BinarySecurityToken by wss4j. This is not the case in 1.6.2 anymore.

The implementation of the Signature step should add all tokens to the SOAP header before hashing the signature parts. This is not the case in SoapUI. Another solution would be to add a WSS Entry BinarySecurityToken (cfr the Username entry) to specify the token before the Signature entry.

Signing the security token is a best practice for avoid token substitution as described in the OASIS specification:
http://docs.oasis-open.org/wss-m/wss/v1 ... c307416645

The issue was reported in July 2009, but the workaround given is not acceptable as it generates double signatures.
viewtopic.php?t=2086

The issue was also reported on the Communicaty Board in July 2012, but no response was given to this post.
viewtopic.php?f=13&t=14296&hilit=token

Please provide a solution to this problem.
  • Richard_Garcia's avatar
    Richard_Garcia
    Occasional Contributor
    12 years ago
    Can you please confirm this regression and provide a solution or fix date? Thank you.
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    12 years ago
    Hi!

    We've verified that this is a bug and have registered an issue for it in our bug tracker (SOAPUI-4586).

    Also we've verified that the 'Token' workaround suggested doen't work in the SoapUI Pro 4.5.1

    We'll let you know as soon as we have more information about this.

    Sorry for the inconvenience.

    --
    Regards

    Erik
    SmartBear Sweden
  • Richard_Garcia's avatar
    Richard_Garcia
    Occasional Contributor
    11 years ago
    Can you please provide an update for SOAPUI-4586. We didn't see this issuer resolved in SoapUI 4.5.2 and 4.6.1.
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    11 years ago
    Hi!

    I'm sorry to here that you are still struggling with this. Unfortunately this bug is still open, but I've notified our product owner about this.


    --
    Regards

    Erik
    SmartBear Sweden
  • Richard_Garcia's avatar
    Richard_Garcia
    Occasional Contributor
    11 years ago
    Can you provide us an update please? This is a blocking issue for us and we're stuck on version 4.0.1.
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    11 years ago
    Hi,

    This bug was prioritized for 4.6.3 release by the Product owner, but for some reason it did not make it. But it is still a top priority. Unfortunately, I can't make a definitive promise but hopefully it will be fixed in the next release.

    Regards,
    Shadid
    SmartBear Sweden
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    11 years ago
    Hi!

    Thanks for the walk around.
    I will remind our product owner about this issue again.
    Yes, a proper pull request will most likely increase your chances of getting it into the next release.

    --
    Regards

    Erik
    SmartBear Sweden
  • Richard_Garcia's avatar
    Richard_Garcia
    Occasional Contributor
    11 years ago
    Which branch should I choose? Maintenance? The master branch is already 5.0.0. I don't see a release-4.6.5 created yet.