Forum Discussion

glapsvin
New Contributor
9 years ago

Mtom enable + signature = problem

Hi,

I have an mtom web service (data plus attachment).

When I sign the request (with Mtom NOT enabled) with sha1 certificate works (ws fails later due to attachment not being mtom). When I enable Mtom I get the following error (from Layer7 appliance):  Request WSS processing failed: Signature not valid. null
    Element #id-FF416124706A221E28145381632108039: Digest value mismatch: calculated: CcL4c1qcfzYWTyQipfSLlSVZ0sw=

 

Again all non MTOM webservices work and this one works till Mtom enabled = true is set.

 

All help or ideas greatly appreciated (tested with same results in soapui 5.00 and 5.2.1 as well as newest paid version)

 

Sincerely,

 

Help? Ideas?

6 Replies

  • varias
    New Contributor

    I think I found a solution (or work-around); I noticed that the request is changing slightly once it leaves SOAP UI:

     

    For example the original request may have a field like <payload>cid:147612301643</payload>

     

    But after it gets signed it then changes to <payload><inc:Include href="cid:147612301643" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></payload> which fails any hash check on a request since the signed message has been modified.

    But if you replace the original entry in SOAP UI with the latter (from the above examples), the message gets signed as is and passes the hash validation on the target server.

     

    Hope this helps,

     

    V
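The mismatch described in this reply, reproduced as an added example that is not part of the original thread and is not SoapUI, Layer7 or DataPower code. It assumes a constructed Body (the `<upload>` wrapper and `Id` value are made up) and uses the standard library's C14N 2.0 canonicalizer as a stand-in for the exclusive canonicalization a WS-Security stack would normally apply.

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize  # Python 3.8+

XOP_NS = "http://www.w3.org/2004/08/xop/include"
CID = "cid:147612301643"  # content id quoted in the thread

# Constructed sample Body: what the signer hashed (plain cid text in <payload>).
# The <upload> wrapper and the Id value are assumptions for illustration.
BODY_AS_SIGNED = (
    '<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'Id="id-1"><upload><payload>' + CID + "</payload></upload></soapenv:Body>"
)
# What leaves the client once MTOM packaging rewrites the payload element.
XOP_INCLUDE = f'<inc:Include href="{CID}" xmlns:inc="{XOP_NS}"/>'
BODY_ON_WIRE = BODY_AS_SIGNED.replace(CID, XOP_INCLUDE)


def digest(xml_text: str) -> str:
    """Base64 SHA-1 of the canonical XML, the shape of a ds:DigestValue."""
    canonical = canonicalize(xml_text)  # C14N 2.0 as a stand-in for exc-c14n
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()


def reference_valid(signed_digest: str, received_xml: str) -> bool:
    """Receiver side: recompute the digest over what arrived and compare."""
    return digest(received_xml) == signed_digest


def scenarios() -> dict:
    return {
        # MTOM off: the bytes that were signed are the bytes that arrive.
        "no_mtom": reference_valid(digest(BODY_AS_SIGNED), BODY_AS_SIGNED),
        # MTOM on: <payload> is rewritten after the digest was taken.
        "mtom_rewritten_after_signing": reference_valid(digest(BODY_AS_SIGNED), BODY_ON_WIRE),
        # Workaround: the Include element is already in the request when it is signed.
        "include_present_before_signing": reference_valid(digest(BODY_ON_WIRE), BODY_ON_WIRE),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'digest matches' if ok else 'digest value mismatch'}")
```

In this sketch the only digest input is the Body XML with its `cid:` reference; the attachment bytes never enter the hash.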

     

     

    • grb123
      New Contributor

      Yes this helps a Great Deal! Thanks, this solution works, I find I have to attach the file using the original WSDL format example first in order to set the Attachment Part to the generated partnumber (in example below) 147612301643 here:

      <payload>cid:147612301643</payload>

      Then once the file is attached, change this line in the request message to the following format (your example is correct as is :)

      <payload><inc:Include href="cid:147612301643" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></payload>

       

      DataPower then does successfully verify the signed message/attachment. Presumably the problem we're fixing is a minor bug in SOAPUI signing-MTOM-attachments, which needs to be addressed in a future release.

       

      Many thanks for your speedy reply...

       

      Regards Gavin Bayfield

      • grb123
        New Contributor

        Still confused around whether the SOAPUI MTOM Client we have 'working' is ACTUALLY Signing the Attachment Or Not?

        On the Server side, we're successfully Verifying the SOAP WSSEC Digital Signature passed in, but suspect the Enclosed Attachment is NOT part of the SOAPUI-Generated Signature - in other words, SOAPUI is/can ONLY in effect sign the Body (so the XML Infoset being processed does not include a Base64Binary component representing the attachment)??

        Can SmartBear pls clarify the Signing Attachment Capabilities for MTOM Support in SOAPUI please??

         

        Regards Gavin Bayfield

  • varias
    New Contributor

    Hi,

     

    I have pretty much the same issue. I have an MTOM (enabled) attachment in a request where I am using a signature as authentication.

     

    I get an error of "hash values do not match" on the server I am connecting to which means that the request was altered after the request was digitally signed.

     

    I think SOAP UI is signing the request and then altering the request in some way when setting up the request with the MTOM attachment.

     

    This error does not occur when the attachment is embedded into the request. Only when the attachment is MTOM enabled and the request digitally signed.

     

    Hopefully there is a solution or some setting I am missing.

     

    Thanks,

     

    V

     

     

    • grb123
      New Contributor

      Hi, I too have in essence the same problem - I can confirm SOAPUI does successfully sign the SOAP Message Body and DataPower can Verify this message np - however for a MTOM Service setup in SOAPUI this same SOAPUI Digital Signing ONLY works if there is actually NO Attachment included in request message - When MTOM attachment (multipart message) fails as Hash Values differ! I suspect this is because SOAPUI is NOT actually Signing the Attachment Part? Can SmartBear confirm this please?

      Does the Professional Version work in this Scenario? Please Advise?

       

      Thanks & Regards Gavin Bayfield