Forum Discussion

New Contributor

9 years ago

Retrieve HTTP Digest Data from WWW-Authenticate header in 401 Response from Server

Hi Everyone, I'm trying to build a test case to test HTTP digest authentication. The basic idea is to send an HTTP GET request without Authorization header first and calculate the digest response...

bgafg01-ts_soapui_171027_2.pcap860 KB

Serbija-Telekom-AFG-Test-Project-PA2-soapui-project.xml7 KB

HTTP digest

SoapUI

PaulMS

Super Contributor

9 years ago

Based on some stackoverflow answers a possible solution is splitting the WWW-Authenticate header by comma, then put each key value pair in a map collection.

https://stackoverflow.com/questions/45361721/groovy-digest-authentication

https://stackoverflow.com/questions/1757065/java-splitting-a-comma-separated-string-but-ignoring-commas-in-quotes

See if this groovy script sets the property values that you want.

import org.apache.commons.codec.digest.DigestUtils

def user = "sip:381117508016@ims.telekomsrbija.com";
def pass = "bzlops16";
def request = testRunner.testCase.testSteps["HTTP_Get_FirstHit"].testRequest;
def headerauth = request.response.responseHeaders["WWW-Authenticate"][0];

def values = headerauth.split(',(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)', 0);
def map = [:];
values.eachWithIndex {it, index ->
	def pair = values[index].tokenize('=')
	map.put(pair[0].trim(), pair[1].trim().replace('"',''))
}

def realm = map["Digest realm"];
def qop = map["qop"];
def nonce = map["nonce"];
def opaque = map["opaque"];

def method = request.getMethod()
def uri = request.getEndpoint();
def response = md5(user, realm, pass, method, uri, nonce);
log.info response

def md5(user, realm, pass, method, String uri, nonce) {
def A1 = DigestUtils.md5Hex ("$user:$realm:$pass")
def A2 = DigestUtils.md5Hex ("$method:$uri")
DigestUtils.md5Hex ("$A1:$nonce:$A2")
}

def init = testRunner.testCase.getTestStepByName( "Properties" );
 init.setPropertyValue( "realm", realm);
 init.setPropertyValue( "nonce", nonce);
 init.setPropertyValue( "opaque", opaque);
 init.setPropertyValue( "response", response);
 init.setPropertyValue( "uri", uri);

asherhancong

New Contributor

9 years ago

Hi Paul,

Thx a lot for your kind and detailed reply. The groovy script your shared is working fine and digest response is successfully calculated.

But when it comes to send the request again with Authorization Header, the server keeps replying 401 with new nonce challenge. the updated project and Wireshark trace are as attached.

bgafg01-ts_soapui_171101_3.pcap367 KB

Serbija-Telekom-AFG-Test-Project-PA5-soapui-project.xml7 KB

PaulMS
Super Contributor
9 years ago
A couple of things to add.

One property value was missing in the groovy script

init.setPropertyValue( "qop", qop);

Close bracket was missing after ${Properties#opaque" in the request Authorization header

The request Raw tab is an easy way to check the header to see if anything is missing

Forum Discussion

Retrieve HTTP Digest Data from WWW-Authenticate header in 401 Response from Server

Recent Discussions

Signature\Encryption tags missing in Security Header

CVE-2024-7565 and CVE-2017-16670 vulnabilities

Vulnerabilities found in SoapUI 5.9.1

Related Content

Retrieving a cookie from response header using Groovy

Digest Authentication with X-WWW-Authenticate

automating OAuth2 token retrieval