JGodfrey
11 years ago · New Contributor
WS Security UsernameToken – PasswordDigestExt and Base64
Hi all,
The password digest of the UsernameToken when using the SOAPUI PasswordDigestExt has an extra base64 encoding when compared to the OASIS standard.
See line 174 of the OASIS UsernameToken:
https://www.oasis-open.org/committees/d ... rofile.pdf
“Password_Digest = Base64 ( SHA-1 (nonce + created + password ) )”
Whereas SOAPUI PasswordDigestExt is
Password_Digest = Base64 ( SHA-1 (nonce + created + Base64(SHA1(password)) ) )
See line 80:
https://github.com/SmartBear/soapui/blo ... Entry.java
“password = Base64.encode( sha.digest() );”
This means that Web Services that implement WS-Security as per the OASIS standard will error with the SOAPUI version of the PasswordDigestExt, as they are not expecting the SHA1(password) to be Base64 encoded.
Regards,
John
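An added example, not part of the original post or SoapUI's code: the two formulas quoted above computed side by side, plus a check that tells which one produced a digest observed in a rejected request. The function names and sample values are constructed for illustration; the code assumes the nonce is Base64-decoded before hashing and that created and password are UTF-8 encoded.

```python
import base64
import hashlib
import hmac


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def oasis_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the formula quoted from the OASIS profile."""
    nonce = base64.b64decode(nonce_b64)  # assumption: the raw nonce bytes are hashed
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return _b64(hashlib.sha1(material).digest())


def ext_digest(nonce_b64: str, created: str, password: str) -> str:
    """Variant described in the post: the password is first replaced by Base64(SHA1(password))."""
    prehashed = _b64(hashlib.sha1(password.encode("utf-8")).digest())
    return oasis_digest(nonce_b64, created, prehashed)


def classify(nonce_b64: str, created: str, password: str, observed: str) -> str:
    """Return which formula yields the observed digest: 'oasis', 'ext' or 'unknown'."""
    candidates = (
        ("oasis", oasis_digest(nonce_b64, created, password)),
        ("ext", ext_digest(nonce_b64, created, password)),
    )
    for name, expected in candidates:
        # Constant-time comparison, as a verifier should use for credentials.
        if hmac.compare_digest(expected.encode(), observed.encode()):
            return name
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    nonce = _b64(b"constructed-nonce")
    created = "2015-01-01T00:00:00Z"
    password = "example-password"
    sent = ext_digest(nonce, created, password)
    print("OASIS digest:", oasis_digest(nonce, created, password))
    print("Ext digest:  ", sent)
    print("Digest sent matches:", classify(nonce, created, password, sent))
```

A service that verifies only the OASIS formula recomputes the first value, so a request carrying the second fails authentication even though the password is correct.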