Forum Discussion

glapsvin's avatar
glapsvin
New Contributor
9 years ago

Mtom enable + signiture = problem

Hi ,

I have an mtom web service (data plus attachment).

WhenI sign the request  ( with Mtom NOT enabled) with sha1 certificate certificate works (ws fails later due to attachment not being mtom). When I enable Mtom I get the following error ( from Layer7 appliance):  Request WSS processing failed: Signature not valid. null
    Element #id-FF416124706A221E28145381632108039: Digest value mismatch: calculated: CcL4c1qcfzYWTyQipfSLlSVZ0sw=

 

Again all non MTOM webservices work and this one works till Mtom enabled = true is set.

 

All help or ideas greatly appreciated ( tested with same results in soapui 5.00 and 5.2.1 as well as newest paid version)

 

Sincerely,

 

Help? Ideas?

  • varias's avatar
    varias
    New Contributor

    I think I found a solution (or work-around); I noticed that the request is changing slightly once it leaves SOAP UI:

     

    For example the original request may have a field like <payload>cid:147612301643</payload>

     

    But after if gets signed it then changes to <payload><inc:Include href="cid:147612301643" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></payload> which fails any hash check on a request since the signed message has been modified.

     

    But if you replace the original entry in SOAP UI with the later (from the above examples), the message gets signed as is and passes the hash validation on the target server.

     

    Hope this helps,

     

    V

     

     

    • grb123's avatar
      grb123
      New Contributor

      Yes this helps a Great Deal !  Thanks, this solution works, I find I have to attach the file using the original WSDL format

      example first in order to set the Attachment Part to the generated partnumber (in example below) 147612301643 here:

      <payload>cid:147612301643</payload>

      Then once the file is attached, change this line in the request message to the following format (your example correct as is :)

      <payload><inc:Include href="cid:147612301643" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></payload>

       

      DataPower then does then successfully verify the signed message/attachment - Presumably the problem we're fixing is a minor bug in SOAPUI signing-MTOM-attachments, which needs to be addressed in a future release.

       

      Many thanks for your speedy reply...

       

      Regards Gavin Bayfield

      • grb123's avatar
        grb123
        New Contributor

        Still confused around whether the SOAUP MTOM Client we have 'working' is ACTUALLY Signing the Attachment Or Not ?

        On the Server side, we're successfully Verifying the SOAP WSSEC Digital Signature passed in, but suspect the Enclosed Attachment is NOT part of the SOAPUI-Generated Signature- in other words, SOAPUI is/can ONLY in effect sign the Body (so the XML Infoset being processed does not include a Base64Binary component representing the attachment) ??

         

        Can SmartBear pls clarify the Signing Attachment Capabilities for MTOM Support in SOUPUI please ??

         

        Regards Gavin Bayfield

  • varias's avatar
    varias
    New Contributor

    Hi,

     

    I have pretty much the same issue. I have an MTOM (enabled) attachment in a request where I am using a signiture as authentication.

     

    I get an error of "hash values do not match" on the server I am connecting to which means that the request was altered after the request was digitally signed.

     

    I think SOAP UI is signing the request and then altering the request in some way when setting up the request with the MTOM attachment.

     

    This error does not occur when the attachment is imbeded into the request. Only when the attchament is MTOM enabled and the request digitally signed.

     

    Hopefully there is a solution or some setting I am missing.

     

    Thanks,

     

    V

     

     

    • grb123's avatar
      grb123
      New Contributor

      Hi I too have in essence the same problem - I can confirm SOAPUI does succesfully sign the SOAP Message Body and DataPower can Verify this message np - however for a MTOM Service setup in SOAPUI this same SOAPUI Digital Signing ONLY works if there is actually NO Attachment included in request message - When MTOM attachment (multipart message_ fails as Hash Values differ ! I suspect this is because SOAPUI is NOT actually Signing the Attachment Part >? Can SmartBear confirm this please ?

       

      Does the Professional Version work in this Scenario  ? Please Advise ?

       

      Thanks & Regards Gavin Bayfield