Contributions
WS Security UsernameToken – PasswordDigestExt and Base64

Hi all,

The password digest of the UsernameToken when using the SOAPUI PasswordDigestExt has an extra base64 encoding when compared to the OASIS standard.

See line 174 of the OASIS UsernameToken: https://www.oasis-open.org/committees/d ... rofile.pdf

“Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )”

Whereas SOAPUI PasswordDigestExt is

Password_Digest = Base64 ( SHA-1 ( nonce + created + Base64(SHA1(password)) ) )

See line 80: https://github.com/SmartBear/soapui/blo ... Entry.java

“password = Base64.encode( sha.digest() );”

This means that Web Services that implement WS-Security as per the OASIS standard will error with the SOAPUI version of the PasswordDigestExt, as it’s not expecting the SHA1(password) to be Base64 encoded.

Regards,
John

WS Security doc and source code differ - SHA1 / MD5

Hi all,

In the WS Security documentation http://www.soapui.org/SOAP-and-WSDL/app ... urity.html there is

"Password Type: This specifies how the password should be serialized. The PasswordDigestExt option is non-standard and should only be used for interop issues where the message receiver desires an extra MD5 Hash of the password."

However in the source code (version 4.6.1) there is in line 80

"password = Base64.encode( sha.digest() );"

https://github.com/SmartBear/soapui/blo ... Entry.java

Regards,
John
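
The two digest forms compared in the first post above, computed side by side for the same inputs so a receiver can tell which one a client sent. This is an added example, not part of the original posts and not SoapUI's code; the function names and sample values are constructed, and it assumes the nonce is carried Base64-encoded with its decoded bytes hashed.

```python
import base64
import hashlib
import hmac


def b64_sha1(data: bytes) -> str:
    """Base64 of the raw 20-byte SHA-1 digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """OASIS form: Base64(SHA-1(nonce + created + password))."""
    # Assumption: the nonce travels Base64-encoded and its decoded bytes are hashed.
    nonce = base64.b64decode(nonce_b64)
    return b64_sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))


def password_digest_ext(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigestExt form from the post: the password is first replaced by
    Base64(SHA-1(password)), then the standard digest is computed."""
    pre_hashed = b64_sha1(password.encode("utf-8"))
    return password_digest(nonce_b64, created, pre_hashed)


def classify(received: str, nonce_b64: str, created: str, password: str) -> str:
    """Tell a receiver which of the two forms a client sent."""
    candidates = (("standard", password_digest), ("ext", password_digest_ext))
    for name, fn in candidates:
        if hmac.compare_digest(received, fn(nonce_b64, created, password)):
            return name
    return "mismatch"


# Constructed sample values, not taken from any real exchange.
NONCE = base64.b64encode(bytes(range(16))).decode("ascii")
CREATED = "2024-01-01T00:00:00Z"
PASSWORD = "example-password"

if __name__ == "__main__":
    std = password_digest(NONCE, CREATED, PASSWORD)
    ext = password_digest_ext(NONCE, CREATED, PASSWORD)
    print("standard:", std, "->", classify(std, NONCE, CREATED, PASSWORD))
    print("ext:     ", ext, "->", classify(ext, NONCE, CREATED, PASSWORD))
```

A service that only implements the standard form rejects the `ext` value even though the password is correct, which is the interop failure the first post reports.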