Using WSSecurity Username Token Profile

Giovanni Mori

Apr 24, 2013, 11:15:21 AM
to sav...@googlegroups.com
I had to call the web services exposed by CMDBuild - http://www.cmdbuild.org/en
These WS are protected using WS Security Username Token Profile 1.0 with password digest, as defined here: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
I wrote this:
  require "savon"

  client = Savon.client do
    wsse_auth("cmdt", "mypass", :digest)
    wsse_timestamp(true)
    wsdl("http://chef11-node3:8080/cmdbuild/services/soap/Webservices?wsdl")
  end
but I received a SOAP authentication error:
<soap:Fault>
    <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        ns1:FailedAuthentication</faultcode>
    <faultstring>The security token could not be authenticated or authorized</faultstring>
</soap:Fault>

Comparing the SOAP envelope generated by Savon with the one obtained from SoapUI (which succeeded in calling the WS), I found some differences:
SoapUI:
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
            ci6Sr5b4TXfE0xY78c7lvSJN8LI=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
            m4yUYN7DNDziMu75D88RFQ==</wsse:Nonce>
Savon:
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
            NGZhODMxOTkzOGZiYjU2Yzc5NGQyNzEwMzMwMDdlNTgxM2U1MDVmZA==</wsse:Password>
        <wsse:Nonce>a350c2750179bf82a44648e4d9707ab73d688812</wsse:Nonce>

So I made some changes to the file wsse.rb (in the akami library):
[root@chef11-workstation akami]# diff wsse.rb.old wsse.rb
73c73
<       created_at || expires_at || @wsu_timestamp
---
>       false
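Review bot: hard-coding `false` here switches the wsu:Timestamp block off for every caller, regardless of the `wsse_timestamp(true)` set in the client configuration above. If the server rejects the Timestamp, remove `wsse_timestamp(true)` from the client instead of patching the library, and keep `created_at || expires_at || @wsu_timestamp` so callers that do need a Timestamp still get one.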
116c116
<           "wsse:Nonce" => nonce,
---
>           "wsse:Nonce" => Base64.encode64(nonce).chomp!,
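Review bot: Base64-encoding the nonce is the right direction, since the SoapUI envelope above sends it Base64-encoded, but that envelope also carries `EncodingType="...#Base64Binary"` on `<wsse:Nonce>`, which this hunk does not add. `Base64.strict_encode64(nonce)` is preferable to `Base64.encode64(nonce).chomp!`: `encode64` inserts a line break every 60 output characters and `chomp!` returns `nil` when there is nothing to strip, so the strict form avoids both surprises.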
172c172
<       Base64.encode64(Digest::SHA1.hexdigest(token)).chomp!
---
>       Base64.encode64(Digest::SHA1.digest(token)).chomp!
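Review bot: this is the substantive fix. The Username Token Profile defines PasswordDigest as Base64(SHA-1(nonce + created + password)) over the raw 20-byte hash; the 56-character value Savon sent above is the Base64 of the 40-character hex string, which a compliant server cannot match, while the 28-character SoapUI value is the Base64 of 20 raw bytes. The concatenation order of `token` is not visible in this hunk; it must be nonce, then created, then password, with the nonce as the same raw bytes that are Base64-encoded into `<wsse:Nonce>` at line 116.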
177c177
<       @nonce ||= Digest::SHA1.hexdigest random_string + timestamp
---
>       @nonce ||= Digest::SHA1.digest random_string + timestamp
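Review bot: using the raw SHA-1 bytes here is consistent with the Base64 encoding added at line 116, so the nonce hashed into the digest and the nonce sent on the wire are now the same bytes. Note the `||=`: the nonce is computed once per object, so a wsse object reused across requests would repeat its nonce, and a server that enforces nonce uniqueness (the profile's replay protection) will reject the second message; make sure a fresh nonce is generated per request.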

With these changes, I'm now able to call all the WS.
What do you think about it? Has anyone had the same problems?

Regards,
Giovanni
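
As an added example (not code from this thread, nor from the Savon or akami projects), the digest computation the profile and the patch above describe, in Ruby, together with the checks a server needs to verify such a token; the `UsernameToken` module name, its helper names, and the fixed nonce and password values are assumptions made for illustration:

```ruby
require "digest"
require "securerandom"
require "time"

# WS-Security Username Token Profile 1.0, password digest mode:
#   PasswordDigest = Base64( SHA-1( nonce + created + password ) )
# The nonce is hashed as raw bytes and sent Base64-encoded in <wsse:Nonce>;
# the SHA-1 output is Base64-encoded as raw bytes, never as a hex string.
module UsernameToken
  def self.b64(bytes)  = [bytes].pack("m0")   # strict Base64, no newline
  def self.unb64(text) = text.unpack1("m")    # lenient Base64 decode

  # Digest exactly as the profile defines it (20 raw bytes before Base64).
  def self.password_digest(nonce_bytes, created, password)
    b64(Digest::SHA1.digest(nonce_bytes.b + created.b + password.b))
  end

  # What the unpatched akami code produced: hex SHA-1 text, then Base64.
  # Kept only to show why the server rejected it (40 bytes, not 20).
  def self.hex_variant_digest(nonce_bytes, created, password)
    b64(Digest::SHA1.hexdigest(nonce_bytes.b + created.b + password.b))
  end

  # Client side: the four values placed in <wsse:UsernameToken>.
  def self.build(username, password, nonce: SecureRandom.random_bytes(16),
                 created: Time.now.utc)
    created_s = created.utc.iso8601                # e.g. 2013-04-24T11:15:21Z
    { username: username, nonce: b64(nonce), created: created_s,
      password_digest: password_digest(nonce, created_s, password) }
  end

  # Server side: recompute the digest, compare in constant time, and reject
  # stale Created values and reused nonces (the profile's replay protection).
  def self.verify(token, password_for, seen_nonces, now: Time.now.utc, max_age: 300)
    password = password_for[token[:username]]
    return false unless password
    created = Time.iso8601(token[:created]) rescue nil
    return false if created.nil? || (now - created).abs > max_age
    return false if seen_nonces.include?(token[:nonce])
    expected = password_digest(unb64(token[:nonce]), token[:created], password)
    return false unless constant_time_equal?(expected, token[:password_digest])
    seen_nonces << token[:nonce]
    true
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Decoding the two Password values quoted above shows the same mismatch the patch fixes: the SoapUI digest decodes to 20 bytes, the unpatched Savon one to 40.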

zero...@gmail.com

Jan 22, 2014, 10:42:26 AM
to sav...@googlegroups.com
Yes, I had the same issue and this solved it for me.

Thank you for the solution!

zero...@gmail.com

Feb 24, 2014, 9:30:48 AM
to sav...@googlegroups.com, zero...@gmail.com
I want to point out that the latest update to Akami seems to have most of these changes now.