question

Upvotes
Accepted
oliver.sherlock avatar image
1 1 1 2

Nonce causing invalid username token

The application I am integrating the webservice into generates a wsse security header containing a ‘Nonce’ attribute. As far as I’m aware, this is a standard element of wsse security.

It appears that the API refuses requests that contain Nonce in the UsernameToken. In order to work around this, I would have to create and implement a custom WSE policy assertion. This is not an issue in SOAP UI as one can fully customize the SOAP envelope, however I imagine this is quite restrictive for users attempting API integration in their applications.

Is there something you can do your side to prevent the webservice from rejecting requests with a superfluous nonce element?

Regards,

Oliver

world-checkscreeningauthenticationscreening-apitokensoap-api
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

4 Answers

Upvotes
Accepted
oliver.sherlock avatar image
1 1 1 2

I have taken matters into my own hands and gone the custom policy assertion route.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
kamil.cisewski avatar image
526 2 2 3

Hello @oliver.sherlock,

could you provide the HTTP data for your request and the XML that you are trying to create?

Best Regards

Kamil

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
oliver.sherlock avatar image
1 1 1 2

Hi Kamil, Sure.

XML REQUEST:

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><soap:Header><wsa:Action></wsa:Action><wsa:MessageID>urn:uuid:f707583f-5b4e-4dda-a2e9-abd673faf2d7</wsa:MessageID><wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsa:To>https://screeningpilot.accelus.com/pilot-v1/screener</wsa:To><wsse:Security soap:mustUnderstand="1"><wsu:Timestamp wsu:Id="Timestamp-eb600678-920a-4e4d-aa3e-77a6a636e4e2"><wsu:Created>2017-06-21T08:05:19Z</wsu:Created><wsu:Expires>2017-06-21T08:10:19Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-19"><wsse:Username>gazprom.api@gazprom-energy.com</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">accelus</wsse:Password><wsse:Nonce>Rr/9Oda3S6HYccRBPhzDeA==</wsse:Nonce><wsu:Created>2017-06-21T08:05:19Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><screen xmlns="http://screening.complinet.com/"><screenRequest xmlns=""><assigneeIdentifier>cnu_so_257</assigneeIdentifier><customId1>?</customId1><customId2>?</customId2><groupIdentifier>cng_so_177</groupIdentifier><name>Test</name><nameType>VESSEL</nameType></screenRequest></screen></soap:Body></soap:Envelope>


XML RESPONSE:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurityToken</faultcode><faultstring>An invalid security token was provided (An error happened processing a Username Token)</faultstring></soap:Fault></soap:Body></soap:Envelope>

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
oliver.sherlock avatar image
1 1 1 2

Worth noting that using SOAP UI I replicated the XML request but removed the nonce token, resulting in a successful response.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.