tilln / jmeter-wssecurity

WS-Security Plugin for JMeter
MIT License

Support for UsernameToken - Password Type - No Password #11

Closed richman555 closed 6 years ago

richman555 commented 6 years ago

Hi, I have been trying to use jmeter ws-security plugin to digitally sign Body, UsernameToken, and Timestamp of our security headers and our WSS4J SOAP endpoints have UsernameToken securement validation for 'No Password'. This means that the password xml fields cannot be present in the UsernameToken portion of the xml.

For example:

<wsse:UsernameToken>
    <wsse:Username>${username}</wsse:Username>
</wsse:UsernameToken>

I have verified that this is supported by Spring 4.x and its WSS4J implementation using the following application context configuration.

<bean id="wsSecurityUserNameToken" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
        <property name="securementActions" value="UsernameToken"/>
        <property name="securementUsername" value="username"/>
        <property name="securementPassword" value=""/>
        <property name="securementPasswordType" value="PasswordNone"/>
        <property name="securementTimeToLive" value="300"/>
        <property name="futureTimeToLive" value="60"/>
</bean>

In LoadRunner configuration we can achieve it using PasswordOptions as SendNone:

web_service_set_security(
    SECURITY_TOKEN, "Type=PFX", "LogicalName=PFXFileToken1", "FilePath=mykeystore.p12", "FilePassword=C0mpa5", "Add=False",
    SECURITY_TOKEN, "Type=USERNAME", "LogicalName=UsernameToken1", "UserName=username", "Password=Password", "PasswordOptions=SendNone", "IsNonceIncluded=False", "Add=True",
    MESSAGE_SIGNATURE, "UseToken=PFXFileToken1", "SignatureOptions=IncludeBody|IncludeTimestamp", "TransformAlgorithm=http://www.w3.org/2001/10/xml-exc-c14n#", "CanonicalizationAlgorithm=http://www.w3.org/2001/10/xml-exc-c14n#",
    TIME_STAMP, "Exclude=False",
    LAST);

Lastly, I notice that WSS4J's WSConstants contains UT_NOPASSWORD, which I believe is the same setting.

Is there any way to achieve the same using the jmeter ws security plugin?

I have made various attempts using the Username preprocessor with no success. I have also tried to add username fields to the raw body of the message but without the password fields present, it will not sign it.

Any help or advice is much appreciated as we would like to use jmeter with ws-security to load test our endpoints.

Thanks for your help!

tilln commented 6 years ago

I'll only be able to look into implementing this after the Xmas holidays.

However, when you manually add the username token it should be signed, provided you include it in the "Parts to Sign" list.

The example below works for me:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:UsernameToken>
                <wsse:Username>${username}</wsse:Username>
            </wsse:UsernameToken>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <yourContentsHere/>
    </soap:Body>
</soap:Envelope>

Name           Namespace                                                                            Encode
Body           http://schemas.xmlsoap.org/soap/envelope/
UsernameToken  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

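As an added check (example code, not part of this thread and not the plugin's own code), the script below inspects a captured envelope the way the answer above and the Spring bean in the question suggest: it confirms the UsernameToken is the no-password form (the WSS4J UT_NOPASSWORD / Spring PasswordNone case), lists which wsu:Id-bearing elements the ds:Signature references so a missing "Parts to Sign" entry shows up, and applies the 300 s / 60 s timestamp windows from the Spring bean as an assumed receiver-side policy. The sample envelope, its wsu:Id values and its placeholder digest and signature values are constructed; the check is structural only and does not verify the XML signature cryptographically.

```python
"""Structural checks on a WS-Security header of a captured SOAP request.
Added example, not code from the jmeter-wssecurity plugin. It checks the
no-password UsernameToken form, which parts the ds:Signature references, and
Timestamp freshness. It does NOT verify digests or the SignatureValue; use a
real XML-DSig verifier for that."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample envelope; DigestValue/SignatureValue are placeholders, not real crypto.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2019-01-10T10:00:00Z</wsu:Created>
        <wsu:Expires>2019-01-10T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>jmeter-user</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#UT-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#Body-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><yourContentsHere/></soap:Body>
</soap:Envelope>"""

# Constructed variants for the two failure modes discussed in the thread:
# the token present in the header but left out of "Parts to Sign", and a
# token that carries a Password element when the endpoint expects none.
SAMPLE_UT_NOT_SIGNED = SAMPLE.replace(
    '<ds:Reference URI="#UT-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>', "")
SAMPLE_WITH_PASSWORD = SAMPLE.replace(
    "</wsse:Username>",
    '</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-username-token-profile-1.0#PasswordText">s3cret</wsse:Password>')


def parse(xml_text):
    return ET.fromstring(xml_text)


def username_token_password_type(root):
    """'none' when the UsernameToken has no Password element (PasswordNone /
    UT_NOPASSWORD); otherwise the suffix of the Password Type attribute
    (PasswordText is the profile's default when Type is absent)."""
    ut = root.find(".//wsse:UsernameToken", NS)
    if ut is None:
        raise ValueError("no wsse:UsernameToken in Security header")
    if ut.find("wsse:Username", NS) is None:
        raise ValueError("UsernameToken without wsse:Username")
    pw = ut.find("wsse:Password", NS)
    if pw is None:
        return "none"
    return pw.get("Type", "").rsplit("#", 1)[-1] or "PasswordText"


def signed_parts(root):
    """Map each ds:Reference URI to the local name of the wsu:Id element it
    points to (None if the id is unresolved). Coverage only, no digest check."""
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    parts = {}
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        parts[uri] = target.tag.split("}")[-1] if target is not None else None
    return parts


def missing_signed_parts(root, required=("Body", "UsernameToken", "Timestamp")):
    """Required parts that no ds:Reference covers, e.g. a UsernameToken added
    to the raw body but not listed under 'Parts to Sign'."""
    covered = {name for name in signed_parts(root).values() if name}
    return sorted(set(required) - covered)


def _parse_utc(value):
    if isinstance(value, datetime):
        return value
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported timestamp format: %r" % (value,))


def timestamp_is_fresh(root, now, ttl_seconds=300, future_ttl_seconds=60):
    """Assumed receiver policy mirroring the 300 s / 60 s values of the Spring
    bean in the question: Created may lead 'now' by at most future_ttl_seconds,
    must not be older than ttl_seconds, and Expires (or Created+ttl) must be
    in the future. 'now' may be a datetime or an ISO-8601 'Z' string."""
    ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False
    now = _parse_utc(now)
    created = _parse_utc(ts.findtext("wsu:Created", namespaces=NS))
    expires_text = ts.findtext("wsu:Expires", namespaces=NS)
    expires = _parse_utc(expires_text) if expires_text else created + timedelta(seconds=ttl_seconds)
    if created - now > timedelta(seconds=future_ttl_seconds):
        return False  # created too far in the future (clock skew beyond tolerance)
    if now - created > timedelta(seconds=ttl_seconds):
        return False  # older than the time-to-live window
    return expires > now


if __name__ == "__main__":
    env = parse(SAMPLE)
    print("password type:", username_token_password_type(env))
    print("signed parts:", signed_parts(env))
    print("missing:", missing_signed_parts(parse(SAMPLE_UT_NOT_SIGNED)))
    print("fresh:", timestamp_is_fresh(env, "2019-01-10T10:01:00Z"))
```

Run it against an envelope captured from JMeter's "View Results Tree" (request body) to confirm the header reached the wire as intended; the `signed_parts` mapping is the quickest way to see whether a manually added UsernameToken was actually covered by the signature.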
richman555 commented 6 years ago

Thank you for your prompt response!

We will try your suggestion and get back to you as I believe we had tried this solution and it didn't work (could be an error on our part). We will confirm it and respond back.

Have a great holiday!

richman555 commented 6 years ago

Thanks tilln, we have been able to get this working by adding UsernameToken and Timestamp in the headers as you suggested. We did use a bean preprocessor in order to set the create and expire times for the timestamp. This workaround works completely for us for now. A Timestamp preprocessor and UsernameToken preprocessor 'No Password' support would be great items for consideration in the future. :)

Thanks for your help!

tilln commented 6 years ago

@richman555 That's good to hear. Check out the 1.5 snapshot release which includes a Timestamp preprocessor.

richman555 commented 6 years ago

@tilln Thanks for your help; I will definitely try the Timestamp preprocessor that is in the snapshot as well. I didn't realize this feature was in the pipeline. For now I will close out this issue, and if you decide to add a No Password feature for a UsernameToken in the future I would be happy to help. Thanks again, this plugin is very helpful!

tilln commented 6 years ago

Added to 1.5-SNAPSHOT

@richman555 since you offered to help - this could use some testing...

richman555 commented 6 years ago

@tilln Thanks! We will take this snapshot and be testing it today. We will report back with our results. Thanks again for your help!

richman555 commented 6 years ago

@tilln Just an update that we have been using the 1.5-SNAPSHOT (using UsernameToken and Timestamp preprocessor) all week without any issues found with our web service calls. Just making you aware that we have been testing with the snapshot. Thanks for your help!