thatsthat
Contributor
2 years ago

After upgrade to ReadyAPI 3.4.6 all of my requests are failing as security header is no longer sent

Strangest issue.

I upgraded to ReadyAPI 3.4.6 ( Build Date: 2023-05-11T09:29:01Z(1) 133f67b0fdcf5ba2d9e5ef029887969c5d7e454d) today.

I have about 2000 API requests pointing to my company's API ... and they all fail now where they were working minutes before on the previous version.

I loaded up a copy of Soap UI .. the same requests work fine in that application.

I traced it down to the fact that the wsse:Security header entry (the portion below) is no longer being sent when I make requests .. hence why my server keeps returning 'Invalid Password' .. is there a setting in the Preferences that may have been altered during upgrade?

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="TS-27295C8A48F4535CD416844900173494">
      <wsu:Created>2023-05-19T09:53:37Z</wsu:Created>
      <wsu:Expires>2023-05-19T09:58:37Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:UsernameToken wsu:Id="UsernameToken-27295C8A48F4535CD416844900173493">
      <wsse:Username>voyagefr*xml</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CJC6te4IDurZ0iuBNQrMC61YAJ0=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">23PO9w4F3jqveObVUcMDlw==</wsse:Nonce>
      <wsu:Created>2023-05-19T09:53:37.349Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
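Added example, not part of the original post and not ReadyAPI code: a Python check that a captured outgoing request still carries the wsse:UsernameToken shown above and, given the expected password, that the PasswordDigest equals Base64(SHA-1(nonce + created + password)) as the WSS UsernameToken Profile 1.0 defines it. The function names, the SOAP 1.1 envelope namespace and the sample credentials are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {  # soapenv URI assumes SOAP 1.1; the page does not show it
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "wssecurity-secext-1.0.xsd",
    "wsu": WSS + "wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = WSS + "username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), per UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_wsse(request_xml, expected_password=None):
    """Return a list of problems in a captured outgoing SOAP request."""
    root = ET.fromstring(request_xml)
    token = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return ["no wsse:UsernameToken in soapenv:Header"]
    problems, fields = [], {}
    for name in ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"):
        el = token.find(name, NS)
        if el is None or not (el.text or "").strip():
            problems.append("missing " + name)
        else:
            fields[name] = el.text.strip()
    pw = token.find("wsse:Password", NS)
    if expected_password and not problems and pw.get("Type") == DIGEST_TYPE:
        want = password_digest(fields["wsse:Nonce"], fields["wsu:Created"], expected_password)
        if want != fields["wsse:Password"]:
            problems.append("PasswordDigest does not match expected password")
    return problems

def build_sample(with_header, password="constructed-pw"):
    """Constructed sample request (not captured traffic, not the page's values)."""
    nonce, created = base64.b64encode(b"constructed-nonce").decode(), "2023-05-19T09:53:37Z"
    header = ""
    if with_header:
        header = (
            f'<soapenv:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<wsse:UsernameToken><wsse:Username>demo-user</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}'
            f'</wsse:Password><wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soapenv:Header>')
    return f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}">{header}<soapenv:Body/></soapenv:Envelope>'
```

Run `check_wsse` over the raw request text from before and after the upgrade; an empty list means the token is present and complete.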
  • bobkaine
    New Contributor

    I'm receiving the exact same error after upgrading from 3.10.1 to 3.46.1.
    Did you ever figure out what was causing this behavior, how to fix it?

    • thatsthat
      Contributor

      Hi bobkaine - no solution yet; I raised a ticket with support on May 19th .. they just got back to me June 6th and I have followed up with them again earlier this week and they said they are still investigating. As soon as I hear of a solution I will post here. Has to be some global setting that has changed. The APIs use WS-Security ( https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss ) so wondering if it is specific to this?

  • barto
    New Contributor

    bobkaine thatsthat - I've just had and sorted the issue we were having, hopefully this helps you too. 

    Before 3.4.0 the combination of request properties and environment managed the attributes to set the WS-Security attributes you needed. Since the upgrade you now need to set that in the WS-Security config. For our API it meant I needed to add a new entry in Outgoing WS-Security Configurations for every application credential for every environment and I added in just the Username attribute so it could take that username, password, nonce, password type and must understand which were the attributes our application wanted.

    This is the documentation from ReadyAPI on how to add the WS-Security attributes.

    • thatsthat
      Contributor

      Hi barto and bobkaine 

      FYI .. this 'problem' is fixed in the next release of Ready API 3.5 which will come out in a week's time. I never implemented the solutions proposed by you (I am confident they would work!) as I am not advanced enough to get it going .. good news the software will handle this again natively.

  • I am now seeing this in the logs:

    Fri May 19 21:50:56 AEST 2023: ERROR: An error occurred [Cannot invoke "org.w3c.dom.Element.getFirstChild()" because "parent" is null], see error log for details

    2023-05-19 21:50:56,501 ERROR [errorlog] java.lang.NullPointerException: Cannot invoke "org.w3c.dom.Element.getFirstChild()" because "parent" is null
    java.lang.NullPointerException: Cannot invoke "org.w3c.dom.Element.getFirstChild()" because "parent" is null
    at org.apache.wss4j.dom.util.WSSecurityUtil.prependChildElement(WSSecurityUtil.java:354) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
    at org.apache.wss4j.dom.message.WSSecUsernameToken.prependToHeader(WSSecUsernameToken.java:198) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
    at org.apache.wss4j.dom.message.WSSecUsernameToken.build(WSSecUsernameToken.java:229) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
    at org.apache.wss4j.dom.message.WSSecUsernameToken.build(WSSecUsernameToken.java:235) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
    at com.eviware.soapui.impl.wsdl.submit.filters.WssAuthenticationRequestFilter.setWssUsernameToken(WssAuthenticationRequestFilter.java:146) ~[ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.filters.WssAuthenticationRequestFilter.setWssHeaders(WssAuthenticationRequestFilter.java:81) ~[ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.filters.WssAuthenticationRequestFilter.filterWsdlRequest(WssAuthenticationRequestFilter.java:60) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.filters.AbstractRequestFilter.filterAbstractHttpRequest(AbstractRequestFilter.java:40) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.filters.AbstractRequestFilter.filterRequest(AbstractRequestFilter.java:34) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.filterRequest(HttpClientRequestTransport.java:420) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.followRedirects(HttpClientRequestTransport.java:369) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:261) [ready-api-soapui-3.46.0.jar:3.46.0]
    at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:130) [ready-api-soapui-3.46.0.jar:3.46.0]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
  • bobkaine
    New Contributor
    Seems likely. I get the error when I right-click in the header of the XML, select “Add WSS Username Token”, and select either PasswordText or PasswordDigest from the drop-down, and click “Ok”. I can “Add WS-Timestamp” without issue.
    Hope that helps.
    • thatsthat
      Contributor

      No news yet mate .. been waiting weeks now .. I emailed them to advise to look at this thread to demonstrate that others have the same problem.