Wednesday, 11 February 2015

JMeter - Generating WSS UsernameToken with PasswordDigest, Noonce and Timestamp

Recently, I was tasked to do some performance testing for a web service that was using WSS UsernameToken for authentication. So illustration purposes, it looked like so:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="">


<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="" xmlns:wsu="">

<wsse:UsernameToken xmlns:wsse="" xmlns:wsu="" wsu:Id="UsernameToken-76C2EC437437B987531423677905104107">
<wsse:Password Type="">c/QVFZ+qsKvL3bDJzPkp/pmYpjY=</wsse:Password>
<wsse:Nonce EncodingType="">4o1vEGk5DLAWyV9TufAKDQ==</wsse:Nonce>



At first, you would think that JMeter would already have generation of the header present - but unfortunately, that is not the case. You have to use a BeanShell PreProcessor to generate this header. The solution presented here uses two additional jars, that have to be added to the lib folder in JMeter:

  1. wss4j-1.6.12.jar
  2. xmlsec-1.5.7.jar
Now you must add a BeanShell Preprocessor to your HTTP Request. Ensure that you have the ${noonce} placeholder within the security tag of the soap header. Our preprocessor will fill this with the username token.

Finally, attach the following script to the BeanShell Preprocessor:


  1. This comment has been removed by the author.

  2. This comment has been removed by the author.