View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010451 | CTT UA Scripts | 1 - Script Issue | public | 2025-07-26 08:34 | 2025-08-08 19:52 |
| Reporter | Sebastian Allmendinger | Assigned To | Sebastian Allmendinger | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 1.04.508 | ||||
| Summary | 0010451: Security User Name Password 006.js test fails with SecurityPolicyNone and empty password | ||||
| Description | If SecurityPolicyNone is used, no serverNonce is appended to the password field according to: UserNameIdentityToken: https://reference.opcfoundation.org/Core/Part4/v104/docs/7.36.4 Test case expects ActivateSessionRequest to fail as the serverNonce is missing. However, that is standard behaviour if SecurityPolicyNone is used and the request should succeed. Of course, SecurityPolicyNone is not recommended to be used but, as I understand it, the v1.04 specifications don't forbid using it. Could the test case take into account the used security policy and, for example, not run the test if SecurityPolicyNone is used or then allow success in that case? As an additional thing, the test could use the configured password so that it really tests the missing serverNonce and doesn't succeed because BadUserAccessDenied is returned. | ||||
| Steps To Reproduce | Have user with empty password configured in UACTT settings. | ||||
| Additional Information | Actually the product version that I'm using seems to be 1.04.11.508 but that wasn't available in the drop down. Wireshark log and test log attached. | ||||
| Tags | No tags attached. | ||||
| Files Affected | /maintree/Security/Security User Name Password/Test Cases/006.js | ||||
| related to | 0009813 | resolved | Sebastian Allmendinger | CTT UA Test Case | Security User Name Password 006.js test fails with SecurityPolicyNone and empty password |

Agreed in call that the nonce needs to be included; we believe this means no script changes.

This issue may require another discussion before closing it. Part 4, 7.41.4 UserNameIdentityToken; Part 4, 7.41.2.2 Legacy Encrypted Token Secret Format.

After additional review - the nonce only needs to be included in some cases - this testing becomes much more complicated to cover all cases (probably additional test cases) - but for this specific test a simple update is ok.

A note has been added to the description of the test case, explaining that Good may be a valid result. In case of an unencrypted password, the expectation has been updated to Good (in case empty pw is correct), Bad_UserAccessDenied or Bad_UserIdentityTokenRejected. Also a Recommendation has been added that an unencrypted password should never be used.

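
The behaviour discussed in the notes above, as an added example (not CTT script code and not OPC Foundation code): how the UserNameIdentityToken password field differs between an encrypted token (length, password, serverNonce) and an unencrypted one (raw password, no nonce), and why a server can only detect a missing nonce in the encrypted case. The function names, the omission of the actual encryption step, and the status returned for a bad nonce are assumptions; the status names follow the spelling used in the notes.

```javascript
// Added example. Plaintext layout of the legacy token secret before encryption:
//   UInt32 little-endian length | password bytes | serverNonce
// The asymmetric encryption/decryption step is omitted (assumption: done elsewhere).
function buildPasswordField(password, serverNonce, encryptionAlgorithm) {
  const pw = Buffer.from(password, "utf8");
  if (!encryptionAlgorithm) return pw; // unencrypted: raw UTF-8 password, no nonce
  const len = Buffer.alloc(4);
  len.writeUInt32LE(pw.length + serverNonce.length, 0);
  return Buffer.concat([len, pw, serverNonce]);
}

// Server-side check of the decrypted secret, or of the raw field when unencrypted.
// A real server would compare against a stored credential hash; the plain
// comparison here keeps the example short.
function checkPasswordField(field, serverNonce, encryptionAlgorithm, expectedPassword) {
  let pw = field;
  if (encryptionAlgorithm) {
    if (field.length < 4) return "Bad_UserIdentityTokenRejected";
    const len = field.readUInt32LE(0);
    // The length must cover exactly the rest of the field and leave room for the nonce.
    if (len !== field.length - 4 || len < serverNonce.length) {
      return "Bad_UserIdentityTokenRejected";
    }
    const nonce = field.subarray(field.length - serverNonce.length);
    if (!nonce.equals(serverNonce)) return "Bad_UserIdentityTokenRejected";
    pw = field.subarray(4, field.length - serverNonce.length);
  }
  return pw.toString("utf8") === expectedPassword ? "Good" : "Bad_UserAccessDenied";
}

// Constructed sample values, not taken from the attached Wireshark log.
const sampleNonce = Buffer.alloc(32, 0xab);
const sampleAlgorithm = "http://www.w3.org/2001/04/xmlenc#rsa-oaep";

// Empty password, no encryption: nothing distinguishes "nonce missing" from "valid".
console.log(checkPasswordField(buildPasswordField("", sampleNonce, ""), sampleNonce, "", ""));
// Encrypted token whose plaintext carries no nonce: rejected.
console.log(checkPasswordField(Buffer.alloc(4), sampleNonce, sampleAlgorithm, ""));
```
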
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-07-26 08:34 | Sebastian Allmendinger | New Issue | |
| 2025-07-26 08:34 | Sebastian Allmendinger | Status | new => assigned |
| 2025-07-26 08:34 | Sebastian Allmendinger | Assigned To | => Sebastian Allmendinger |
| 2025-07-26 08:34 | Sebastian Allmendinger | Issue generated from: 0009813 | |
| 2025-07-26 08:34 | Sebastian Allmendinger | Note Added: 0023163 | |
| 2025-07-26 08:34 | Sebastian Allmendinger | Note Added: 0023164 | |
| 2025-07-26 08:34 | Sebastian Allmendinger | Note Added: 0023165 | |
| 2025-07-26 08:34 | Sebastian Allmendinger | Relationship added | related to 0009813 |
| 2025-07-26 09:17 | Sebastian Allmendinger | Files Affected | => /maintree/Security/Security User Name Password/Test Cases/006.js |
| 2025-08-08 19:52 | Sebastian Allmendinger | Status | assigned => resolved |
| 2025-08-08 19:52 | Sebastian Allmendinger | Resolution | open => fixed |
| 2025-08-08 19:52 | Sebastian Allmendinger | Note Added: 0023217 | |