Bug? WS authentication only accepts lowercase SHA-1

I am working with OpenClinica 3.2 with WS; connecting from a Java program.

Since I do not have experience with Spring I tried to avoid using the whole stack just for authentication in the WS and I generated the client classes with CXF and JAXB.

I calculated the SHA-1 of the password using an online generator (it is a development machine) and found that if I wrote the SHA-1 string in uppercase it did not work, which is odd (the SHA-1 is just the hexadecimal representation of a number, so in general it does not matter if it is uppercase or lowercase).

I have searched the forum and the only reference I can find is here: https://forums.openclinica.com/discussion/comment/8262#Comment_8262; which is pretty old.

I think this should be fixed or at the very least documented.



  • toskriptoskrip Posts: 240 ✭✭

    I would not call it a bug although it could be explicitly documented. For authentication purposes OC needs to compare two String representations of user password hash. One that you provided in SOAP call and one which was read from database. Equality comparison of Strings in Java is always case sensitive. If you would look into the database you would see that the password hashes are persisted in smaller case and this would be your hint that SOAP would also require small case hashes.

  • Snoopy76Snoopy76 Posts: 12
    toskrip said:

    Equality comparison of Strings in Java is always case sensitive.

    No it is not.

    And even if you cannot for some reason use the `equalsIgnoreCase` method, the conversion to lower case should be done server side.

  • toskriptoskrip Posts: 240 ✭✭
    should or could... by default the comparison is case sensitive, no reason to discuss this any further. You can create an issue ticket in OC jira if you are unhappy about such behaviour however be aware that SOAP services are not actively developed any more so it is very unlikely to expect any changes there.

  • Snoopy76Snoopy76 Posts: 12
    About your last comment on SOAP services not being actively developed... Does that mean that if I plan to add new services / methods it would be better (or easier to integrate) if I used REST?
  • ccollinsccollins Posts: 360 admin
    Yes, the SOAP services are in maintenance-only mode so adding new REST services is the way to go as far as getting changes merged into the main branch.
Sign In or Register to comment.