Recent posts:
Recent replies:

Hi Ralf,
unfortunately you did not provide the policy.

It should look like this: (in Wizard, pick "Username Authentication over SSL/TLS" - leave everything else on the defaults!)

<cfg:configuration xmlns:cfg="http://www.intersystems.com/configuration" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsp="http://www.w3.org/ns/ws-policy" name="service">
  <cfg:service classname="[your webservice-class]">
    <wsp:Policy>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken11/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <wsap:UsingAddressing/>
    </wsp:Policy>
  </cfg:service>
</cfg:configuration>

In SOAPUI, enable WS-Addressing. Below the request-message there is a small button-line starting with [Auth] ... here you also find [WS-A] where you can find a checkbox to enable it.
Add the WS-A to the request. Right click on the request-message -> "WS-A headers"-> "Add WS-A headers".
Right click on request-message you can Add "WSS UsernameToken" and "WS-Timestamp" if you do not have configured that otherwise in general.

This works for me.

Please note: SOAP-logging (with "iosv" flags) is always a good help.

HTH,
Bernd

Currently, there is no API to request a new session cookie.

If we wished to implement this in the absence of any real security concern it would need to be scheduled by our product management and as en enhancement.

So far you have not suggested any compelling reason to do this.

Do you have an example of a valid attack against CSP?

Sorry, but I still do not see a general CSP related vulnerability problem here.

Please let us continue in WRC problem you've already opened for this same question recently.

Thanks and kind regards,
Bernd

to clarify. You have 3 possibilities:
- mg-dbx is a 3rd party product/connector (similar cache<nnnn>.node, iris<nnnn>.node, see next)
- cache<nnnn>.node, iris<nnnn>.node is InterSystems "legacy" node.js adaptor/connector. I don't know how long we will support it in future.
- Native API for node.js. This is InterSystems latest node.js API, recommended for new developments.
  See here: https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=PA...

Followers:
Bernd has no followers yet.
Following:
Global Masters badges:
Bernd has no Global Masters badges yet.