Why we need WS Security:
WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services.While doing Web Services/ SOA Testing, one has to make sure that the services are secured enough. Proper authorization and authorization needs to be implemented for web sercvices. Lacking of this can provide access to data and non public information of an organization to outside world.
WS Security can be implemented by creating different security policies. In this post, let us see how can we test WS Security using username and password token of a web service using soapUI.
Steps:
Double click on the test request from the test steps. Navigate to the tab "Auth" at the bottom of the request.
Add New Authorization
Type Basic
Give the username, password and domain.
Now go to the XML version of the request, right click there. Click on the tab "Add WSS Username Token. Select "Password Text" to send the password in plain text or select "Password Digest" to use an encrypted password.
You might also right click and select "Add WS-Timestamp" to add a creation/ expiration time stamp to the security header.This will create an entry like the one below under the <Security> element for the request.
Sample Request payload:
<soapenv:Envelope xmlns:emp="http://www.emp.test" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-81CB99D5C318DB117215815012695444">
<wsu:Created>2020-02-12T09:54:29.543Z</wsu:Created>
<wsu:Expires>2020-02-12T09:55:29.543Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-81CB99D5C318DB117215815007891653">
<wsse:Username>wsstest</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">wsstest12</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WfBcHW3uJNb82JstzP17tg==</wsse:Nonce>
<wsu:Created>2020-02-12T09:46:29.165Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<emp:requestHeader>
<!--Optional:-->
<emp:User>user1</emp:User>
<!--Optional:-->
<emp:Id>id1</emp:Id>
</emp:requestHeader>
</soapenv:Header>
<soapenv:Body>
<emp:EmployeeRequest>
<emp:EmpId>1</emp:EmpId>
<emp:EmpName>en</emp:EmpName>
<emp:Address>ad</emp:Address>
</emp:EmployeeRequest>
</soapenv:Body>
</soapenv:Envelope>
WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services.While doing Web Services/ SOA Testing, one has to make sure that the services are secured enough. Proper authorization and authorization needs to be implemented for web sercvices. Lacking of this can provide access to data and non public information of an organization to outside world.
WS Security can be implemented by creating different security policies. In this post, let us see how can we test WS Security using username and password token of a web service using soapUI.
Steps:
Double click on the test request from the test steps. Navigate to the tab "Auth" at the bottom of the request.
Sample Request payload:
<soapenv:Envelope xmlns:emp="http://www.emp.test" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-81CB99D5C318DB117215815012695444">
<wsu:Created>2020-02-12T09:54:29.543Z</wsu:Created>
<wsu:Expires>2020-02-12T09:55:29.543Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="UsernameToken-81CB99D5C318DB117215815007891653">
<wsse:Username>wsstest</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">wsstest12</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WfBcHW3uJNb82JstzP17tg==</wsse:Nonce>
<wsu:Created>2020-02-12T09:46:29.165Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<emp:requestHeader>
<!--Optional:-->
<emp:User>user1</emp:User>
<!--Optional:-->
<emp:Id>id1</emp:Id>
</emp:requestHeader>
</soapenv:Header>
<soapenv:Body>
<emp:EmployeeRequest>
<emp:EmpId>1</emp:EmpId>
<emp:EmpName>en</emp:EmpName>
<emp:Address>ad</emp:Address>
</emp:EmployeeRequest>
</soapenv:Body>
</soapenv:Envelope>
No comments:
Post a Comment