Wednesday, February 12, 2020

12c SOA - How to use WS Security username and Password policy for Web Services in soapUI

Why we need WS Security:
WS-Security (Web Services Security, WSS for short) is a flexible and feature-rich extension to SOAP for applying security to web services. When doing Web Services/SOA testing, one has to make sure that the services are adequately secured. Proper authentication and authorization need to be implemented for web services. Without them, an organization's data and non-public information can be exposed to the outside world.
WS-Security can be implemented by creating different security policies. In this post, let us see how to test the WS-Security username and password token of a web service using soapUI.

Steps:
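1. Double-click the test request in the test steps. Navigate to the "Auth" tab at the bottom of the request.
2. Select "Add New Authorization".
3. Choose the type "Basic".
4. Enter the username, password and domain.
5. Now go to the XML view of the request and right-click there. Click "Add WSS Username Token". Select "Password Text" to send the password in plain text, or select "Password Digest" to send a SHA-1 digest of the password (computed together with the nonce and creation time) instead of the password itself. With "Password Text" the password is readable by anyone who can see the message, so send such requests over HTTPS only.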


You can also right-click and select "Add WS-Timestamp" to add a creation/expiration timestamp to the security header. This creates an entry like the one below under the <Security> element of the request.

Sample Request payload:
<soapenv:Envelope xmlns:emp="http://www.emp.test" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsu:Timestamp wsu:Id="TS-81CB99D5C318DB117215815012695444">
            <wsu:Created>2020-02-12T09:54:29.543Z</wsu:Created>
            <wsu:Expires>2020-02-12T09:55:29.543Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken wsu:Id="UsernameToken-81CB99D5C318DB117215815007891653">
            <wsse:Username>wsstest</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">wsstest12</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WfBcHW3uJNb82JstzP17tg==</wsse:Nonce>
            <wsu:Created>2020-02-12T09:46:29.165Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
      <emp:requestHeader>
         <!--Optional:-->
         <emp:User>user1</emp:User>
         <!--Optional:-->
         <emp:Id>id1</emp:Id>
      </emp:requestHeader>
   </soapenv:Header>
   <soapenv:Body>
      <emp:EmployeeRequest>
         <emp:EmpId>1</emp:EmpId>
         <emp:EmpName>en</emp:EmpName>
         <emp:Address>ad</emp:Address>
      </emp:EmployeeRequest>
   </soapenv:Body>
</soapenv:Envelope>
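
The "Password Digest" option from step 5, seen from the service side, as an added example that is not part of the original post: the digest is Base64(SHA-1(nonce + created + password)), and the receiver recomputes it, checks that Created is fresh and rejects a reused nonce. The `UsernameTokenVerifier` class, its five-minute window and its in-memory nonce cache are assumptions for illustration; the username, password, nonce and Created value are taken from the sample payload.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce_bytes + created + password)), UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenVerifier:
    """Hypothetical server-side check: freshness, digest match, nonce replay."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords  # username -> password (constructed store)
        self.max_age = max_age      # assumed acceptance window for <wsu:Created>
        self.seen = set()           # (username, nonce) already accepted; unbounded here

    def verify(self, username, digest_b64, nonce_b64, created, now):
        password = self.passwords.get(username)
        if password is None:
            return "unknown-user"
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
        if abs(now - ts.replace(tzinfo=timezone.utc)) > self.max_age:
            return "stale"
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest_b64):  # constant-time compare
            return "bad-digest"
        if (username, nonce_b64) in self.seen:
            return "replay"
        self.seen.add((username, nonce_b64))
        return "ok"


if __name__ == "__main__":
    # Username, password, nonce and Created copied from the sample payload.
    nonce, created = "WfBcHW3uJNb82JstzP17tg==", "2020-02-12T09:46:29.165Z"
    digest = password_digest(nonce, created, "wsstest12")
    verifier = UsernameTokenVerifier({"wsstest": "wsstest12"})
    now = datetime(2020, 2, 12, 9, 47, tzinfo=timezone.utc)  # constructed clock
    print(digest)
    print(verifier.verify("wsstest", digest, nonce, created, now))  # first use
    print(verifier.verify("wsstest", digest, nonce, created, now))  # same nonce again
```

The digest protects the password value but not the message, so a captured token stays usable until the freshness window closes unless the nonce cache is shared by every node that accepts requests.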
