Feb 13, 2011

Invoking A Secured Web Service With soapUI

soapUI is very useful and handy when it comes to testing web services. Although it is pretty straight forward to test a normal web service using soapUI, testing a secured service requires some additional steps.

In this article, I will walk you through the steps on how to configure the soapUI to invoke a secured service.

I will be using the sample HelloService which is shipped with WSO2 Application Server.

First let's set up soapUI for invoking this service without any security.

- Access the WSDL of the service through the Application Server Management Console and save it to the file system. The WSDL will be accessible from the following URL.


[ If you are running it on localhost with default ports, then it will be http://localhost:9763/services/HelloService?wsdl. ]

- Create a new project in SOAPUI pointing to the WSDL of the service. ( File -> New Project )

- Try invoking the 'greet' operation of the 'HelloService' using the generated request after adding a parameter value. You can use either the SOAP11 binding or SOAP12 binding.

- Now you will get a response from the HelloService.

Now we have got the basic setup working. As the next step, let's secure the service.

In this post, I am using a policy which enforces the following requirements and constraints.
  • Using Asymmetric Binding
  • Including the Time Stamp in the request
  • Signing the SOAP body
  • Using Basic-256 algorithmic suit

To start configuring the security for the service, click on the 'Security' link of the QoS section of HelloService dashboard.

Based on the requirements defined above, we can use the security scenario #2 for this post.

To keep things simple, lets use the default primary key store shipped with Carbon, wso2carbon.jks, as the key store and the trust store.

Now everything is set up at the service's end. If you invoke the service using the previous request, you will get a SOAP fault with the error 'Missing wsse:Security header in request'. Since the service is secured, now all the requests to that service should be secured according to the security policy enforced by the service.

Now let's start configuring soapUI to communicate with the HelloService in a secured manner.

- Open the 'Project View' of the project. (Right click on the project -> select 'Show Project View)

- Now select the 'Security Configurations' tab.

There will be three configuration tabs under the 'Security Configurations' tab for configuring out-flow security, in-flow security and key stores/certificates.

First let's configure key stores and certificates used in this scenario. Since the policy uses an asymmetric binding, the request should be signed using the private key of the client. And the service signs the response with its private key. So it is required to set up a key store with the client's private key and a trust store with the service's public certificate installed. As the client side key store and trust store, I am using the same wso2carbon.jks which was used for securing the service.

[ Note : I am using the same key store at the client's end as well as in the service's end to keep this post more concise by eliminating the additional steps required to setup different key stores for both ends. ]

- Go to the 'Keystores/Certificates' tab and click on '+' sign to add a new key store. Point to the key store in the file system. (In AS distribution, this key store is available under the  resources/security directory. )

- Enter the key store password when prompted. [The default key store password for wso2carbon.jks is 'wso2carbon'. ]

- Now the added key store will be listed in the key stores list.

- Since we are using our private key to sign the message, we need to point to the private key using its alias and provide the private key password. Edit the 'Default Alias' and 'Alias Password' columns manually and press 'Enter'. [ For wso2carbon.jks, default alias is wso2carbon and alias password is wso2carbon ]

Now let's configure the Out-flow security. Switch to the 'Outgoing WS-Security Configurations' tab.

First add a new security configuration for out-flow security. soapUI allows you to define multiple security configurations, and pick one of them for each out going request. Just click on the '+' sign right below the 'Outgoing WS-Security Configurations' tab and create a new security configuration.

Set the 'Must Understand' value of the security header to true by ticking the 'Must Understand' check box.

Now let's add different bottom WSS elements to this newly created security configuration.

First let's add a time stamp element.

Click on the '+' sign in top left corner of the bottom tab. (Please make sure that the out flow security configuration you just added is selected at this moment.)

Select the 'Timestamp' as the element type from the prompted drop-down box.

Now set the TTL (Time to Live) value for the time stamp. In this case, I have set it to 300000 milli seconds which is considered as the default time stamp validity period.

Now let's add another WSS element for getting SOAP body signed. This time, select the element type as 'Signature'.

Next, it is required to configure this element accordingly. Use the following values for this configuration.

Key Store - The key store with the private key [wso2carbon.jks]

Alias - private key alias [wso2carbon]

Password - private key password [wso2carbon]

Key Identifier Type - Binary Security Token [Since the policy uses 'AlwaysToRecipient' as the value of the IncludeToken attribute of the InitiatorToken assertion, it is required to include the X.509 certificate in the request. In this case, let's include it as a BST.]

Signature Algorithm - Select 'Default' or 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

Signature Canonicalization - Select 'Default' or 'http://www.w3.org/2001/10/xml-exc-c14n#'

Use Single Certificate - Set 'true'

Parts - Add a new sign part for SOAP body. For that use the following values

ID - [keep it as blank]
Name - Body
Encode - Content

After configuring the signature element, it will look something similar to the following.

Now we are done with the out-flow security configuration.

Now let's set up the inflow security for the responses. For that select the 'Incoming WS-Security Configurations' tab.

Click on the '+' sign to add a new security configuration.

In the created inflow security configuration, set the trust store [wso2carbon.jks] as the signature key store and its password [wso2carbon].

Now we have successfully configured the inflow security as well.

Now save the project.

Now let's try sending a request to the HelloService with the security configurations we have set up few moments ago.

Select the 'Authentication and Security Related Settings' option from the bottom panel of the Request window.

Then select the 'Incoming WSS' and 'Outgoing WSS' configurations.

Then you need to disable the pretty print option for responses. Otherwise, the signature validation of the response will be failed. Select the 'Pretty Print' option from the Request Properties and set its value to false.

Now try invoking the 'greet' operation of the HelloService. You will get a secured response. Also the security processing results will be displayed in the 'WSS' section of the response.

So we have successfully invoked a secured service with soapUI.

In this post, we looked at using soapUI to sign a part of the request. In our next post, let's try to use soapUI for invoking a service which enforces some encryption requirements in addition to integrity requirements.


Manikadan said...

grt post!

ultimate99 said...

how to invoke a secure Axis2 web service with BPEL?

ultimate99 said...

How to invoke a secure Axis2 web service with BPEL?

rulo said...

I followed all steps and i get:

[2011-07-18 16:23:28,694] ERROR {org.apache.axis2.engine.AxisEngine} - Message is not signed
org.apache.axis2.AxisFault: Message is not signed

rulo said...

I followed all the steps and i get:

[2011-07-18 16:23:28,694] ERROR {org.apache.axis2.engine.AxisEngine} - Message is not signed
org.apache.axis2.AxisFault: Message is not signed

Piyush said...

I followed all the steps and m gettin :

[2011-09-29 07:09:01,130] ERROR - AxisEngine Message is not signed
org.apache.axis2.AxisFault: Message is not signed
..please can anyone help me on this..

suresh said...

Hi All,
If you guys are using SoapUI 4.X , you have to select a Digest algorithm, leaving it to cases to Message not signed error.

Laurent Even said...

Hi all,

I followed this tutorial and I've got this error :
org.apache.axis2.AxisFault: Error in getting password for user : "wso2carbon"

suresh : I've configured a digest algorithm

I tried to create my own certificate and I also got this error.

Any helps??


Innovapath said...

Excellent Post. Also visit http://whiteboxqa.com/selenium.

Post a Comment