sailaja17
17 years ago

SoapUI Security Issues

Hi Ole,

As discussed in the training class about the security configuration issues, please find the requested data and the files attached in this post.

We have developed web services implemented with JAX-WS. Our app server is JBoss 4.2.3. We use the JBossWS Metro 3.1.0 web services stack, which is made up of the following components:

* WSIT 1.3.1
* JAX-WS RI 2.1.4
* JAXB RI 2.1.9

We can successfully functional test our web services with SoapUI 2.5.1. That is: we can successfully send SoapUI-generated unsecured plaintext SOAP messages, without the WSIT security configuration on the service.

The issue is: we are using the Metro/WSIT framework to secure our web services messages. WSIT is based on WS-SecurityPolicy. According to previous posts to this forum, SoapUI 2.5.1 does not support WS-SecurityPolicy (see [1] & [2] below).

We have been able to configure SoapUI so that the SOAP request that SoapUI generates looks superficially right (see attached "soapui-generated_ws-security_soap_request_0.xml"). But when we send those SoapUI-generated WS-Security SOAP requests to our WS-SecurityPolicy service, the WS-Security SOAP message headers that SoapUI generated fail to meet the requirements of our WS-SecurityPolicy assertions (see attached "soap_response_to_soapui-generated_ws-security_0.xml"). SoapUI also reported an exception when I commanded it to send the request (see attached "Compression_algorithm_not_supported_exception.log").

As other posts to this forum suggest (see [1] & [2] below), instead of relying on the SoapUI-generated WS-Security headers (which don't work with our WS-SecurityPolicy service), we "manually" added the appropriate headers to the request (see attached "wsit_framework-generated_ws-securitypolicy_soap_request_0.xml"). SoapUI sent the manually-created request to our WS-SecurityPolicy service and the service replied to SoapUI with the attached response (see attached "soap_response_to_wsit_framework-generated_ws-securitypolicy_0.xml"). The problem is: although our manually-created WS-SecurityPolicy request was successfully processed by our WS-SecurityPolicy service, when our service passed the response back to SoapUI, SoapUI displayed the response, but SoapUI did not decrypt any of the encrypted payload that the service responded with.

Please, can you suggest either a full-fledged fix or some kind of work-around? Ideally, we would like to:

a) have SoapUI generate WS-SecurityPolicy-compatible SOAP header elements
b) have SoapUI display the decrypted SOAP response sent from our WS-SecurityPolicy service



[1] http://www.eviware.com/forums/http://ww ... 1488#p1488
[2] http://www.eviware.com/forums/http://ww ... 5590#p5590
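
Added example, not part of the original post or of SoapUI/Metro: a structural comparison of the WS-Security header in a tool-generated request against a known-good request, to show which protections the "superficially right" message lacks. The two envelopes are constructed samples (not the attachments mentioned above), and the function names are hypothetical; the check is structural only and does not evaluate a WS-SecurityPolicy document.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = ('xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
      'oasis-200401-wss-wssecurity-secext-1.0.xsd" '
      f'xmlns:xenc="{XENC}" xmlns:ds="{DSIG}"')

# Constructed samples: a username-token-only request and a signed+encrypted one.
TOOL_REQUEST = f"""<s:Envelope {NS}><s:Header><wsse:Security>
  <wsse:UsernameToken><wsse:Username>demo</wsse:Username></wsse:UsernameToken>
</wsse:Security></s:Header><s:Body><echo>hi</echo></s:Body></s:Envelope>"""
REFERENCE_REQUEST = f"""<s:Envelope {NS}><s:Header><wsse:Security>
  <xenc:EncryptedKey Id="ek"/>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
</wsse:Security></s:Header>
<s:Body><xenc:EncryptedData Id="ed"/></s:Body></s:Envelope>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]

def child(parent, name):
    # Match on local name so SOAP 1.1 and 1.2 envelopes are both handled.
    if parent is None:
        return None
    return next((c for c in parent if local(c) == name), None)

def security_profile(envelope_xml):
    env = ET.fromstring(envelope_xml)
    sec = child(child(env, "Header"), "Security")
    body = child(env, "Body")
    has_sec = sec is not None
    return {
        "tokens": [local(c) for c in sec] if has_sec else [],
        "signed_refs": [r.get("URI") for r in sec.iter(f"{{{DSIG}}}Reference")]
                       if has_sec else [],
        "body_encrypted": body is not None
                          and body.find(f"{{{XENC}}}EncryptedData") is not None,
    }

def missing_from(candidate_xml, reference_xml):
    cand, ref = security_profile(candidate_xml), security_profile(reference_xml)
    gaps = [f"missing header element: {t}"
            for t in ref["tokens"] if t not in cand["tokens"]]
    gaps += [f"unsigned part: {u}"
             for u in ref["signed_refs"] if u not in cand["signed_refs"]]
    if ref["body_encrypted"] and not cand["body_encrypted"]:
        gaps.append("body not encrypted")
    return gaps
```
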

1 Reply

  • millie
    Hi, I'm very new to creating secure web services, but I think your problem defines my problem.
    I have not been successful testing a secure web service in SoapUI. I'm using the GlassFish app server.

    Did you get a resolution?