ChristianB
Contributor
12 years ago

Where to specify the request template used in security tests

Hi everybody,

I use a SOAP project and am running SoapUI 4.6.4.

When I set up a security test, that test seems to be based on the default/plain request template as it gets generated from the WSDL. The problem with that is that the question mark (?) place-holders are everywhere - as are optional XML elements - and when there is a choice of elements, all of them get sent as well. (So the request is violating the schema, even before SoapUI has manipulated a single parameter in it yet.)

How can I specify which template my test should use, so I can ensure default values are used for those elements that my security scan isn't manipulating? How do I manage to send a request that hasn't got question marks and superfluous elements everywhere?

Kind regards,

Christian

2 Replies

  • PaulDonny
    Regular Contributor
    Christian, this is something I often considered and pondered as well. The reasoning, I believe, is that if SoapUI displays the values as null it will just have the XML as <ns1:example/> all across the testStep. If you want to change them to null, or a default property, just manually edit them or parse them using Groovy prior to passing them.

    I have posted Java code on the forum elsewhere that does handle this and it should work within Groovy to be able to handle what you need. However, my Java uses things like HashMaps where you will have to edit the code and have it use a property or DataSink within SoapUI. Here is some sample code.



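    import java.util.HashMap;
    import java.util.Map;
    import org.w3c.dom.Node;
    import org.w3c.dom.NodeList;
    import com.eviware.soapui.support.xml.XmlUtils;

    // Fields of the enclosing class. These are the HashMaps mentioned above;
    // populate them from a property or DataSink within SoapUI.
    static Map<String, String> config = new HashMap<>();   // keyed by lower-case operation name
    static Map<String, String> loopers = new HashMap<>();  // lower-case element name -> repeat count

    // Call site: parse the operation's first request and walk its nodes.
    NodeList nodes = XmlUtils.parseXml(operation.getRequestAt(0).getRequestContent()).getChildNodes();
    parseNodes(nodes, operation.getName());

    static void parseNodes(NodeList nodeList, String testName) {
        for (int i = 0; i < nodeList.getLength(); i++) {
            Node childNode = nodeList.item(i);
            String name = childNode.getLocalName();
            if (name != null && !name.equals("null") && config.containsKey(testName.toLowerCase())) {
                String key = name.toLowerCase();
                if (loopers.containsKey(key)) {
                    System.out.println(loopers.get(key));
                    int count = Integer.parseInt(loopers.get(key));
                    // Insert `count` deep copies in front of the element, then drop the original.
                    // Note: nodeList is live, so these edits shift the indices seen by the outer loop.
                    for (int j = 0; j < count; j++) {
                        Node clone = childNode.cloneNode(true);
                        childNode.getParentNode().insertBefore(clone, childNode);
                    }
                    childNode.getParentNode().removeChild(childNode);
                    loopers.remove(key);
                }
            }
            // Recurse into the element's children.
            NodeList children = childNode.getChildNodes();
            if (children != null) {
                parseNodes(children, testName);
            }
        }
    }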




    What this code does is 2 things:

    1) Uses a "loopers" map to change the XML where multiple are allowed. It's rather barbaric in the way it handles it since that function was a test function that I no longer use.

    2) Uses a properties map to grab the information from and insert into the XML based on the name of the XML tag. I am now using an XPath based system, I would suggest you do the same.
  • Hi Paul,

    Thank you for sharing! I have found out that, after a restart and when running the Security Test (i.e. all Security Scans from top, though I have only tested this with one scan present), it did pick up the underlying TestStep's request (prepared to be valid and working, with no unnecessary clutter) and just manipulated the nodes (parameters) I had specified....
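
An added example (not code from this thread or from SoapUI) of the approach suggested above, preparing the request with Groovy and XPath before the scan runs: it fills chosen elements by XPath, then drops every remaining `?` placeholder together with any container the removal leaves empty, so only one branch of a choice is sent. The `pruneTemplate` helper, the sample request and its element names are constructed for illustration; only JDK XML APIs are used.

```groovy
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.transform.*
import javax.xml.transform.dom.DOMSource
import javax.xml.transform.stream.StreamResult
import javax.xml.xpath.*
import org.xml.sax.InputSource

// Hypothetical helper: apply defaults by XPath, then strip leftover "?" placeholders.
String pruneTemplate(String xml, Map<String, String> defaults) {
    def dbf = DocumentBuilderFactory.newInstance()
    dbf.namespaceAware = true
    dbf.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true) // reject DTDs in test input
    def doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
    def xpath = XPathFactory.newInstance().newXPath()
    def select = { String expr ->
        def nl = xpath.evaluate(expr, doc, XPathConstants.NODESET)
        (0..<nl.length).collect { nl.item(it) }   // snapshot, safe to modify the tree while iterating
    }
    defaults.each { expr, value -> select(expr).each { it.textContent = value } }
    select("//*[local-name()='Body']//*[not(*) and normalize-space(.)='?']").each { node ->
        def parent = node.parentNode
        parent.removeChild(node)
        // Walk up: a container emptied by the removal goes too, but never Body or an element with attributes.
        while (parent.localName != 'Body' && !parent.hasAttributes() &&
               parent.getElementsByTagName('*').length == 0 && !parent.textContent.trim()) {
            def up = parent.parentNode
            up.removeChild(parent)
            parent = up
        }
    }
    def out = new StringWriter()
    def t = TransformerFactory.newInstance().newTransformer()
    t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, 'yes')
    t.transform(new DOMSource(doc), new StreamResult(out))
    out.toString()
}

// Constructed sample: WSDL-style template with placeholders, an optional element and a two-way choice.
def template = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:example">
  <soapenv:Body><ns1:getOrder>
    <ns1:orderId>?</ns1:orderId>
    <ns1:comment>?</ns1:comment>
    <ns1:byEmail><ns1:address>?</ns1:address></ns1:byEmail>
    <ns1:byPhone><ns1:number>?</ns1:number></ns1:byPhone>
  </ns1:getOrder></soapenv:Body>
</soapenv:Envelope>'''
println pruneTemplate(template, ["//*[local-name()='orderId']": '1001',
                                 "//*[local-name()='address']": 'test@example.com'])
```

With the defaults shown, the printed request keeps `orderId` and the `byEmail` branch and omits `comment` and `byPhone`.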