This will be the last 'hands-on' article about testing an Oracle WSM setup with SoapUI. I have posted about two other examples here and here. In this example Oracle WSM is configured to verify the signature of the incoming SOAP message (request) and to add a digital signature to the outgoing message (response). How to arrange this in Oracle WSM is described in the book, so I won't describe that here. What I will show is how to set up SoapUI to test the OWSM setup.
The WSDL for which I created a new project in SoapUI is:

XML:
<definitions name="TimeService" targetNamespace="urn:Test:TimeService" xmlns:tns="urn:Test:TimeService" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/">
   <message name="getTime0SoapIn">
      <part name="format" type="xsd:string"/>
   </message>
   <message name="getTime0SoapOut">
      <part name="Result" type="xsd:string"/>
   </message>
   <portType name="TimeServiceSoap">
      <operation name="getTime" parameterOrder="format">
         <input name="getTime0SoapIn" message="tns:getTime0SoapIn"/>
         <output name="getTime0SoapOut" message="tns:getTime0SoapOut"/>
      </operation>
   </portType>
   <binding name="TimeServiceSoap" type="tns:TimeServiceSoap">
      <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
      <operation name="getTime">
         <soap:operation soapAction="getTime" style="rpc"/>
         <input name="getTime0SoapIn">
            <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         </input>
         <output name="getTime0SoapOut">
            <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         </output>
      </operation>
   </binding>
   <service name="TimeService">
      <port name="TimeServiceSoap" binding="tns:TimeServiceSoap">
         <soap:address location="http://localhost:3115/gateway/services/SID0003004"/>
      </port>
   </service>
</definitions>

The verification of the SOAP request is configured in Oracle WSM like this:

To have SoapUI add a signature to the outgoing request I took the following steps:

  • added my keystore to the project:

  • added a configuration step called 'SignRequest' to the project as Outgoing WS-Security Configuration:
  • added a configuration step called 'verifySignature' to the project as Incoming WS-Security Configuration:
  • configured the SOAP request with which the OWSM is tested:

Now with all this in place I sent the request and received the following response:

XML:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault</faultcode>
         <faultstring>WS-Security process failure:null</faultstring>
         <detail/>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It took some time before I realized the error was not my configuration of SoapUI. In the log file of OWSM I found this stack trace:

2009-01-17 20:23:03,452 WARNING [HTTPThreadGroup-8] wssecurity.SecurityBaseStep - Failure while applying XML Security
java.lang.NullPointerException
at oracle.security.xmlsec.util.XMLNode.removeChild(Unknown Source)
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:538)
at com.cfluent.policysteps.security.wssecurity.VerifyStep.performXmlSecurity(VerifyStep.java:147)
at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
at com.cfluent.pipelineengine.container.DefaultPipeline.execute(DefaultPipeline.java:97)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.execute(DefaultPolicy.java:63)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.access$300(DefaultPolicy.java:18)
at com.cfluent.pipelineengine.container.DefaultPolicy.execute(DefaultPolicy.java:126)
at com.cfluent.pipelineengine.container.PipelineContainer.execute(PipelineContainer.java:114)
at com.cfluent.agent.Agent.intercept(Agent.java:123)
at com.cfluent.agent.AgentRuntime.intercept(AgentRuntime.java:200)
at com.cfluent.pipelineengine.util.PolicyInvoker.execute(PolicyInvoker.java:30)
at com.cfluent.pipelineengine.util.InvokerChain.execute(InvokerChain.java:30)
at com.cfluent.gateway.Invoker.execute(Invoker.java:118)
at com.cfluent.gateway.listener.ProtocolListener$ListenerTask.run(ProtocolListener.java:272)
at com.cfluent.gateway.listener.ProtocolListener.invoke(ProtocolListener.java:110)
at com.cfluent.gateway.listener.GatewayRuntime.invoke(GatewayRuntime.java:32)
at com.cfluent.gateway.listener.http.HttpListener.invoke(HttpListener.java:30)
at com.cfluent.gateway.listener.http.ServicesServlet.handlePost(ServicesServlet.java:34)
at com.cfluent.common.servlet.BaseServlet.doPost(BaseServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)

Now this appears to be a bug (5897046) in OWSM as discussed here. Unfortunately I do not have access to MetaLink at the moment, so I cannot check for solutions or patches. The workaround I used was to skip the deletion of the signature in the incoming request:

Now when I send the request I get the response as expected:

XML:
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="_b5MY1ev1b2sj4s0nZL2VDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
         <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:SignedInfo>
               <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <dsig:Reference URI="#519sSPHD1xaC8TcH23RKyA22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>lzj1qOFAUqEnuIqM2VGOfLDJ1x8=</dsig:DigestValue>
               </dsig:Reference>
               <dsig:Reference URI="#42uhaWCT0QoDrDGlwKsyZA22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>8qR3lN2UDPj2EknUuxaf5Xf+8Ic=</dsig:DigestValue>
               </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>g9S4GajLoXFtNkLJHRDponTv3ubZe432onBI0xfqHQ1zqtt2lalDwnyxbitBjbLaBcu94Fr0FeL7vst50e6KoujrAwt3lCT3sCsKBnvTFZKRKicKf6AdqAkq+d2PyIr0w2gpGJD5ejot8HaYUhJyXI/ogPiYxUmHqXkJVGcZzQ0=</dsig:SignatureValue>
            <dsig:KeyInfo>
               <wsse:SecurityTokenReference wsu:Id="_Gn6xvVFEyg5rUp3hrpAfYg22" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <wsse:Reference URI="#_b5MY1ev1b2sj4s0nZL2VDg22"/>
               </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
         </dsig:Signature>
         <wsu:Timestamp wsu:Id="42uhaWCT0QoDrDGlwKsyZA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2009-01-19T10:09:33Z</wsu:Created>
         </wsu:Timestamp>
      </wsse:Security>
   </soap:Header>
   <soap:Body wsu:Id="519sSPHD1xaC8TcH23RKyA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <n:getTimeResponse xmlns:n="urn:Test:GetTime">
         <result xsi:type="xsd:string">11:09 AM</result>
      </n:getTimeResponse>
   </soap:Body>
</soap:Envelope>
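
A signed response like the one above can also be checked structurally on the client side: each dsig:Reference should resolve to exactly one element by wsu:Id, and the soap:Body itself should be among the signed parts. The following is an added example, not part of the original post or of SoapUI/OWSM; the function names are hypothetical, the sample envelope is constructed (a trimmed stand-in that reuses the Ids from the response above), and digests and the signature value are not verified.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "dsig": DSIG}
WSU_ID = "{%s}Id" % WSU

def sample(body_id="519sSPHD1xaC8TcH23RKyA22"):
    # Constructed, trimmed envelope; body_id lets a test simulate an unsigned Body.
    return ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:dsig="%s">'
            '<soap:Header><wsse:Security><dsig:Signature><dsig:SignedInfo>'
            '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
            '<dsig:Reference URI="#519sSPHD1xaC8TcH23RKyA22"/>'
            '<dsig:Reference URI="#42uhaWCT0QoDrDGlwKsyZA22"/>'
            '</dsig:SignedInfo></dsig:Signature>'
            '<wsu:Timestamp wsu:Id="42uhaWCT0QoDrDGlwKsyZA22"/>'
            '</wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="%s"/></soap:Envelope>') % (SOAP, WSSE, WSU, DSIG, body_id)

def audit_signed_parts(envelope_xml):
    """Return (local names of signed elements, findings).
    Structural check only: digests and the signature value are not verified."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        if WSU_ID in el.attrib:
            by_id.setdefault(el.attrib[WSU_ID], []).append(el)
    sig = root.find("soap:Header/wsse:Security/dsig:Signature", NS)
    if sig is None:
        return [], ["no dsig:Signature in wsse:Security"]
    signed, findings = [], []
    for ref in sig.findall("dsig:SignedInfo/dsig:Reference", NS):
        uri = ref.get("URI", "")
        targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) == 1:
            signed.append(targets[0])
        else:  # 0 = dangling reference, >1 = duplicate wsu:Id in the message
            findings.append("%s resolves to %d elements" % (uri, len(targets)))
    body = root.find("soap:Body", NS)
    if not any(el is body for el in signed):
        findings.append("soap:Body is not covered by the signature")
    for el in sig.iter():
        if el.get("Algorithm", "").endswith(("#rsa-sha1", "#sha1")):
            findings.append("SHA-1 algorithm: " + el.get("Algorithm"))
    return [el.tag.split("}")[1] for el in signed], findings

print(audit_signed_parts(sample()))
```
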