This will be the last ‘hands-on’ article about testing an Oracle WSM setup with SoapUI. I have posted about two other examples here and here. In this example Oracle WSM is configured to verify the signature of the incoming SOAP message (request) and to add a digital signature to the outgoing message (response). How to arrange this in Oracle WSM is described in the book, so I won’t describe that here. What I will show is how to set up SoapUI to test the OWSM setup.
The WSDL for which I created a new project in SoapUI is:
```xml
<definitions name="TimeService" targetNamespace="urn:Test:TimeService"
             xmlns:tns="urn:Test:TimeService"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
             xmlns="http://schemas.xmlsoap.org/wsdl/">
  <message name="getTime0SoapIn">
    <part name="format" type="xsd:string"/>
  </message>
  <message name="getTime0SoapOut">
    <part name="Result" type="xsd:string"/>
  </message>
  <portType name="TimeServiceSoap">
    <operation name="getTime" parameterOrder="format">
      <input name="getTime0SoapIn" message="tns:getTime0SoapIn"/>
      <output name="getTime0SoapOut" message="tns:getTime0SoapOut"/>
    </operation>
  </portType>
  <binding name="TimeServiceSoap" type="tns:TimeServiceSoap">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getTime">
      <soap:operation soapAction="getTime" style="rpc"/>
      <input name="getTime0SoapIn">
        <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </input>
      <output name="getTime0SoapOut">
        <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </output>
    </operation>
  </binding>
  <service name="TimeService">
    <port name="TimeServiceSoap" binding="tns:TimeServiceSoap">
      <soap:address location="http://localhost:3115/gateway/services/SID0003004"/>
    </port>
  </service>
</definitions>
```
Verification of the SOAP request is configured in Oracle WSM like this:

To have SoapUI add a signature to the outgoing request, I took the following steps:
- added my keystore to the project:
- added a configuration step called ‘SignRequest’ to the project as Outgoing WS-Security Configuration:
- added a configuration step called ‘verifySignature’ to the project as Incoming WS-Security Configuration:
- configured the SOAP request with which the OWSM is tested:
Now with all this in place I sent the request and received the following response:
```xml
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault</faultcode>
      <faultstring>WS-Security process failure:null</faultstring>
      <detail/>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
It took some time before I realized the error was not my configuration of SoapUI. In the log file of OWSM I found this stack trace:
```
2009-01-17 20:23:03,452 WARNING [HTTPThreadGroup-8] wssecurity.SecurityBaseStep - Failure while applying XML Security
java.lang.NullPointerException
    at oracle.security.xmlsec.util.XMLNode.removeChild(Unknown Source)
    at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:538)
    at com.cfluent.policysteps.security.wssecurity.VerifyStep.performXmlSecurity(VerifyStep.java:147)
    at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
    at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
    at com.cfluent.pipelineengine.container.DefaultPipeline.execute(DefaultPipeline.java:97)
    at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.execute(DefaultPolicy.java:63)
    at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.access$300(DefaultPolicy.java:18)
    at com.cfluent.pipelineengine.container.DefaultPolicy.execute(DefaultPolicy.java:126)
    at com.cfluent.pipelineengine.container.PipelineContainer.execute(PipelineContainer.java:114)
    at com.cfluent.agent.Agent.intercept(Agent.java:123)
    at com.cfluent.agent.AgentRuntime.intercept(AgentRuntime.java:200)
    at com.cfluent.pipelineengine.util.PolicyInvoker.execute(PolicyInvoker.java:30)
    at com.cfluent.pipelineengine.util.InvokerChain.execute(InvokerChain.java:30)
    at com.cfluent.gateway.Invoker.execute(Invoker.java:118)
    at com.cfluent.gateway.listener.ProtocolListener$ListenerTask.run(ProtocolListener.java:272)
    at com.cfluent.gateway.listener.ProtocolListener.invoke(ProtocolListener.java:110)
    at com.cfluent.gateway.listener.GatewayRuntime.invoke(GatewayRuntime.java:32)
    at com.cfluent.gateway.listener.http.HttpListener.invoke(HttpListener.java:30)
    at com.cfluent.gateway.listener.http.ServicesServlet.handlePost(ServicesServlet.java:34)
    at com.cfluent.common.servlet.BaseServlet.doPost(BaseServlet.java:264)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
    at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
    at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
    at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
    at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
    at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
```
Now this appears to be a bug (5897046) in OWSM, as discussed here. Unfortunately I do not have access to MetaLink at the moment, so I cannot check for solutions or patches. My workaround was to skip the deletion of the signature in the incoming request:

Now when I send the request I get the response as expected:
```xml
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="_b5MY1ev1b2sj4s0nZL2VDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
      <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <dsig:Reference URI="#519sSPHD1xaC8TcH23RKyA22">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>lzj1qOFAUqEnuIqM2VGOfLDJ1x8=</dsig:DigestValue>
          </dsig:Reference>
          <dsig:Reference URI="#42uhaWCT0QoDrDGlwKsyZA22">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dsig:DigestValue>8qR3lN2UDPj2EknUuxaf5Xf+8Ic=</dsig:DigestValue>
          </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>g9S4GajLoXFtNkLJHRDponTv3ubZe432onBI0xfqHQ1zqtt2lalDwnyxbitBjbLaBcu94Fr0FeL7vst50e6KoujrAwt3lCT3sCsKBnvTFZKRKicKf6AdqAkq+d2PyIr0w2gpGJD5ejot8HaYUhJyXI/ogPiYxUmHqXkJVGcZzQ0=</dsig:SignatureValue>
        <dsig:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="_Gn6xvVFEyg5rUp3hrpAfYg22" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Reference URI="#_b5MY1ev1b2sj4s0nZL2VDg22"/>
          </wsse:SecurityTokenReference>
        </dsig:KeyInfo>
      </dsig:Signature>
      <wsu:Timestamp wsu:Id="42uhaWCT0QoDrDGlwKsyZA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2009-01-19T10:09:33Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="519sSPHD1xaC8TcH23RKyA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <n:getTimeResponse xmlns:n="urn:Test:GetTime">
      <result xsi:type="xsd:string">11:09 AM</result>
    </n:getTimeResponse>
  </soap:Body>
</soap:Envelope>
```
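As an added example (not part of the original post, SoapUI or OWSM): the response above carries two signed references, one for the Body and one for the Timestamp. The Python function below audits that structure in a signed envelope: which elements the references resolve to, whether the Body is among them, and whether SHA-1 algorithms are in use. It does not verify digests or the signature value, and the sample envelope and its Ids are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: same layout as the OWSM response, digests and values left out.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:dsig="{dsig}">
 <soap:Header><wsse:Security><dsig:Signature><dsig:SignedInfo>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <dsig:Reference URI="#body-1"><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></dsig:Reference>
  <dsig:Reference URI="#ts-1"><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></dsig:Reference>
 </dsig:SignedInfo></dsig:Signature>
 <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2009-01-19T10:09:33Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body-1"><result>11:09 AM</result></soap:Body>
</soap:Envelope>""".format(**NS)

def audit_signature(envelope_xml):
    """Structural audit only: digests and the signature value are NOT verified."""
    root = ET.fromstring(envelope_xml)
    by_id, duplicate_ids = {}, set()
    for el in root.iter():
        wid = el.get(WSU_ID)
        if wid in by_id:
            duplicate_ids.add(wid)  # same Id twice: a signature-wrapping indicator
        if wid is not None:
            by_id[wid] = el
    sig = root.find("soap:Header/wsse:Security/dsig:Signature", NS)
    if sig is None:
        return {"signed": False}
    uris = [r.get("URI", "") for r in sig.findall("dsig:SignedInfo/dsig:Reference", NS)]
    targets = [by_id.get(u.lstrip("#")) for u in uris]  # resolve '#id' to its element
    body = root.find("soap:Body", NS)
    algorithms = {e.get("Algorithm") for e in sig.iter() if e.get("Algorithm")}
    return {
        "signed": True,
        "covered": [t.tag.split("}")[1] for t in targets if t is not None],
        "unresolved": [u for u, t in zip(uris, targets) if t is None],
        "body_signed": body is not None and any(t is body for t in targets),
        "duplicate_ids": sorted(duplicate_ids),
        "sha1_algorithms": sorted(a for a in algorithms if a.endswith("sha1")),
    }
```

A response whose Body is not among the resolved references, or that contains a duplicated `wsu:Id`, should be treated as failing the check even if the gateway reports a valid signature.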