Testing Oracle WSM's web service signing and verifying with SoapUI

This will be the last ‘hands-on’ article about testing an Oracle WSM setup with SoapUI. I have posted about two other examples here and here. In this example Oracle WSM is configured to verify the signature of the incoming SOAP message (request) and to add a digital signature to the outgoing message (response). How to arrange this in Oracle WSM is described in the book, so I won’t describe it here. What I will show is how to set up SoapUI to test the OWSM setup.
The WSDL for which I created a new project in SoapUI is:

<definitions name="TimeService" targetNamespace="urn:Test:TimeService" xmlns:tns="urn:Test:TimeService" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/">
   <message name="getTime0SoapIn">
      <part name="format" type="xsd:string"/>
   </message>
   <message name="getTime0SoapOut">
      <part name="Result" type="xsd:string"/>
   </message>
   <portType name="TimeServiceSoap">
      <operation name="getTime" parameterOrder="format">
         <input name="getTime0SoapIn" message="tns:getTime0SoapIn"/>
         <output name="getTime0SoapOut" message="tns:getTime0SoapOut"/>
      </operation>
   </portType>
   <binding name="TimeServiceSoap" type="tns:TimeServiceSoap">
      <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
      <operation name="getTime">
         <soap:operation soapAction="getTime" style="rpc"/>
         <input name="getTime0SoapIn">
            <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         </input>
         <output name="getTime0SoapOut">
            <soap:body use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         </output>
      </operation>
   </binding>
   <service name="TimeService">
      <port name="TimeServiceSoap" binding="tns:TimeServiceSoap">
         <soap:address location="http://localhost:3115/gateway/services/SID0003004"/>
      </port>
   </service>
</definitions>

The verification of the SOAP request is configured in Oracle WSM like this:

To have SoapUI add a signature to the outgoing request I took the following steps:

  • added my keystore to the project:

  • added a configuration step called ‘SignRequest’ to the project as Outgoing WS-Security Configuration:
  • added a configuration step called ‘verifySignature’ to the project as Incoming WS-Security Configuration:
  • configured the SOAP request with which the OWSM is tested:

Now with all this in place I sent the request and received the following response:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault</faultcode>
         <faultstring>WS-Security process failure:null</faultstring>
         <detail/>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It took some time before I realized the error was not my configuration of SoapUI. In the log file of OWSM I found this stacktrace:

2009-01-17 20:23:03,452 WARNING [HTTPThreadGroup-8] wssecurity.SecurityBaseStep – Failure while applying XML Security
java.lang.NullPointerException
at oracle.security.xmlsec.util.XMLNode.removeChild(Unknown Source)
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:538)
at com.cfluent.policysteps.security.wssecurity.VerifyStep.performXmlSecurity(VerifyStep.java:147)
at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
at com.cfluent.pipelineengine.container.DefaultPipeline.execute(DefaultPipeline.java:97)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.execute(DefaultPolicy.java:63)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.access$300(DefaultPolicy.java:18)
at com.cfluent.pipelineengine.container.DefaultPolicy.execute(DefaultPolicy.java:126)
at com.cfluent.pipelineengine.container.PipelineContainer.execute(PipelineContainer.java:114)
at com.cfluent.agent.Agent.intercept(Agent.java:123)
at com.cfluent.agent.AgentRuntime.intercept(AgentRuntime.java:200)
at com.cfluent.pipelineengine.util.PolicyInvoker.execute(PolicyInvoker.java:30)
at com.cfluent.pipelineengine.util.InvokerChain.execute(InvokerChain.java:30)
at com.cfluent.gateway.Invoker.execute(Invoker.java:118)
at com.cfluent.gateway.listener.ProtocolListener$ListenerTask.run(ProtocolListener.java:272)
at com.cfluent.gateway.listener.ProtocolListener.invoke(ProtocolListener.java:110)
at com.cfluent.gateway.listener.GatewayRuntime.invoke(GatewayRuntime.java:32)
at com.cfluent.gateway.listener.http.HttpListener.invoke(HttpListener.java:30)
at com.cfluent.gateway.listener.http.ServicesServlet.handlePost(ServicesServlet.java:34)
at com.cfluent.common.servlet.BaseServlet.doPost(BaseServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)

Now this appears to be a bug (5897046) in OWSM as discussed here. Unfortunately I do not have access to MetaLink at the moment, so I cannot check for solutions or patches. The workaround I did was to skip the deletion of the signature in the incoming request:

Now when I send the request I get the response as expected:

<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="_b5MY1ev1b2sj4s0nZL2VDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- base64-encoded X.509 certificate omitted --></wsse:BinarySecurityToken>
         <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <dsig:SignedInfo>
               <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <dsig:Reference URI="#519sSPHD1xaC8TcH23RKyA22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>lzj1qOFAUqEnuIqM2VGOfLDJ1x8=</dsig:DigestValue>
               </dsig:Reference>
               <dsig:Reference URI="#42uhaWCT0QoDrDGlwKsyZA22">
                  <dsig:Transforms>
                     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </dsig:Transforms>
                  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <dsig:DigestValue>8qR3lN2UDPj2EknUuxaf5Xf+8Ic=</dsig:DigestValue>
               </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>g9S4GajLoXFtNkLJHRDponTv3ubZe432onBI0xfqHQ1zqtt2lalDwnyxbitBjbLaBcu94Fr0FeL7vst50e6KoujrAwt3lCT3sCsKBnvTFZKRKicKf6AdqAkq+d2PyIr0w2gpGJD5ejot8HaYUhJyXI/ogPiYxUmHqXkJVGcZzQ0=</dsig:SignatureValue>
            <dsig:KeyInfo>
               <wsse:SecurityTokenReference wsu:Id="_Gn6xvVFEyg5rUp3hrpAfYg22" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <wsse:Reference URI="#_b5MY1ev1b2sj4s0nZL2VDg22"/>
               </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
         </dsig:Signature>
         <wsu:Timestamp wsu:Id="42uhaWCT0QoDrDGlwKsyZA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2009-01-19T10:09:33Z</wsu:Created>
         </wsu:Timestamp>
      </wsse:Security>
   </soap:Header>
   <soap:Body wsu:Id="519sSPHD1xaC8TcH23RKyA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <n:getTimeResponse xmlns:n="urn:Test:GetTime">
         <result xsi:type="xsd:string">11:09 AM</result>
      </n:getTimeResponse>
   </soap:Body>
</soap:Envelope>
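
What the signature in the response above protects can be read from its two dsig:Reference elements: one URI matches the wsu:Id on soap:Body, the other the wsu:Id on wsu:Timestamp. The following added example (not from the original post or from Oracle; the function names are hypothetical) resolves those references and checks that the Body is among the signed elements. It checks coverage only and does not verify digests or the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the response above cut down to what decides coverage.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" xmlns:dsig="{DS}">
 <soap:Header>
  <dsig:Signature><dsig:SignedInfo>
   <dsig:Reference URI="#519sSPHD1xaC8TcH23RKyA22"/>
   <dsig:Reference URI="#42uhaWCT0QoDrDGlwKsyZA22"/>
  </dsig:SignedInfo></dsig:Signature>
  <wsu:Timestamp wsu:Id="42uhaWCT0QoDrDGlwKsyZA22"/>
 </soap:Header>
 <soap:Body wsu:Id="519sSPHD1xaC8TcH23RKyA22"><result>11:09 AM</result></soap:Body>
</soap:Envelope>"""


def signed_elements(envelope_xml):
    """Resolve every dsig:Reference to the element carrying that wsu:Id."""
    root = ET.fromstring(envelope_xml)
    by_id = {}
    for el in root.iter():
        wsu_id = el.get(f"{{{WSU}}}Id")
        if wsu_id is None:
            continue
        if wsu_id in by_id:  # ambiguous target: refuse rather than guess
            raise ValueError(f"duplicate wsu:Id {wsu_id!r}")
        by_id[wsu_id] = el
    covered = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            raise ValueError(f"Reference {uri!r} resolves to nothing")
        covered.append(by_id[uri[1:]])
    return root, covered


def covered_names(envelope_xml):
    """Local names of the signed elements, sorted."""
    return sorted(el.tag.split("}")[-1] for el in signed_elements(envelope_xml)[1])


def body_is_signed(envelope_xml):
    """True only if the Envelope's own Body child is among the signed elements."""
    root, covered = signed_elements(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    return body is not None and any(el is body for el in covered)
```

For the sample, `covered_names(SAMPLE)` returns `['Body', 'Timestamp']` and `body_is_signed(SAMPLE)` returns `True`.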

About Pascal Alma

Pascal started as an Oracle Developer in 1997 and developed numerous applications with Oracle Designer/Developer and PL/SQL. Since 2001 Pascal has become more and more active in the development of software on the Java/J2EE platform. Nowadays Pascal is a senior JEE Developer/Architect and has a lot of experience with several open source initiatives and frameworks, especially within the Enterprise Integration area. Besides these technical skills, Pascal is a big Scrum enthusiast.
