redstream » Oracle WSM

Review Oracle WSM: Securing Your Web Services

Pascal Alma — Sat, 24 Jan 2009 13:51:25 +0000

As you might have noticed by my last posts I am currently investigating the posiblities of Oracle’s Web Service Manager. I do this investigation by reading the Packtpub book ‘Oracle Web Services Manager – Securing Your Web Services‘, written by Sitaraman Lakshminarayanan. As the back-cover says this book mainly targets developers and architects with expertise in developing and deploying web services. And I want to add that it is most interesting if you are going to use or are currently using Oracle WSM, of course.
One thing I do not really understand is that the author describes how to use .Net clients to test the setup (besides the test facility in OWSM itself). Hasn’t Oracle been busy for almost 10 years now to become a important player in the J2EE market. So why not some examples how to test the setup with Java clients? But well, I have described how to test the examples with SoapUI, so I will consider this issue as solved ;-)
Besides this .Net thing there are some other (small) issues in the example descriptions:

In chapter 4 you will start with using Oracle WSM by registering your first service in it. But you can only do that after you have registered the gateway first (I would suggest to start with the Oracle WSM Starters guide of Oracle first).
The description of testing the setup in chapter 6 is not correct. The test as described sends an unsigned request and checks if the response is signed. But in the configuration of the web service in this chapter the incoming request must be signed, so the test will always fail. The quick workaround is of course to disable the checking of incoming request. But a nicer solution would be to send in a signed request. To do this I used SoapUI as described here.

One thing I miss in the book is (high level) information about keystores and how to create these, but this might be caused by the fact that I am not using .Net so I don’t have the default keystore they use in the book. But with this addition you make the examples better accessible for others like me who don’t have .Net available.
Overall it is a nice books with lots of screenshots showing you how to deal with Oracle WSM and it gives you a good insight in how you can secure your web services.

Testing Oracle WSM's web service signing and verifying with SoapUI

Pascal Alma — Tue, 20 Jan 2009 11:03:07 +0000

This will be the last ‘hands-on’ article about testing Oracle WSM setup with SoapUI. I have posted about two other examples here and here. In this example Oracle WSM is configured to verify the signature of the incoming SOAP message (request) and to add a digital signature to the outgoing message (response). How to arrange this in Oracle WSM is described in the book so I won’t describe that here. What I will show is how to setup SoapUI to test the OWSM setup.
The WSDL for which I created a new project in SoapUI is:

 name="TimeService" targetNamespace="urn:Test:TimeService" xmlns:tns="urn:Test:TimeService" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/">
    name="getTime0SoapIn">
       name="format" type="xsd:string"/>
   >
    name="getTime0SoapOut">
       name="Result" type="xsd:string"/>
   >
    name="TimeServiceSoap">
       name="getTime" parameterOrder="format">
          name="getTime0SoapIn" message="tns:getTime0SoapIn"/>
          name="getTime0SoapOut" message="tns:getTime0SoapOut"/>
      >
   >
    name="TimeServiceSoap" type="tns:TimeServiceSoap">
       style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
       name="getTime">
          soapAction="getTime" style="rpc"/>
          name="getTime0SoapIn">
             use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         >
          name="getTime0SoapOut">
             use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         >
      >
   >
    name="TimeService">
       name="TimeServiceSoap" binding="tns:TimeServiceSoap">
          location="http://localhost:3115/gateway/services/SID0003004"/>
      >
   >
>

The configuration for the verification of the SOAP request is configured in Oracle WSM like this:

To have SoapUI adding a signature to the outgoing request I took the following steps:

added my keystore to the project:
added a configuration step called ‘SignRequest’ to the project as Outgoing WS-Security Configuration:
added a configuration step called ‘verifySignature’ to the project as Incoming WS-Security Configuration:
configured the SOAP request with which the OWSM is tested:

Now with all this in place I sent the request and received the following response:

 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   >
      >
          xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault>
         >WS-Security process failure:null>
         />
      >
   >
>

It took some time before I realized the error was not my configuration of SoapUI. In the log file of OWSM I found this stacktrace:

2009-01-17 20:23:03,452 WARNING [HTTPThreadGroup-8] wssecurity.SecurityBaseStep – Failure while applying XML Security
java.lang.NullPointerException
at oracle.security.xmlsec.util.XMLNode.removeChild(Unknown Source)
at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:538)
at com.cfluent.policysteps.security.wssecurity.VerifyStep.performXmlSecurity(VerifyStep.java:147)
at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
at com.cfluent.pipelineengine.container.DefaultPipeline.execute(DefaultPipeline.java:97)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.execute(DefaultPolicy.java:63)
at com.cfluent.pipelineengine.container.DefaultPolicy$DeferredPipeline.access$300(DefaultPolicy.java:18)
at com.cfluent.pipelineengine.container.DefaultPolicy.execute(DefaultPolicy.java:126)
at com.cfluent.pipelineengine.container.PipelineContainer.execute(PipelineContainer.java:114)
at com.cfluent.agent.Agent.intercept(Agent.java:123)
at com.cfluent.agent.AgentRuntime.intercept(AgentRuntime.java:200)
at com.cfluent.pipelineengine.util.PolicyInvoker.execute(PolicyInvoker.java:30)
at com.cfluent.pipelineengine.util.InvokerChain.execute(InvokerChain.java:30)
at com.cfluent.gateway.Invoker.execute(Invoker.java:118)
at com.cfluent.gateway.listener.ProtocolListener$ListenerTask.run(ProtocolListener.java:272)
at com.cfluent.gateway.listener.ProtocolListener.invoke(ProtocolListener.java:110)
at com.cfluent.gateway.listener.GatewayRuntime.invoke(GatewayRuntime.java:32)
at com.cfluent.gateway.listener.http.HttpListener.invoke(HttpListener.java:30)
at com.cfluent.gateway.listener.http.ServicesServlet.handlePost(ServicesServlet.java:34)
at com.cfluent.common.servlet.BaseServlet.doPost(BaseServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)

Now this appears to be a bug (5897046) in OWSM as discussed here. Unfortunately I do not have access to MetaLink at the moment, so I cannot check for solutions or patches. The workaround I did was to skip the deletion of the signature in the incoming request:

Now when I send the request I get the response as expected:

 soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   >
       soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="_b5MY1ev1b2sj4s0nZL2VDg22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICBDCCAW0CBElt0WUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCTkwxETAPBgNVBAoMCHBhbG1hLWl0MRIwEAYDVQQLDAlkZXZlbG9wZXIxEzARBgNVBAMMCnBhc2NhbGFsbWEwHhcNMDkwMTE0MTE0OTU3WhcNMDkwNzEzMTE0OTU3WjBJMQswCQYDVQQGEwJOTDERMA8GA1UECgwIcGFsbWEtaXQxEjAQBgNVBAsMCWRldmVsb3BlcjETMBEGA1UEAwwKcGFzY2FsYWxtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApSBk3VobSFPMBuzkWpHvVsQLxWcICzOXWuhescOPqgvkQRfBl6g99v/O+73l0eJjrS/ayUf9fNs/VpUWrgHJ2AMD2/tRKrjfOV9YpG9HcupGB74ygpJ4lDy9VY6KxDDnNF0G6q1oJEZWhHkfupTZIZh70DzRVXqrzf6WqXOzd7MCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAGJAPB24oqfBSlUXXBg/krsKKKPKgpxKV5mpoSf+G9WVjIgK1lplURht2Wyecze91MKhQONMqecHqyIorzXmnO0DWa+ND7exDjcGw+tsagVrxIr1FG85QzJqic+l/uX2+8c5a5m85+o0qPLQeKAwc8DWuANJXIh7/Fy76H7CAMvg==>
          xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            >
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                URI="#519sSPHD1xaC8TcH23RKyA22">
                  >
                      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  >
                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  >lzj1qOFAUqEnuIqM2VGOfLDJ1x8=>
               >
                URI="#42uhaWCT0QoDrDGlwKsyZA22">
                  >
                      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  >
                   Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  >8qR3lN2UDPj2EknUuxaf5Xf+8Ic=>
               >
            >
         >g9S4GajLoXFtNkLJHRDponTv3ubZe432onBI0xfqHQ1zqtt2lalDwnyxbitBjbLaBcu94Fr0FeL7vst50e6KoujrAwt3lCT3sCsKBnvTFZKRKicKf6AdqAkq+d2PyIr0w2gpGJD5ejot8HaYUhJyXI/ogPiYxUmHqXkJVGcZzQ0=>
            >
                wsu:Id="_Gn6xvVFEyg5rUp3hrpAfYg22" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                   URI="#_b5MY1ev1b2sj4s0nZL2VDg22"/>
               >
            >
         >
          wsu:Id="42uhaWCT0QoDrDGlwKsyZA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            >2009-01-19T10:09:33Z>
         >
      >
   >
    wsu:Id="519sSPHD1xaC8TcH23RKyA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       xmlns:n="urn:Test:GetTime">
          xsi:type="xsd:string">11:09 AM>
      >
   >
>

Testing Oracle WSM's Encrypting and Decrypting with SoapUI

Pascal Alma — Fri, 16 Jan 2009 08:47:23 +0000

As said before I am currently going through the book ‘Oracle Web Service Manager‘. In chapter 5 of this book an example is given how to configure OWSM to encrypt outgoing and decrypt incoming soap messages for a web service. To test this setup a dotNet client is created. In this post I will show you how you can test the setup by using SoapUI instead.
The first step (assuming that SoapUI is already installed) is to create a keystore on the client machine. This keystore must also be used in the OWSM configuration in the example. To create the keystore and necessary key-pair I use Portecle. I created a new keystore (PKCS based) and added a key for ‘pascalalma’ to it. Here is the screenshot with all the necessary info:

In SoapUI I have created a new project based on the WSDL in the example. At the project level I enter the WS-Security parameters and actions that must be performed. Since the gateway expects the soap message to be encoded I have to encode the outgoing message in SoapUI and decode the incoming response message.
Here is the security configuration at project level. First select the keystore to be used by SoapUI:

Then define the outgoing encryption action:

And the last one, define the incoming decryption action:

Now everything at project level is set. The next step is to tell the request it should use these settings. This is a step that took some time for me to discover. But when you click at the ‘Auth’ tab at the request window you can define the actions that must be executed by SoapUI for the request (and response) of the SOAP call. Here you can find the tab:

And here are the parameters set for the security:

Now, this should be it. Actually kind of straightforward…. But not in my case. I am using SoapUI2.5 and when I sended the request I go the following response back:

 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   >
      >
          xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.GenericFault>
         >WS-Security process failure:FAULT CODE: UnsupportedSecurityToken FAULT MESSAGE: An unsupported token was provided>
         />
      >
   >
>

After an extensive search I found out it was a version problem in the SOAP header. OWSM gateway expects an element ‘wsse:Reference’ with attribute
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
but SoapUI was sending the request with ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v1"
When I knew what caused the error the solution was quickly found here. I downloaded the older version of the WSS4J library (wss4j-1.5.3.jar) and put that in the SoapUI/lib/ directory. I also modified the SoapUI/bin/soapui.bat file so the correct version is loaded by SoapUI. And this time the call worked like a charm. The response I got back now was (decrypted by SoapUI of course):

 soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   >
       soap:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="asKWwEekHdcXDlFgYL5yP3w22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIICBDCCAW0CBElt0WUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCTkwxETAPBgNVBAoMCHBhbG1hLWl0MRIwEAYDVQQLDAlkZXZlbG9wZXIxEzARBgNVBAMMCnBhc2NhbGFsbWEwHhcNMDkwMTE0MTE0OTU3WhcNMDkwNzEzMTE0OTU3WjBJMQswCQYDVQQGEwJOTDERMA8GA1UECgwIcGFsbWEtaXQxEjAQBgNVBAsMCWRldmVsb3BlcjETMBEGA1UEAwwKcGFzY2FsYWxtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApSBk3VobSFPMBuzkWpHvVsQLxWcICzOXWuhescOPqgvkQRfBl6g99v/O+73l0eJjrS/ayUf9fNs/VpUWrgHJ2AMD2/tRKrjfOV9YpG9HcupGB74ygpJ4lDy9VY6KxDDnNF0G6q1oJEZWhHkfupTZIZh70DzRVXqrzf6WqXOzd7MCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAGJAPB24oqfBSlUXXBg/krsKKKPKgpxKV5mpoSf+G9WVjIgK1lplURht2Wyecze91MKhQONMqecHqyIorzXmnO0DWa+ND7exDjcGw+tsagVrxIr1FG85QzJqic+l/uX2+8c5a5m85+o0qPLQeKAwc8DWuANJXIh7/Fy76H7CAMvg==>
          xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
             Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
             xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   URI="#asKWwEekHdcXDlFgYL5yP3w22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               >
            >
            >
               >aSM+UvvqfsS/2Damu9pgg2U1oea1O5CjYZ08pKOG0U8IKTJaRgWIDVfjXZI+Gq4Wmsbsz0oWc6wKYawH23clYedt/ScX1ZpEAAHhSEzV8e/+hl3/vZ8Iq7UfLz3DRAat0cn0B00qW8VI+2j94hdTMQJ1v+EjH+7eQpnq0i09UBg=>
            >
            >
                URI="#_o8iRaqZLI6bBw6wR009kLQ22"/>
            >
         >
      >
   >
   >
       xmlns:n="urn:Test:GetTime">
          xsi:type="xsd:string">12:23 PM>
      >
   >
>

Testing Oracle WSM's SOAP authentication with SoapUI

Pascal Alma — Thu, 15 Jan 2009 15:35:31 +0000

Last week I started to have a look at the product ‘Oracle Web Server Manager‘. I am reading a packtpub book about this product and am halfway now. I will post more about this book later but one thing I one to mention already is that there are several examples described which are tested by creating a web service client with .Net. I am not familiar with .Net (and do not have the intention to change that) so I used my favorite tool SoapUI as client to test the Oracle gateway.
The first example is created in chapter 4. In this example basic authentication is added to a web service. The book describes in detail how you do this with Oracle WSM. To test this setup I will use SoapUI. The first step is to create a project in SoapUI based on the web service’s WSDL. I accept the defaults so an example request is generated.
The WSDL of the web service looks like this:

 name="TimeService" targetNamespace="urn:Test:TimeService" xmlns:tns="urn:Test:TimeService" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/">
    name="getTime0SoapIn">
       name="format" type="xsd:string"/>
   >
    name="getTime0SoapOut">
       name="Result" type="xsd:string"/>
   >
    name="TimeServiceSoap">
       name="getTime" parameterOrder="format">
          name="getTime0SoapIn" message="tns:getTime0SoapIn"/>
          name="getTime0SoapOut" message="tns:getTime0SoapOut"/>
      >
   >
    name="TimeServiceSoap" type="tns:TimeServiceSoap">
       style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
       name="getTime">
          soapAction="getTime" style="rpc"/>
          name="getTime0SoapIn">
             use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         >
          name="getTime0SoapOut">
             use="encoded" namespace="urn:Test:GetTime" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
         >
      >
   >
    name="TimeService">
       name="TimeServiceSoap" binding="tns:TimeServiceSoap">
          location="http://localhost:3115/gateway/services/SID0003001"/>
      >
   >
>

If I don’t configure anything in SoapUI and just send the request I get the response:

 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   >
      >
          xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.AuthenticationFault>
         >Invalid username or password>
         />
      >
   >
>

which is logical, because I have to supply credentials. These credentials must be added to the SOAP call according to the WS-Security specs. Luckily this is done by SoapUI by default. Here is the configuration of the call in SoapUI:

The SOAP request that is send now looks like this (the raw xml):

 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Test:GetTime" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   >
       soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          wsu:Id="UsernameToken-32950583" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            >palma>
             Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">alma23>
            >Ekgk+pK0FhRj8EnzWxFsKg==>
            >2009-01-15T08:37:08.005Z>
         >
      >
   >
   >
       soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
          xsi:type="xsd:string">?>
      >
   >
>

As you might notice a SOAP header is now added with the credentials information. The result now is:

 soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
   >
       xmlns:n="urn:Test:GetTime">
          xsi:type="xsd:string">09:37 AM>
      >
   >
>

So this works!

The next example in the book for which I use SoapUI is about encrypting and decrypting the message. This has some more configuration to setup so I will show this in a separate post.