Friday, July 29, 2011

How to test secure web services with soapUI - part #2

In a previous article I described how to specify signature and encryption for outgoing secure web service requests.

1. SAML

In this second article I will talk about SAML and incoming Secure Web Service responses.

If you are using SAML 1.X then you just need to add a SAML 1.X assertion in the corresponding window.
You may have to add a timestamp as follows:

In this example, we specify 10,000 milliseconds (10 seconds) for the lifetime of the Timestamp:
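As an added example (not code from the original post, nor soapUI's own), this shows what that 10-second lifetime means on the wire and at the receiving end: a constructed SOAP envelope carrying the wsu:Timestamp, and a receiver-side check that rejects the message once the window has passed, if the sender asks for a longer window than allowed, or if the Timestamp is missing. The envelope contents, the 5-second clock-skew allowance and all function names are my assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespaces used by the wsse:Security header
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

def _fmt(t):  # xsd:dateTime in UTC with millisecond precision
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (t.microsecond // 1000)

def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def make_envelope(created, ttl_ms):
    """Sender side: a constructed SOAP envelope whose wsu:Timestamp lives for ttl_ms."""
    expires = created + timedelta(milliseconds=ttl_ms)
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>' % NS["soapenv"]
            + '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">' % (NS["wsse"], NS["wsu"])
            + '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>%s</wsu:Created>' % _fmt(created)
            + '<wsu:Expires>%s</wsu:Expires></wsu:Timestamp></wsse:Security>' % _fmt(expires)
            + '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')

def check_timestamp(envelope_xml, now, max_ttl_ms=10_000, skew_s=5):
    """Receiver side: 'ok', or the reason the Timestamp should be rejected."""
    ts = ET.fromstring(envelope_xml).find("soapenv:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return "missing-timestamp"
    created = _parse(ts.findtext("wsu:Created", namespaces=NS))
    expires_txt = ts.findtext("wsu:Expires", namespaces=NS)
    expires = _parse(expires_txt) if expires_txt else created + timedelta(milliseconds=max_ttl_ms)
    if created > now + timedelta(seconds=skew_s):
        return "created-in-future"   # sender clock ahead of ours, or a forged Created value
    if expires - created > timedelta(milliseconds=max_ttl_ms):
        return "ttl-too-long"        # sender asks for a wider replay window than we accept
    if now > expires + timedelta(seconds=skew_s):
        return "expired"             # stale message, possibly a replay
    return "ok"

def demo():
    """Scenarios around the 10,000 ms lifetime; returns the verdict for each."""
    t0 = datetime(2011, 7, 29, 12, 0, 0, tzinfo=timezone.utc)
    s = lambda n: t0 + timedelta(seconds=n)
    env = make_envelope(t0, 10_000)
    no_ts = '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body/></soapenv:Envelope>' % NS["soapenv"]
    return (check_timestamp(env, s(3)), check_timestamp(env, s(20)), check_timestamp(env, s(-30)),
            check_timestamp(make_envelope(t0, 60_000), s(3)), check_timestamp(no_ts, s(0)))
```

Note that the Timestamp only bounds replay if it is covered by the signature, which is why the signature configuration from part #1 should reference it.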

SAML 1.X assertions are copied and pasted in the SAML tab:

Of course, if you combine signature and encryption with SAML 1.X, you can add those to the configuration tabs as well.

For SAML 2.0, the only option you have in this version of soapUI is to add the assertion manually to the WSSE (wsse:Security) section of your SOAP request:

2. Incoming Secure Web Service Responses

Setting up incoming secure web service responses that are encrypted and/or signed is easier than for outgoing requests:

1) Make sure that the Keystores / Certificates tab is set up; you have probably done that already, as described in part #1 of this article. You verify the signature with the public key contained in the server's certificate/store, and use your own private key to decrypt what the other server sends you.

2) Create an incoming WSS configuration (e.g. my_config_from_server_A) that will decrypt the incoming SOAP responses coming from server A:

You specify that you want to use your keystore to decrypt the message and the server's certificate/store to verify the signature of server A (these should appear in the drop-down box for each field):

3) Last, specify that the incoming configuration is to be used for each request:

Enjoy!

1 comment:

nivedita dige said...

I am struggling to import and assign a secret key required by 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd#hmac-sha1' algorithm.

I am generating a secret key using keytool command -

keytool -genseckey -sigalg hmacsha1 -keysize 56 -alias hmac1 -storetype jceks -keystore H:\keys\clientk.jceks

and then import using preferences but I see the following error in log

javax.crypto.spec.SecretKeySpec cannot be cast to java.security.PrivateKey