I have a requirement to test the WS-Security of a web service running on WebLogic with a UserNameToken. The goal is assertaining if the service is setup properly and prevents any request without the correct UserNameToken. The secenario I see is something like a cactus scenario where I lookup the web service within the JNDI and pass a SOAP Message to the service. This would require me to develop a correct SOAP message. Some of the tools I am using are: Weblogic 8.1 with sp4 and WSAD 5.1.1. I am not allowed to change the configuration of the server by adding AXIS.
Can someone guide me in the right direction? I've spent most of a day surfing and looking at the available literature. However, most literature does not discuss security of web services as it is such a new topic with so many standards. My understanding is one of the best comprehesive book on web services "J2EE Web Services" by Richard Monson-Haefel does not even address security.
Russell, even though you may not be able to use Axis on the server, you can use its wsdl2java tool to create a client for test purposes (if you have a WSDL description of it, of course). Once you have a client, you can use tcpmon (a little GUI app that comes with Axis) to monitor what the client sends, and what the server responds with. It's a very handy tool, and I have used it for exactly that - testing what WS-Security does to the SOAP messages. To set up security on the client side you can use the WSS4J package (see the Web Services FAQ linked in my signature for a few relevant links). It's not rocket science to set it up. Or maybe WebLogic or WebSphere have their own libraries that you can use.
Thank you very much for your comments and suggestions. Excuse me if my question elementary, but I am so new to web services. You gave me some light at the end of the learning tunnel that I question my own ubderstanding. I know WSAD 5.1.1. is using AXIS for it's creation of a test client. Using WSAD, what you get are jsp's, a proxy server, and some more java code for running the service. Is this what you are referring to or does the AXIS implementation (using the wsdl) give you strickly a java client without jsps? Again, all I want to do is pass in a SOAP Message I've created and let the system handle the SOAP Message from there.
Thank you for the links and information again. I will definately finish reading them tonight preparing myself for the task at hand.
Joined: Mar 22, 2005
The wsdl2java creates only Java classes, including all the stubs and service locators needed to access a web service remotely. After that, one can slap a client around it with 10 lines of code or so. I don't think the simplest possible SOAP-over-Java client will work with WSS4J, because WSS4J is based on JAX-RPC handlers. But JAX-RPC is just what wsdl2java generates, so if you get that to run you're good to go.