I have a requirement to test the WS-Security of a web service running on WebLogic with a UserNameToken. The goal is ascertaining if the service is set up properly and prevents any request without the correct UserNameToken. The scenario I see is something like a Cactus scenario where I look up the web service within the JNDI and pass a SOAP Message to the service. This would require me to develop a correct SOAP message. Some of the tools I am using are: WebLogic 8.1 with sp4 and WSAD 5.1.1. I am not allowed to change the configuration of the server by adding AXIS.
Can someone guide me in the right direction? I've spent most of a day surfing and looking at the available literature. However, most literature does not discuss security of web services as it is such a new topic with so many standards. My understanding is that one of the best comprehensive books on web services, "J2EE Web Services" by Richard Monson-Haefel, does not even address security.
Russell, even though you may not be able to use Axis on the server, you can use its wsdl2java tool to create a client for test purposes (if you have a WSDL description of it, of course). Once you have a client, you can use tcpmon (a little GUI app that comes with Axis) to monitor what the client sends, and what the server responds with. It's a very handy tool, and I have used it for exactly that - testing what WS-Security does to the SOAP messages. To set up security on the client side you can use the WSS4J package (see the Web Services FAQ linked in my signature for a few relevant links). It's not rocket science to set it up. Or maybe WebLogic or WebSphere have their own libraries that you can use.
Joined: Apr 25, 2005
Thank you very much for your comments and suggestions. Excuse me if my question is elementary, but I am so new to web services. You gave me some light at the end of the learning tunnel that I question my own understanding. I know WSAD 5.1.1. is using AXIS for its creation of a test client. Using WSAD, what you get are JSPs, a proxy server, and some more Java code for running the service. Is this what you are referring to or does the AXIS implementation (using the wsdl) give you strictly a Java client without JSPs? Again, all I want to do is pass in a SOAP Message I've created and let the system handle the SOAP Message from there.
Thank you for the links and information again. I will definitely finish reading them tonight preparing myself for the task at hand.
Joined: Mar 22, 2005
The wsdl2java creates only Java classes, including all the stubs and service locators needed to access a web service remotely. After that, one can slap a client around it with 10 lines of code or so. I don't think the simplest possible SOAP-over-Java client will work with WSS4J, because WSS4J is based on JAX-RPC handlers. But JAX-RPC is just what wsdl2java generates, so if you get that to run you're good to go.