Tuesday, October 9, 2018

Secure Your SOAP Web Service Using Username Token Security

Some developers asked me how they can add security to their web services, so in this post I will show you how to develop a SOAP web service and secure it using username token security.

I use JDeveloper 11g (11.1.1.7.0) and I use SOAPUI to test my web service.

First Step: Develop SOAP Web service


  • Open JDeveloper and create a new application

  • Create a class which will be your web service (e.g. MyWebService)



  • Write your web service. In this example I will create a simple web service with one function called sayHello; this function will receive as a parameter and return Hello, , as shown:


  • To convert the Java class to a web service, right click on the class --> Create web service


  • Follow these screenshots then press Finish:








  • Your web service will look like this:

  • To add the security, create a folder called "policies" in WEB-INF, and inside this folder create an XML file called "usernametoken.xml".
  • Inside this usernametoken.xml write as shown (you can download the Sample Application and take this file)


  • In your web service, point to this usernametoken.xml file by writing "@Policies({ @Policy(uri = "policy:usernametoken.xml") })" under "@WebService" as shown:

  • Save all and run your web service.

  • After your web service is running, open the browser and load the web service WSDL; the username token security should appear in the WSDL as shown:




Second Step: Test SOAP Web service using SoapUI

  • Open SoapUI and create a new SOAP Project.

  • Enter any project name and enter your web service WSDL.


  • Open the web service request, enter any value in the parameter and run it to test the web service. You will get a security error message as shown:


  • You get the error message because we didn't enter a username/password to invoke the web service. Let us first add the user which we will use to test the WS. In the WebLogic server on which the web service is running, open the WebLogic console --> Security Realms --> myrealm --> Users and Groups



  • You can add any user and set the password (I will use the weblogic user to test the WS)




  • Back in SoapUI, we should set the username and password to invoke the WS. Right click on the SOAP Project --> Show Project View


  • In WS-Security Configurations --> Outgoing WS-Security Configurations --> press the Add button


  • Enter any name

  • In the bottom left section add a new WSS entry

  • From the drop-down list select type "Username"

  • Enter the Username and Password (the user which you defined in WebLogic) and select PasswordText as shown


  • Close the SOAP request and reopen it. At the bottom of the request select Auth and select Add New Authentication

  • Select Type --> Basic

  • Select the created Outgoing WSS as shown


  • Now invoke the web service again; you will find that the result is generated and the web service is called successfully.
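
What the SoapUI "Username" WSS entry configured above puts on the wire, as an added example that is not part of the original post or its sample application: with PasswordText the password sits readable in the SOAP header, so the endpoint should be reached over HTTPS, and the PasswordDigest form from the same WSS Username Token Profile is built alongside for comparison, which goes beyond what the post configures. The target namespace `http://example.com/`, the parameter name `arg0` and the password value are assumptions constructed for the example.

```python
import base64, hashlib, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
UTP = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-username-token-profile-1.0")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
SVC = "http://example.com/"  # hypothetical target namespace of MyWebService
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ws", SVC)):
    ET.register_namespace(prefix, uri)

def build_request(user, password, name, digest=False, nonce=None, created=None):
    """Return a SOAP 1.1 sayHello request carrying a wsse:UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        # PasswordDigest = Base64(SHA-1(nonce + created + password))
        raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        pw.set("Type", UTP + "#PasswordDigest")
        pw.text = base64.b64encode(raw).decode()
    else:
        pw.set("Type", UTP + "#PasswordText")
        pw.text = password  # sent exactly as typed
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SVC}}}sayHello")
    ET.SubElement(op, "arg0").text = name  # parameter name is an assumption
    return ET.tostring(env, encoding="unicode")

def password_on_wire(request_xml):
    """Return (type, value) of the Password element as any reader of the request sees it."""
    pw = ET.fromstring(request_xml).find(f".//{{{WSSE}}}Password")
    return pw.get("Type").rsplit("#", 1)[1], pw.text

if __name__ == "__main__":
    for use_digest in (False, True):  # constructed credentials, not real ones
        req = build_request("weblogic", "constructed-Passw0rd", "World", digest=use_digest)
        print(password_on_wire(req))
```

Whether the service accepts the digest form depends on what its usernametoken.xml policy allows.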


You can download the web service sample application from here


