
How to use WS Security username and Password policy for Web Services in soapUI?

WS Security



WS-Security (Web Services Security, WSS for short) is a flexible and feature-rich extension to SOAP for applying security to web services. While doing Web Services/SOA testing, one has to make sure that the services are adequately secured. Proper authentication and authorization need to be implemented for web services. A lack of this can expose an organization's data and non-public information to the outside world.
WS Security can be implemented by creating different security policies. In this post, let us see how we can test the WS Security of a web service using a username and password token in soapUI. There are two ways to attach the security header/profile to the outgoing request via soapUI.


Configure WS Security




Double-click the project, navigate to the "WS-Security Configurations" tab and then to "Outgoing WS-Security Configurations". Click the "+" sign and give the security profile a name, say "WSConfiguration1". Click the "+" sign on the tab below the current section. Select "Username" from the WSS Entry drop-down and click OK. Select the "Add Nonce" check box; this adds a random number to the security header, which is used in conjunction with the security encryption/decryption. Check the "Add Created" check box and select the password type as well. You now have a security profile named "WSConfiguration1" set up in soapUI, which can be used on any test request. Double-click the test request and select the newly created profile from the "Outgoing WSS" drop-down on the "Aut" tab of the test request.

  • Supply the Username and Password in the Test Request itself and apply it each time before invoking the request.

Double-click the test request in the test steps. Navigate to the "Aut" tab at the bottom of the request. Enter the username, password and domain. Now go to the XML view of the request and right-click there. Click on "Add WSS Username Token". Select "Password Text" to send the password in plain text, or select "Password Digest" to use an encrypted password. You can also right-click and select "Add WS-Timestamp" to add a creation/expiration timestamp to the security header. This will create an entry like the one below under the <Security> element of the request.



<wsu:Timestamp wsu:Id="Timestamp-2" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsu:Created>2011-10-19T18:20:37.540Z</wsu:Created>
   <wsu:Expires>2011-10-19T18:21:37.540Z</wsu:Expires>
</wsu:Timestamp>

<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:Username>username</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
   <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">M769jEEqYIUEDKP+dvH+ZA==</wsse:Nonce>
   <wsu:Created>2011-10-19T18:20:25.899Z</wsu:Created>
</wsse:UsernameToken>
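
With "Password Digest" selected, the Password element carries Base64(SHA-1(nonce + Created + password)) as defined by the WS-Security UsernameToken Profile 1.0, so the Nonce and Created values above become inputs the receiver must check. The following is an added example, not code from the original post or from soapUI: a hypothetical receiver-side TokenValidator (its name, the 5-minute window and the in-memory stores are assumptions) that rejects stale timestamps and reused nonces before comparing the digest.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce bytes + Created + password)), UsernameToken Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


class TokenValidator:
    """Hypothetical receiver: checks freshness, nonce reuse, then the digest."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords   # username -> password (constructed store)
        self.max_age = max_age       # assumed freshness window
        self.seen = set()            # accepted (username, nonce); expire these in real use

    def validate(self, username, digest, nonce_b64, created, now):
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_age:
            return "stale"
        if (username, nonce_b64) in self.seen:
            return "replay"
        if username not in self.passwords:
            return "bad-digest"
        expected = password_digest(nonce_b64, created, self.passwords[username])
        if not hmac.compare_digest(expected, digest):
            return "bad-digest"
        self.seen.add((username, nonce_b64))   # remember only accepted tokens
        return "ok"


# Nonce and Created are taken from the UsernameToken shown above; the clock is constructed.
NONCE = "M769jEEqYIUEDKP+dvH+ZA=="
CREATED = "2011-10-19T18:20:25.899Z"

if __name__ == "__main__":
    v = TokenValidator({"username": "pwd"})
    now = datetime(2011, 10, 19, 18, 21, tzinfo=timezone.utc)
    d = password_digest(NONCE, CREATED, "pwd")
    print(v.validate("username", d, NONCE, CREATED, now))   # first delivery
    print(v.validate("username", d, NONCE, CREATED, now))   # same token sent again
```

When testing a service from soapUI, resending an identical request with the same Nonce and Created values is a quick way to see whether the service performs the replay check at all.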



4 comments:
  • Anonymous says:
    May 03, 2012

    Hi, I am using wss_http_token_over_ssl_service_policy in my application. When I followed your steps to test the service, I got the following error:





    ns0:InvalidSecurityToken
    InvalidSecurityToken : The security token is not valid.






    *********** My Payload ***************

  • Arvind says:
    August 12, 2012

    Thanks. This helped me find out where to set a password at the Project Level in SoapUI

  • Anonymous says:
    May 07, 2014

    Thanks - exactly what I was looking for!

  • Anonymous says:
    October 27, 2014

    Hi. We are using the 'dsig' configuration from the Outgoing WSS Security Configuration, and we need to remove all outgoing configurations and apply "dsig" again every time we trigger the request XML. If we don't do that, it shows an expiry message.

    We are trying to automate this flow, for which we need Groovy commands to remove/apply the config we have created in the WSS Outgoing configuration.

    Can you please help us identify how to do that using a Groovy script?

    Thanks !


This is a new website mainly for SOA Testers using soapUI. Let me know your thoughts/ suggestions.