This topic explains how SOAtest assists with runtime security policy validation by enabling execution of complex authentication, encryption, and access control test scenarios.

Sections include:


SOAtest includes several security tools and options that help you construct and execute complex authentication, encryption, and access control test scenarios. For example:

JCE Prerequisite

See JCE Prerequisite.


For a step-by-step demonstration of how to apply SOAtest for validating authentication, encryption, and access control, see WS-Security. This tutorial covers encryption/decryption, digital signature, and the addition of SOAP Headers. 

Related Topics

For more details on how to use SOAtest’s tools to support your specific authentication, encryption, and access control validation needs, see the following sections.

WS-Security Policy

SOA Quality Governance and Policy Enforcement
Adding Global Test Suite Properties

Custom Headers

Adding SOAP Headers
Adding SAML Headers
Adding Global Test Suite Properties


XML Encryption
XML Signer
XML Signature Verifier

General Security Settings (Authentication, Keystores, etc.) 

Security Settings
HTTP 1.0 1
HTTP 1.1
Adding Global Test Suite Properties

HTTPS and SSLConfiguring for Services Deployed Over HTTPS

Adding SAML Headers
SAML 1.1 Assertion Options
SAML 2.0 Assertion Options

Testing Oracle/BEA WebLogic Services with WS-Security

If your services are configured with WS-Security XML security policies, then you can configure SOAtest with the necessary settings in order to interoperate with WebLogic. 

To help you configure these settings, a sample SOAtest project WebLogicWSS.tst is included under <INSTALL>/examples/tests. WebLogicWSS.tst is not an executable test; it intended to serve as a reference, allowing you to compare a working configuration that has been verified by Parasoft against your own. This example configuration has been tested to work with WebLogic 9.2 and later. 

This example assumes that default sign, encrypt and UsernameToken (ut) policies are being used by your WebLogic application. It also assumes that the wss_client certificate (the client public key) has been imported to WebLogic's DemoTrust keystore. 

Note the following:

If you are using the default policies or policies that are built off of the defaults, configure your test settings to match this example in terms of the options selected.

Refer to Oracle's e-docs sites for more information about WebLogic security policies.