Category: Soap

How to consume a WebService that uses Ws-Security Authentication (UsernameToken) – OWSM – Oracle Service Bus (OSB)


The Oracle Service Bus (OSB) allows to enable OWSM authentication, there is many policies that can be applied to the Proxy Service to turn on security authentication. The most basic of this policies is:

oracle / wss_username_token_service_policy

Requiring only a username and password. Once enabled this security, following a tip on how to make a request using a Java Client.

File: – This is a main class to make a request

import java.math.BigInteger;
import java.util.ArrayList;
import java.util.GregorianCalendar;
import java.util.List;

import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;

public class MainPost {

	public static void main(String[] args) {

		try {

			MyService service = new MyService();
			MyServicePort myServicePort = service.getMySoapPort();

			// This is the block that apply the Ws Security to the request
			BindingProvider bindingProvider = (BindingProvider) myServicePort;
			List<Handler> handlerChain = new ArrayList<Handler>();
			handlerChain.add(new WSSecurityHeaderSOAPHandler("myUsername", "myPassword"));

			RequestType myRequest = new RequestType();

			ResponseType response = myServicePort.searchSomething(myRequest);

		} catch (Exception e) {

File: – This is a handler responsible for creating the header authentication.

import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;

public class WSSecurityHeaderSOAPHandler implements SOAPHandler<SOAPMessageContext> {

 private static final String SOAP_ELEMENT_PASSWORD = "Password";
 private static final String SOAP_ELEMENT_USERNAME = "Username";
 private static final String SOAP_ELEMENT_USERNAME_TOKEN = "UsernameToken";
 private static final String SOAP_ELEMENT_SECURITY = "Security";
 private static final String NAMESPACE_SECURITY = "";
 private static final String PREFIX_SECURITY = "wsse";

 private String usernameText;
 private String passwordText;

 public WSSecurityHeaderSOAPHandler(String usernameText, String passwordText) {
 this.usernameText = usernameText;
 this.passwordText = passwordText;

 public boolean handleMessage(SOAPMessageContext soapMessageContext) {

 Boolean outboundProperty = (Boolean) soapMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

 if (outboundProperty.booleanValue()) {

 try {
 SOAPEnvelope soapEnvelope = soapMessageContext.getMessage().getSOAPPart().getEnvelope();

 SOAPHeader header = soapEnvelope.getHeader();
 if (header == null) {
 header = soapEnvelope.addHeader();

 SOAPElement soapElementSecurityHeader = header.addChildElement(SOAP_ELEMENT_SECURITY, PREFIX_SECURITY,

 SOAPElement soapElementUsernameToken = soapElementSecurityHeader.addChildElement(SOAP_ELEMENT_USERNAME_TOKEN, PREFIX_SECURITY);
 SOAPElement soapElementUsername = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_USERNAME, PREFIX_SECURITY);

 SOAPElement soapElementPassword = soapElementUsernameToken.addChildElement(SOAP_ELEMENT_PASSWORD, PREFIX_SECURITY);

 } catch (Exception e) {
 throw new RuntimeException("Error on wsSecurityHandler: " + e.getMessage());


 return true;

 public void close(MessageContext context) {
 // TODO Auto-generated method stub

 public boolean handleFault(SOAPMessageContext context) {
 // TODO Auto-generated method stub
 return true;

 public Set<QName> getHeaders() {
 // TODO Auto-generated method stub
 return null;

Xml Request: This is the payload request that Java Client request to the server.

<soapenv:Envelope xmlns:soapenv="">
 <wsse:Security xmlns:wsse="">
 <wsse:Password Type="">myPassword</wsse:Password>

Capturing Soap Message through Http Traffic (Web Services)


In this post i will to learn how to capture the Soap traffic communication of a Web Service.

I will cover two tools for this:

Suppose that i have my webservice running in this endpoint:

Solution 1) Using WireShark:

WireShark is a tool for capture packets from network where the computer is on. We will use this tool for capture our http packet with soap message.
For download this tool access here:

If you are in a Debian Linux just make it: sudo apt-get install wireshark

Obs.: In linux you should execute the wireshark as “sudo wireshark” for access the network.

Step 1) Install Wireshark
Step 2) Open wireshark and go to: Edit -> Preferences -> Protocols -> HTTP and put your port at TCP Ports. In our example is 9876. Click at OK
Step 3) Go to Capture -> Interfaces -> Click at Options in your correct network adapter -> And fill as below:

Just type the filter “xml” at filter box and click at Apply:

Right now, you shouls invoke the Web Service through your favorite Client. (SoapUI for example, or from your software, java, python, ruby and etc …)

Finally, you will see the two packet http (Request and Response):

You can see many informations such as packet size, your soap envelope and many many others.

Observation: Using WireShark you need to use the ip, not use localhost or because wireshark read the traffic when the message to come from other machine. So your client should be in other physical machine or other Virtual Machine works too

Solution 2: Using Apache TCPMON tool

The apache tcpmon is a tool that works like a proxy, your endpoint in your client should point to tcpmon and tcpmon point to your real webservice.

This tool is available here:

This is a tutorial for how to use it:

Observation: This tool works with localhost and

That is it. There is a lots of tool for capture packets and traffic Soa. These two is the most used for this proposit.

Victor Jabur.