How to use soapUI for Boundary Scan security tests?
Mystic last edited by Eugene
I've tried to use soapUI to set up a Boundary Scan security test, using the sample wsdl provided in the soapUI tutorial. I changed it so that it has a restriction on the username field for the loginRequest action (cf. below). Yet whenever I try to run the security test, the boundary scan gets "SKIPPED". No error messages get displayed. Does anyone know how to set up a (working) Boundary Scan with SoapUI's free edition?
Changes to WSDL
I replaced the following line
<!-- CHANGED/ADDED --> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.example.org/sample/" xmlns:tns="http://www.example.org/sample/" > <xsd:simpleType name="usernameType"> <xsd:restriction base="xsd:string"> <xsd:length value="9"/> </xsd:restriction> </xsd:simpleType> <!-- END ADDED -->
<wsdl:message name="loginRequest"> <wsdl:part name="username" type="xsd:string"/>
<wsdl:message name="loginRequest"> <wsdl:part name="username" type="tns:usernameType"/> <!-- CHANGED -->
I've provided more detail of what exactly I did on soapUI's bug tracker board and I'm using soapUI v4.6.4. I'm not sure it's a bug or a simple mistake on my part, so any help would be much appreciated!
UPDATE: When selecting the parameter in the Boundary Scan window, soapUI does complain "parameter is missing type in schema" - which I can't quite understand, because the type is there; cf. XML snippet above.
UPDATE: PARTIALY RESOLVED I just tried the same exercise with our own WSDL, and got a different "error" message: "No restrictions in schema are specified for this parameter!" Turns out soapUI has the xsd namespace hard-coded in; changing it in our own WSDL to xsd (so it reads xsd:restriction) fixes the issue for our own WSDL. No idea what the initial error (with the sample WSDL) is about, though. Hints are still appreciated. But at least it's now working for us...
This bug has been raised with SmartBear and details can be found here;
At time of writing, there is a workaround, but not a "fix" in place.