Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.
Notice: I'm taking a break from blogging to focus on Atari Gamer . com, check it out!

NOTE: This article is 3 years or older so its information may no longer be relevant. Read on at your own discretion! Comments for this article have automatically been locked, refer to the FAQ for more details.
We've been moving our web services over from Oracle Application Server 10g to WebLogic 12c. This meant that the authorisation settings for these services have changed. We were no longer using the same users/passwords to authenticate to a web service with each request. While testing this out I've noticed that SoapUI had some really odd behaviour and was not respecting some of the authorisation settings that I used.

The problem I observed came about when I set SoapUI to use 'No Authorization' after having set up Basic authorisation.

For some strange reason my web service responded even though it is made to fail any unauthorised requests.

I tried a few things including restarting my WebLogic server, restarting SoapUI, changing the request URL, none of this seemed to matter. I even tried the Delete Current option under the Authorization drop down box, that didn't work either. My web service kept on responding when it should not have been.

What I noticed is even when I set No Authorization and deleted the current Authorization settings, the Request Properties box on the left kept the user name and password! Removing these manually in the properties editor made my web service fail as expected.


However, when these were removed manually and I selected to have Basic authentication again, the user name and password were gone (I guess as expected).

This is some odd behaviour I think and it persists between versions 5.0.0 and 5.1.2. I've tested this on OS X Yosemite only.

So to summarise, these are the steps to reproduce the problem:
1. Add Basic authorisation to your request
2. Run the request
3. Select No Authorization
4. Run the request

This assumes that your web service is set up to server only after the user has been successfully authenticated.


Skip down to comments...
A quick disclaimer...

Although I put in a great effort into researching all the topics I cover, mistakes can happen. If you spot something out of place, please do let me know.

All content and opinions expressed on this Blog are my own and do not represent the opinions of my employer (Oracle). Use of any information contained in this blog post/article is subject to this disclaimer.
comments powered by Disqus
Other posts you may like...