We've been moving our web services over from Oracle Application Server 10g to WebLogic 12c. This meant that the authorisation settings for these services have changed. We were no longer using the same users/passwords to authenticate to a web service with each request. While testing this out I've noticed that SoapUI had some really odd behaviour and was not respecting some of the authorisation settings that I used.

The problem I observed came about when I set SoapUI to use 'No Authorization' after having set up Basic authorisation.


For some strange reason my web service responded even though it is made to fail any unauthorised requests.




I tried a few things including restarting my WebLogic server, restarting SoapUI, changing the request URL, none of this seemed to matter. I even tried the Delete Current option under the Authorization drop down box, that didn't work either. My web service kept on responding when it should not have been.

What I noticed is even when I set No Authorization and deleted the current Authorization settings, the Request Properties box on the left kept the user name and password! Removing these manually in the properties editor made my web service fail as expected.



However, when these were removed manually and I selected to have Basic authentication again, the user name and password were gone (I guess as expected).

This is some odd behaviour I think and it persists between versions 5.0.0 and 5.1.2. I've tested this on OS X Yosemite only.

So to summarise, these are the steps to reproduce the problem:
1. Add Basic authorisation to your request
2. Run the request
3. Select No Authorization
4. Run the request

This assumes that your web service is set up to server only after the user has been successfully authenticated.

-i