QA How-To
Testing SOAP web services (2026)
Learn testing SOAP web services through WSDL, XML, namespaces, headers, faults, WS-Security, interoperability, performance, and runnable Java tests in CI.
23 min read | 3,333 words
TL;DR
Testing SOAP web services requires contract, transport, XML, business, fault, security, and interoperability coverage. Validate WSDL and XSD artifacts, send version-correct envelopes, parse namespaces safely, assert typed SOAP Faults, and automate critical flows with both raw HTTP and generated-client tests.
Key Takeaways
- Treat the WSDL and imported XSD files as an executable contract, not background documentation.
- Validate HTTP binding, SOAP version, namespaces, envelope structure, and payload values separately.
- Assert SOAP Fault semantics because HTTP status alone cannot describe a SOAP failure correctly.
- Use namespace-aware XML parsing and hardened parser settings in automated tests.
- Test WS-Security timestamps, signatures, tokens, replay defense, and intermediaries with controlled credentials.
- Keep a small raw-HTTP layer even when generated clients provide most functional coverage.
A sound approach to testing SOAP web services validates a formal XML messaging contract across several layers: HTTP transport, SOAP envelope, namespaces, WSDL and XSD definitions, business data, faults, security headers, and deployed intermediaries. The most reliable approach tests each layer explicitly instead of treating a generated client call as one indivisible pass or fail result.
SOAP remains important in banking, insurance, government, telecom, travel, healthcare, and enterprise integration. Many services are stable for years, but stability does not remove risk. A harmless-looking namespace change can break deserialization, an intermediary can reject a signed message, or an HTTP 500 can contain the exact business fault a consumer expects. QA needs to read the wire message as confidently as the client library does.
This guide focuses on SOAP 1.1 and SOAP 1.2 over HTTP, WSDL 1.1 style contracts, XML Schema, and common WS-Security concerns. It stays tool-neutral where vendor stacks differ and includes a runnable Java test built on the standard HttpClient plus JUnit 5.
TL;DR
| Layer | What to validate | Typical defect |
|---|---|---|
| WSDL and XSD | Imports, operations, types, occurrence and constraints | Client generation fails after an unnoticed contract change |
| HTTP binding | Method, content type, action, status, TLS | SOAP 1.1 headers sent to a SOAP 1.2 endpoint |
| Envelope | Version namespace, Header, Body, element order | Correct values in the wrong namespace |
| Business payload | Required fields, boundaries, rules, precision | Schema-valid request violates a domain invariant |
| Fault | Code, reason, subcode, detail, correlation | Test checks only HTTP 500 and misses fault meaning |
| Security | Token, timestamp, signature, encryption, replay | Valid credential with a stale timestamp is accepted |
| Operations | Latency, size, concurrency, observability | Large XML causes memory pressure or slow parsing |
Use generated clients for broad business scenarios, raw XML for protocol and negative cases, schema validators for contract precision, and deployed-path tests for TLS, gateways, and WS-Security interoperability.
1. Message anatomy when testing SOAP web services
A SOAP message is an XML document with an Envelope root in the namespace for its SOAP version. The optional Header carries extensible metadata such as security, addressing, transactions, or application context. The required Body carries one application message or a SOAP Fault. Namespaces determine element identity, so m:GetOrder is not equivalent to an unqualified GetOrder merely because the local names match.
SOAP 1.1 uses the envelope namespace http://schemas.xmlsoap.org/soap/envelope/. SOAP 1.2 uses http://www.w3.org/2003/05/soap-envelope. A request built for one version should not be silently accepted as the other unless a documented compatibility layer exists. The HTTP binding also differs. SOAP 1.1 commonly uses text/xml and a separate SOAPAction header. SOAP 1.2 uses application/soap+xml, with an optional action media type parameter. Follow the service's binding rather than assuming every endpoint handles both.
An operation's body style may be document or RPC, and its parts may be literal or encoded in older contracts. Document/literal is common, but legacy systems require careful reading. WSDL binding, not intuition, tells you the expected wrapper, namespace, action, and endpoint.
Build assertions in layers. First, did the expected endpoint accept the transport? Second, is the response a valid SOAP envelope of the intended version? Third, is the body a success message or Fault? Fourth, does the application payload satisfy schema and business rules? This layered diagnosis prevents a namespace error from being mislabeled as a calculation defect.
2. Turn WSDL and XSD into a contract test plan
A WSDL describes service interfaces and their bindings. In WSDL 1.1 terms, examine types, message, portType, binding, and service. Follow every imported WSDL and XSD. Relative import paths, inaccessible certificates, duplicate namespace definitions, and environment-specific locations are frequent causes of client generation failure. Test the published document from the same network position as consumers.
For each operation, record input and output messages, SOAP action, endpoint, style, required headers, success payload, and declared faults. For every schema element, inspect type, namespace, order within a sequence, minOccurs, maxOccurs, nillable, length, pattern, enumeration, numeric bounds, and precision. Generate partitions from these constraints, but do not stop at schema validity. A transfer amount can be schema-valid while exceeding the available balance.
Version the full contract closure, not just the top-level WSDL. A checksum or semantic diff should include imported artifacts. Classify changes as additive, restrictive, or breaking. Adding an optional element may be compatible for tolerant consumers, while changing an enumeration or required element can break generated clients. Re-run representative consumers after any contract change.
Schema validation can catch structural drift earlier than end-to-end business assertions. The techniques in OpenAPI schema testing translate conceptually, but SOAP uses XML Schema, namespace qualification, and WSDL bindings rather than JSON Schema and REST paths. Keep known-valid request and response fixtures and known-invalid mutations. These become regression assets and help reviewers understand exactly what changed.
3. Compare SOAP 1.1 and SOAP 1.2 test expectations
Version confusion creates failures that look like server instability. Put version-specific expectations in data rather than scattering string checks through a suite. The following table is a practical reference, but the actual WSDL binding remains authoritative.
| Concern | SOAP 1.1 | SOAP 1.2 |
|---|---|---|
| Envelope namespace | http://schemas.xmlsoap.org/soap/envelope/ |
http://www.w3.org/2003/05/soap-envelope |
| Common HTTP content type | text/xml |
application/soap+xml |
| Action on HTTP | Commonly SOAPAction header |
Commonly action parameter on content type |
| Fault code element | faultcode |
env:Code with optional env:Subcode |
| Human-readable fault | faultstring |
env:Reason with one or more env:Text values |
| Application detail | detail |
env:Detail |
Test the media type with permitted parameters instead of using a brittle full-string equality. Character set handling should match the binding and actual XML declaration. Send a deliberate version mismatch and assert a standards-compatible or documented fault rather than a generic HTML error from infrastructure. An HTML error page where XML is promised should fail the contract test even if its status is 500.
Action handling also deserves negative coverage. Send a missing action, wrong action, quoted and unquoted forms where relevant, and an action that names another operation. The service should not route a body to an operation solely because an untrusted action header says so. Conversely, a correct body with the wrong required action should produce a clear client fault, not invoke an unintended method.
If one URL supports both versions, run the complete matrix for both. If versions have separate endpoints, prove that cross-version requests are rejected. This prevents a gateway upgrade from silently routing SOAP 1.1 traffic into a SOAP 1.2-only backend.
4. Create a raw HTTP baseline before using a generated client
Generated clients increase productivity but can conceal the exact envelope, headers, default values, and fault body. Establish one known request at the HTTP level. The following SOAP 1.1 example is runnable with curl against an authorized calculator-style test service. Replace the URL and operation namespace with values from your own WSDL. Save the XML in add-request.xml so shell quoting does not alter it.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:cal="http://example.test/calculator">
<soapenv:Header/>
<soapenv:Body>
<cal:AddRequest>
<cal:left>7</cal:left>
<cal:right>5</cal:right>
</cal:AddRequest>
</soapenv:Body>
</soapenv:Envelope>
curl --fail-with-body --silent --show-error \
--request POST \
--header 'Content-Type: text/xml; charset=utf-8' \
--header 'SOAPAction: "http://example.test/calculator/Add"' \
--data-binary @add-request.xml \
https://service.example.test/calculator
Use --data-binary, not a form-oriented option that may transform newlines or content. During investigation, add response headers to the captured output and use verbose TLS details only in a secure local log. Do not print credentials, security tokens, signatures, or private payloads in shared CI artifacts.
Create the baseline from the published contract, not by copying an opaque client capture and assuming it is correct. Confirm namespaces, element order, data types, content type, action, and endpoint. Once the baseline works, create one-variable mutations: omit a required element, change a namespace, duplicate a singleton, use an invalid enumeration, send malformed XML, and change the action. Single mutations make fault diagnosis much clearer.
5. Automate a SOAP response test with Java HttpClient and JUnit
Java's standard HttpClient gives a transparent transport layer without generated proxies. JUnit 5 provides the test runner and assertions. The example below requires Java 17 or later because it uses a text block. It posts a SOAP 1.1 request, verifies the HTTP and media-type layer, parses XML with namespace awareness, disables dangerous external entity features, rejects a Fault, and asserts the operation result.
import static org.junit.jupiter.api.Assertions.*;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.junit.jupiter.api.Test;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;
class CalculatorSoapTest {
@Test
void addsTwoNumbers() throws Exception {
String endpoint = System.getProperty(
"soap.endpoint", "https://service.example.test/calculator");
String envelope = """
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:cal="http://example.test/calculator">
<soapenv:Header/>
<soapenv:Body>
<cal:AddRequest><cal:left>7</cal:left><cal:right>5</cal:right></cal:AddRequest>
</soapenv:Body>
</soapenv:Envelope>
""";
HttpRequest request = HttpRequest.newBuilder(URI.create(endpoint))
.header("Content-Type", "text/xml; charset=utf-8")
.header("SOAPAction", "\"http://example.test/calculator/Add\"")
.POST(HttpRequest.BodyPublishers.ofString(envelope, StandardCharsets.UTF_8))
.build();
HttpResponse<String> response = HttpClient.newHttpClient().send(
request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
assertEquals(200, response.statusCode());
assertTrue(response.headers().firstValue("Content-Type")
.orElse("").toLowerCase().startsWith("text/xml"));
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Document document = factory.newDocumentBuilder().parse(
new InputSource(new StringReader(response.body())));
var xpath = XPathFactory.newInstance().newXPath();
Double faultCount = (Double) xpath.evaluate(
"count(/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='Fault'])",
document, XPathConstants.NUMBER);
assertEquals(0.0, faultCount);
String result = xpath.evaluate(
"string(//*[local-name()='AddResult'])", document).trim();
assertEquals("12", result);
}
}
For production test code, prefer explicit namespace mappings over broad local-name() expressions so the test fails when the application namespace drifts. The broad expression keeps this example compact. Add XSD validation using the exact versioned schemas and preserve a redacted response when parsing fails.
Do not disable TLS certificate validation to make automation pass. Install the correct internal CA in the test runtime or use an environment with a trusted certificate. Transport security is part of the deployed contract, especially when WS-Security protects the message but not every HTTP metadata field.
6. Design positive, boundary, negative, and SOAP Fault tests
Positive coverage should include every operation and the main business variants, not every permutation. Verify response types, identifiers, money precision, timestamps, optional and repeating elements, and side effects. For asynchronous or idempotent operations, check correlation IDs and duplicate-submission policy. A successful XML response is incomplete evidence if the database or downstream system changed incorrectly.
Derive structural boundaries from XSD: minimum and maximum lengths, inclusive and exclusive numeric limits, decimal scale, enumerations, patterns, dates, required elements, optional elements, repeated collections, xsi:nil, and element order. Distinguish omitted from explicitly nil because generated code and business logic may treat them differently. Include Unicode and XML-reserved characters as data. Let the XML serializer escape them rather than manually concatenating strings.
Negative requests should remain well-formed XML when testing schema or business validation. Use malformed XML only for parser behavior. This distinction tells you whether the service returned the correct fault layer. Test missing required headers, wrong namespace, unexpected element, duplicate element, wrong type, invalid business reference, unauthorized operation, oversized permitted message, and unsupported action.
Assert Fault structure, not only HTTP status. For SOAP 1.1, inspect faultcode, faultstring, optional faultactor, and detail. For SOAP 1.2, inspect Code, optional nested Subcode, localized Reason/Text, optional Role and Node, and Detail. Verify fault codes classify sender versus receiver responsibility correctly, detail is machine-readable where promised, and internal stack traces or secrets are absent. A useful error contract enables consumers to decide whether to correct, retry, or escalate.
Extend this method with API error handling and negative testing. SOAP Fault is the protocol container, while domain detail still needs stable error identifiers, safe messages, and correlation.
7. Test WS-Security and message-level protection
WS-Security can carry username tokens, binary security tokens, signatures, encryption references, and timestamps in the SOAP Header. Exact profiles vary, so use the service policy and interoperable security specification as the contract. A request that merely contains a Security element is not necessarily protected. Verify what is signed, what is encrypted, which key and algorithm policy applies, and which recipient can process it.
Build positive tests with a controlled test identity and synchronized clocks. Then mutate one property at a time: wrong password, unknown certificate, expired certificate, stale timestamp, timestamp too far in the future, modified signed body, missing signature reference, altered ID attribute, untrusted issuer, wrong audience, and replayed message. The service should fail closed with a safe, classifiable Fault and must not perform the business action.
Signature wrapping and XML structure attacks require specialist review and authorized security testing. QA can still add strong regression tests by taking a valid signed fixture, moving or duplicating referenced elements in a controlled lab, and proving the verifier binds the signature to the element the application actually processes. Never improvise these probes against a shared or production service.
Test intermediaries. A gateway may terminate TLS, validate a token, add WS-Addressing headers, or forward the original signed envelope. If any intermediary rewrites whitespace, namespaces, IDs, or signed elements, signature verification may fail. Exercise the complete deployed path and direct service path where permitted. Redact tokens, certificates where sensitive, canonicalized signed material, and personal data from logs.
Security headers do not replace transport protections. Verify TLS hostname and trust, client certificates if used, authorization of the operation and object, replay defense, and safe error behavior. Use OWASP API security testing practices for access control and abuse cases beyond the SOAP envelope.
8. Client interoperability when testing SOAP web services
A service is not proven compatible because one vendor's client succeeds. Generate or configure at least the representative client stacks used by real consumers. Differences appear around optional elements, empty collections, xsi:nil, date and time zones, decimal precision, polymorphic types, MTOM attachments, action quoting, and fault deserialization. Prioritize actual supported consumers rather than building an arbitrary compatibility zoo.
Keep a raw XML test beside generated-client tests. The raw test proves the wire contract directly. Generated clients prove that toolchains interpret that contract as intended. When a generated client fails, capture a redacted request and response and compare namespaces, element order, media type, action, and encoding. Avoid editing generated source files because regeneration erases the fix. Configure bindings or add an adapter in maintained code.
For backward compatibility, run older supported clients against the new service and a new client against the prior service when release topology permits. Additive optional elements may still break consumers that reject unknown XML. An XSD-compatible change is not automatically ecosystem-compatible. Contract tests owned jointly by provider and consumers make this risk visible.
Attachments need specialized cases. For MTOM or SwA, validate MIME boundaries, content IDs, declared types, binary integrity, size limits, antivirus or content rules, and faults for missing parts. Do not base64-compare transformed content without understanding canonical representation. Hash the original and received bytes when exact preservation is required.
Finally, test localization and encodings the product supports. XML parsers understand Unicode, but databases, generated bindings, and legacy mainframe adapters may not. Include non-ASCII names, combining characters, and XML escaping in ordinary payloads without turning the suite into random fuzzing.
9. Cover reliability, performance, and operational limits
SOAP payloads can be larger and more CPU-intensive than equivalent compact formats because XML parsing, schema validation, signature verification, and canonicalization cost resources. Performance tests should report payload shapes, message sizes, operation mix, security mode, concurrency, connection reuse, and environment. Avoid a universal latency claim. A signed attachment operation and a small read operation are different workloads.
Measure end-to-end latency plus server processing, downstream time, XML parse or validation failures, fault rate by code, throughput, CPU, memory, garbage collection, connection pool behavior, and queue depth. Test small, typical, and maximum allowed messages. Verify size limits fail early with a documented response rather than consuming excessive memory. Include deeply nested but authorized test XML within safe lab limits to assess parser protections.
Reliability cases include dependency timeout, connection reset, partial response, duplicate request, delayed response, and server restart. Decide which operations are safe to retry. A payment or order creation needs an idempotency or business reference strategy before a client repeats it. Test that a lost response followed by retry does not create duplicate side effects. Read-only operations may have simpler retry rules, but still need bounded attempts and backoff.
Observe every request with a safe correlation identifier across gateway, service, and dependency logs. Capture Fault code and operation, not full sensitive envelopes. Track schema-validation errors separately from business faults and infrastructure failures. A dashboard that combines them all as HTTP 500 prevents meaningful diagnosis.
10. Organize SOAP automation and CI gates
Place WSDL and XSD linting, import resolution, semantic diffing, and generated-client compilation early in CI. These checks are fast and catch contract breakage before deployment. Run schema fixtures and component-level handler tests next. Then execute raw HTTP protocol tests and generated-client business tests against an ephemeral or integration environment.
Use data builders that serialize XML through a trusted library. Keep golden XML only where exact wire shape is the subject of the test. Broad snapshot comparison is fragile because namespace prefixes, insignificant formatting, and element ordering rules differ. Compare XML semantically with namespaces and apply exact assertions to values that matter.
Separate safe functional negatives from intrusive security tests. Malformed XML, entity expansion, signature wrapping, huge payloads, and concurrency stress can affect availability. Run them only in an authorized, isolated environment with limits and monitoring. Mark their pipeline and ownership clearly.
For release evidence, report operations covered, contract versions, client stacks, security profiles, message-size partitions, fault families, and environments. Link failures to redacted request and response artifacts. If the team also uses consumer-driven contracts, review API contract testing with Pact for the broader contract-testing mindset, while recognizing that SOAP's WSDL and XML tooling usually needs a SOAP-aware implementation.
Interview Questions and Answers
Q: What do you validate first in a SOAP service?
I start with the WSDL, imported schemas, binding, endpoint, SOAP version, action, and required headers. Then I validate one known request at the raw HTTP level before expanding business and negative scenarios.
Q: Why is namespace-aware parsing important?
XML element identity includes its namespace URI, not just its prefix or local name. A test that ignores namespaces can accept an element from the wrong contract. Prefixes may change without changing meaning, so assertions should bind to namespace URIs.
Q: How are SOAP 1.1 and 1.2 faults different?
SOAP 1.1 uses elements such as faultcode, faultstring, and detail. SOAP 1.2 uses a structured Code, optional Subcode, one or more localized Reason texts, and Detail. Tests should parse the structure for the actual envelope version.
Q: Why keep raw XML tests if generated clients work?
Generated clients can hide headers, namespaces, defaults, and serialization behavior. Raw tests give direct control over version mismatch, malformed structure, missing headers, and exact faults. Generated clients remain valuable for representative consumer compatibility.
Q: How do you test WS-Security replay protection?
I send one valid secured request, then resend the same signed message and identifier within a controlled environment. The service should reject the replay according to policy and must not repeat the business side effect. I also cover stale and future timestamps.
Q: Should every SOAP Fault return HTTP 500?
No universal assertion should be hardcoded without the binding and service contract. SOAP versions and bindings define fault handling, and products may distinguish transport from application outcomes. The test must assert both the expected HTTP response and the structured Fault.
Q: What makes a SOAP performance test credible?
It states the operation mix, payload sizes, security processing, connection behavior, concurrency, duration, and environment. It measures application and infrastructure signals, not only average response time, and it includes maximum permitted documents and dependency failures.
Common Mistakes
- Checking only HTTP status and ignoring the SOAP Body or Fault.
- Comparing namespace prefixes instead of namespace URIs. Prefix text can change without changing XML meaning.
- Sending SOAP 1.1 headers to a SOAP 1.2 binding or the reverse.
- Treating schema validity as proof of correct business behavior. Domain invariants need separate assertions.
- Editing generated client source. Regeneration removes the change and hides the actual binding problem.
- Building negative XML by accidental string corruption. Mutate one intentional property and keep other layers valid.
- Accepting HTML gateway errors where a SOAP response is promised. Validate media type and envelope before payload.
- Disabling TLS verification in CI. Configure trust correctly and test the deployed certificate path.
- Parsing untrusted XML with external entities enabled. Harden test parsers as well as production parsers.
- Logging full WS-Security headers or customer envelopes. Redact credentials and sensitive payloads.
Conclusion
Testing SOAP web services is most effective when the suite respects every contract layer. Start with WSDL and schemas, prove one version-correct raw request, validate the envelope and namespace-aware payload, and assert typed Faults. Add generated clients, WS-Security, backward compatibility, attachments, operational limits, and deployed intermediaries according to real risk.
Build the Java baseline against a safe test endpoint, then turn each WSDL constraint and business rule into a focused partition. A layered suite produces clearer failures, protects long-lived enterprise consumers, and makes even a complex SOAP integration maintainable.
Interview Questions and Answers
Explain your test strategy for a new SOAP service.
I inventory WSDL imports, schemas, operations, bindings, versions, and security policies. I establish one raw HTTP baseline, then add schema partitions, business rules, typed faults, representative generated clients, and deployed-path security. Reliability and capacity tests follow the operation risk.
Why can a SOAP response be valid XML but still be invalid?
Well-formed XML only proves syntax. The document can use the wrong SOAP namespace, violate the XSD, contain a Fault, break an application invariant, or represent an unauthorized result. I validate those layers separately.
How do you test a WSDL change for backward compatibility?
I diff the full WSDL and XSD import closure, classify semantic changes, regenerate supported clients, and run older clients against the new service. I pay special attention to required elements, restrictions, enumeration changes, wrapper shape, and faults.
What negative SOAP tests provide the most value?
I cover wrong version, media type and action, missing required elements, namespace drift, occurrence and boundary violations, authorization failures, malformed XML, and application-invalid values. Each mutation changes one layer so the expected Fault is clear.
How do you parse SOAP safely in test automation?
I enable namespace awareness and disable DTD declarations, external general entities, external parameter entities, and external resource access. I assert the expected envelope namespace before selecting business elements. Test tooling should not introduce XML security risk.
How do you test SOAP actions?
I send the documented action with the matching body, then cover missing, incorrect, and cross-operation actions. I verify the service neither invokes the wrong operation nor returns an unstructured infrastructure error. Expectations differ between SOAP 1.1 and SOAP 1.2 bindings.
How would you diagnose a generated client interoperability failure?
I capture redacted wire messages and compare envelope namespace, action, content type, element qualification and order, nil handling, dates, and fault shape with the WSDL. I reproduce the call with raw XML, then fix bindings or an adapter rather than generated source.
Frequently Asked Questions
How do you test a SOAP web service?
Read the WSDL and imported XSD files, build a version-correct envelope, send it with the documented HTTP binding, and validate status, media type, envelope, payload, and Fault. Add business boundaries, security, interoperability, performance, and reliability tests.
What is WSDL testing?
WSDL testing verifies that the published contract and every import resolve, accurately describe operations and bindings, and remain compatible with consumers. It also derives schema and fault test cases from message definitions.
What is the difference between SOAP 1.1 and SOAP 1.2 testing?
They use different envelope namespaces, common HTTP media types, action conventions, and Fault structures. Tests should take expectations from the declared binding and deliberately reject or classify version mismatches.
Can REST Assured test SOAP services?
An HTTP testing library can send XML bodies and inspect responses, so it can cover many SOAP-over-HTTP cases. You still need namespace-aware XML, WSDL or XSD validation, version-correct headers, and structured Fault assertions.
How do you validate a SOAP Fault?
Parse the Fault according to the envelope version and assert its code, reason, optional subcode or actor information, application detail, and safe correlation data. Also verify the documented HTTP response and absence of secrets or stack traces.
How do you test WS-Security?
Test a valid security profile, then vary tokens, timestamps, trust, signature coverage, encrypted content, audience, and replay. Run intrusive XML and signature mutation cases only in an authorized environment.
Should SOAP XML be compared as raw strings?
Usually no. Namespace prefixes and formatting can differ while XML meaning stays the same. Use namespace-aware semantic comparison and reserve exact string checks for a specific wire-format requirement.