I spend a large part of my time developing web services, so I spend a lot of my time testing web services. One of the major tools I have in my toolbelt for automating web service tests is SoapUI. SoapUI does a lot of things, and even does a lot of things which I don't need, but it does the things I need very well.
Today, I was trying to set up some testing for the security on my current project. As I was setting up the test request and pointing SoapUI at the appropriate endpoints with invalid HTTP basic authorization credentials, I realized that there was no straightforward way to assert that the HTTP response code was 401 (unauthorized) or 403 (forbidden). I did some digging, and found that you can create a Script Assertion (using Groovy) in the SOAP Test Step and use the pre-defined variable, messageExchange, to examine contents and statistics for the test step.
Asserting that a SOAP request with no credentials was responded to with a 401:
assert messageExchange.getResponseStatusCode() == 401
Asserting that a SOAP request with invalid credentials was responded to with a 403:
assert messageExchange.getResponseStatusCode() == 403
The Script Assertion also has access to two other pre-defined variables: context and log. context contains methods which allow you to examine the request and response programmatically, and log, well, I haven't had to use it yet. These are posts for another day.
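An added example (not from the original post) that extends the status-code assertions above: besides the status, it checks that a 401 carries a Basic challenge in the WWW-Authenticate header and that the rejected response does not contain the operation's payload. The helper name checkRejected, the marker GetAccountResponse and the fallback sample values are assumptions made for illustration; getResponseHeaders() and getResponseContent() are further accessors on messageExchange.

```groovy
// Added example for a SoapUI Script Assertion; not code from the original post.
// Returns a list of problems found in a rejected response (empty list = pass).
List<String> checkRejected(int status, Map headers, String body,
                           int expected, String leakMarker) {
    def problems = []
    if (status != expected) {
        problems << ("expected HTTP " + expected + ", got " + status)
    }
    // Header names are matched case-insensitively; a value may be a String or a List.
    def challenges = headers
        .findAll { k, v -> k?.toString()?.equalsIgnoreCase('WWW-Authenticate') }
        .values().flatten()
    // A 401 is expected to tell the client which scheme to authenticate with.
    if (expected == 401 &&
            !challenges.any { it.toString().toLowerCase().startsWith('basic') }) {
        problems << 'a 401 should carry a WWW-Authenticate: Basic challenge'
    }
    // The rejected response must not contain the protected operation's payload.
    if (body?.contains(leakMarker)) {
        problems << ("rejected response still contains '" + leakMarker + "'")
    }
    return problems
}

// Inside SoapUI, messageExchange is a pre-defined variable. Outside SoapUI the
// script falls back to constructed sample values so it can be run on its own.
def inSoapUI = binding.hasVariable('messageExchange')
int status   = inSoapUI ? messageExchange.getResponseStatusCode() : 401
Map headers  = inSoapUI ? messageExchange.getResponseHeaders()
                        : ['WWW-Authenticate': ['Basic realm="constructed"']]
String body  = inSoapUI ? messageExchange.getResponseContent() : ''

// 'GetAccountResponse' is a hypothetical element name; use the response element
// of the operation under test. For the invalid-credentials step, pass 403.
def problems = checkRejected(status, headers, body, 401, 'GetAccountResponse')
assert problems.isEmpty() : problems.join('; ')
```

When the assertion fails, the message after the colon lists every failed check, which shows up in the SoapUI assertion result for the test step.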