BYAMIT KANITKAR

&PRAVEEN GORTHY

IN THE NEXT FEW MINUTES……

What is Model Based Testing?

SOA Overview

Applying MBT to test Web ServicesTools

What is Model-Based Testing (MBT)?“Model-Based Testing is the automatic

generation of efficient test procedures/vectors using models of system requirements and specified functionality.”

- Software Acquisition Gold Practice

Generic Process of Model-Based Testing

Determining the requirements of the systemBuilding the modelCreating the Abstract Test SuiteRunning the test scriptsAnalyzing the resultsDetermining further actions

Why MBT?Shorter development cycleCost-efficientGeneration of quality productsFlaws and ambiguities in the specification

are relatively easy to identifyOne of the most important perceived benefit

is of automated test generation

What are Web Services?

“Web services as self-describing, modular applications that can be published, located and invoked across the web.”

- IBM

Web Service Architecture or Service Oriented Architecture (SOA)

Issues with WS TestingLack of code availabilityDynamic nature of web servicesPlatform independence of web servicesCost considerations

Applying MBT to test WSWhy?

Source code is hiddenOnly Black box techniques can be appliedAnswer to the first three issues on the previous

slide

How?

Generic WS Testing Framework

Web Service Testing Framework (Tarhini and group, IICS 2005)

Four Steps of the ModelSearch the UDDI registry for candidate web

servicesMatch?

Connect to the web service’s siteTest it as a stand-alone componentTest it as a part of the web component based

system under consideration

Testing Conversations Between a Client and a WSApproaches with increasing level of detail

Testing a Single Input InterfaceTesting a Single PortTesting a Single Port Comprising Data

- Lars Frantzen and group (WS-MaTe 2006)

STS ModelSymbolic Transition Model – a variant of

state machine model.Has states and labeled transitions which

model actions, i.e. Inputs and Outputs, of the system.

States and transitions can be parameterized with variables, with predicates serving as guards for the transition so that state explosion can be avoided.

Use STS to model and test the conversation between a client and a WS.

Testing a specific port

STS Diagram

Testing a specific port comprising data

STS Diagram

Jambition tool for testing WSIt takes a WSDL and an SSM specification of

a Web Service as an input. Based on these it fully and automatically

generates invocations to the Web ServiceReceives the returned messagesChecks if this data is conforming to the SSM

specification.

- Lars Frantzen (2007)

Service State Machines (SSM)Dedicated variant of state machines which is

especially useful for Model-Based TestingConstrains the data as it is passed via the

operationsGives a legal ordering of the invocations of

operations.

Tool Architecture

MBT of specific aspects of Web Services

Performance Testing

Performance testing is a technique where

synthetic workloads are submitted to a

system under study within a controlled

environment. The behavior of the system

under this work load is compared with the

expected workload

Model Based Performance TestingWhat do we model? Model the expected work load of the system/service The workload of a Web-based system has to be

characterized in terms of sessions; a session being a sequence of requests submitted by a single user.

The requests exhibit following dependencies 1.Inter request dependencies 2.Data Dependencies. Data dependencies govern the choice of values of

parameters in the request. Requests depend on the responses of earlier requests in a

session. This is Inter request dependencies.

Synthetic workloads are generated from the workload model and application model.

A workload model specifies statistical characterizations for a set of workload attributes that are expected to affect performance the most.

The application model can be used to obtain a large set of valid request sequences representing how users typically interact with the application.

The sequence generator uses the model to produce a large trace containing valid sequences of request types. Each valid sequence of request types as a sessionlet.

Trace generation produce s a trace of sessions that can be submitted to a system under study.

The sessions produced by the trace generator and the specified session inter-arrival time distribution constitute the synthetic workload.

  

- [Ref] A Model-Based Approach for Testing the Performance of Web Applications. Mahnaz Shams, Diwakar Krishnamurthy, Behrouz Far

Security Testing:

Testing the web service for Integrity. Illegal access. Authorization. Availability. Non-Repudiation.

A Model For Testing Access Control of Web ServicesModel identifies the following terms:PA Security policy for access control.

PI Policy for interaction control.

The policy for access control is used for making decision about usage of all web services offered by the partner.

The policy for interaction control is used to decide which credentials must be additionally provided or must be revoked by the user if those available are not adequate to obtain the service.

H History of past requests and services used by the user.CP Set of presented credentials .

CR Set of revocable credential.R Service Request.

To specify how the access control decision is made we define following terms: 

Deduction: Determines whether f is a logical consequence of F, F →f.

Consistency: determines whether F is consistent, F→ ┴Abduction: Given an additional set of atoms A called the

abductible atoms, and a partial order relation ϕ between subsets of A determine a set of atoms E is subset of A such that

(i) f is a logical consequence of F and E, namely F U E→ f. (ii) adding E to F does not generate an inconsistency,

namely F U E →┴, and finally (iii) E is a minimal subset of A having this property

 

Model for Decision Making 

1. Remove the revoked credentials from the set of active credentials.2. Verify the consistency of the request with the active set of credentials and the history of execution, namely PA U H U CA U {r} →┴3. If this check succeeds goes to the next step, otherwise (a) Derive a subset of excessive credentials that must be revoked by the

user CE is subset of CA such that the set CE is minimal. (b) If no such set exists then ┴ is sent back to the user (c) If it exists, this set is sent back to the user and the process is re-

iterated.4. Verify that the request is a logical consequence of the credentials, namely PA U H U CA → r.5. If this check succeeds then access is granted.6. If the step fails (a) Use abduction to find a minimal set of missing credentials CM such that both PA U H U CA U CM → r and PA U H U CA U CM ┴. (b) If this set exists then CM is sent back to the client and the process re-iterates. (c) If it does not exists then. if no such set does exist then ┴ is sent back to

the user. When the request is granted the appropriate grounding of suitable history

predicatesare added to H.

-[Ref] A Logical Model for Security of Web Services Hristo Koshutanski and Fabio Massacci

Service Composition Testing Identify parts of the composition process flow

that have been implemented incorrectly.

Workflow scenarios of the composition are constructed using message sequence charts.

Model checking tool to interactively verify the workflow behavior.

These models can then be used to check BPEL4WS implementations.

Terms that are going to be used.

LTSA - Labeled Transition System Analyzer . Tool which provides a means to construct and analyze

complex models of finite state process specifications.MSC- Message sequence chart extensions to easily model

workflow scenarios.Finite State Processes (FSP)is a textual notation for

concisely describing concurrent programs. BPEL4WS : Business Process Execution Language for web

services

Model Based Verification Architecture

- [Ref] Model-based Verification of Web Service Compositions Howard Foster, Sebastian Uchitel, Jeff Magee, Jeff Kramer

- [Ref] LTSA-WS: A Tool for Model-Based Verification of Web Service Compositions and Choreography Howard Foster, Sebastian Uchitel, Jeff Magee, Jeff Kramer

Other Aspects to be tested:

Speed

Interoperability

Functionality

Reliability

Safety

Questions