WS-Security Core

Source: Internet
Author: User

After introducing XML Signature and XML Encryption, we learned how XML can be used to ensure message integrity and confidentiality. How to apply these to a Web service in order to secure it is described in the WS-Security specification. We know that Web services use SOAP as the message encapsulation protocol, so the WS-Security specification mainly describes how to combine XML security (XML Signature and XML Encryption) with existing security technologies (Kerberos, X.509, SAML) and bind them to SOAP.


Note

A good way to think about WS-Security is that it is a specification that takes XML security (XML Encryption and XML Signature); links that with pre-existing security technologies that it calls tokens, such as X.509, Kerberos, and SAML; and binds it all to SOAP so that it can become part of a secure Web service interaction.


Note

SOAP describes the packaging format of Web service messages, not the transport protocol. The transport protocol of a Web service can be HTTP, TCP, or even SMTP.


<S:Envelope>
  <S:Header>
    <wsse:Security>
      <!-- Security token -->
      <wsse:UsernameToken>
        ...
      </wsse:UsernameToken>

      <!-- XML Signature -->
      <ds:Signature>
        ...
        <ds:Reference URI="#body">
          ...
        </ds:Reference>
        ...
      </ds:Signature>

      <!-- XML Encryption reference list -->
      <xenc:ReferenceList>
        <xenc:DataReference URI="#body"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <!-- XML-encrypted body -->
    <xenc:EncryptedData Id="body" Type="content">
      ...
    </xenc:EncryptedData>
  </S:Body>
</S:Envelope>

The preceding is a typical example of using WS-Security to protect a SOAP message. We can see that WS-Security mainly extends the SOAP header: a wsse:Security element is added, in which a security token, an XML Signature, and an XML Encryption reference list are defined for authentication, integrity, and confidentiality respectively. The business content to be encrypted in the SOAP message (usually the entire SOAP body) is replaced by the element produced by XML Encryption (xenc:EncryptedData).
 
The following figure roughly describes the elements contained in WS-Security and their relationships.

(Note that this figure shows only one arrangement; for example, ds:Signature can also sign elements in the SOAP header.)

From the earlier introduction to XML Signature and XML Encryption, we already know the specific process of signing and encrypting, and the meaning of each element generated along the way. The following describes how XML Signature and XML Encryption are used in WS-Security, based on a concrete SOAP envelope that follows the WS-Security specification.

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2001/12/soap-envelope"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/secext">
  <SOAP-ENV:Header>
    <wsse:Security
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
      <wsse:UsernameToken wsu:Id="usertoken">
        <wsse:Username>container service</wsse:Username>
        <wsse11:Salt>sdfer..</wsse11:Salt>
        <wsse11:Iteration>1000</wsse11:Iteration>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod
              Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#discountedbookingforpartnersresponse">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>jwfsd3eqc0ixljm5pklh7...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>bsxljbsifdm5plhk...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#usertoken"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#discountresponse"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="discountedbookingforpartnersresponse">
    <S:GetSpecialDiscountedBookingForPartnersResponse
        xmlns:S="http://www.MyHotel.com/partnerservice">
      <xenc:EncryptedData
          wsu:Id="discountresponse"
          Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#usertoken"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>xdsfadwshdhrhdhcw0x...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </S:GetSpecialDiscountedBookingForPartnersResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>



Note

The order in which ds:Signature and the xenc:ReferenceList (which points at the xenc:EncryptedData) appear in wsse:Security records the order in which signing and encryption were applied. ds:Signature appearing first indicates that the message was encrypted first and then signed, which is the order usually adopted.

Most of these elements are already familiar; the unfamiliar ones are wsse:UsernameToken and the wsse:SecurityTokenReference sub-elements inside ds:Signature and xenc:EncryptedData.
 
We know that keys (symmetric or asymmetric) are what ensure the integrity and confidentiality of a message, and in the example both ds:Signature and xenc:EncryptedData use a wsse:SecurityTokenReference inside their ds:KeyInfo sub-element to refer to the security token (the wsse:UsernameToken) defined earlier in the SOAP header. The security token is therefore the basis for ensuring message integrity and confidentiality; and since the key is also a sign of the user's identity, the security token that carries the key information is the basis for authentication as well. Building on the introduction to XML Signature and XML Encryption, the introduction to WS-Security will focus on security tokens.
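As an added example (not code from the original article), the following Python script walks the wsse:Security header of a constructed envelope modelled on the one above: it resolves each ds:Reference, xenc:DataReference and wsse:SecurityTokenReference by wsu:Id, rejects duplicate or dangling Ids, and reads the order of the signing and encryption steps from the order of the header's sub-elements. The namespace URIs and the shortened token and cipher values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# Namespaces as used in the article's envelope (wsse/wsu from the 2002 draft).
NS = {"S": "http://www.w3.org/2001/12/soap-envelope", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
      "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed envelope modelled on the article's example (values shortened, not real ciphertext).
ENVELOPE = """<S:Envelope xmlns:S="%(S)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s"><S:Header><wsse:Security>
 <wsse:UsernameToken wsu:Id="usertoken"><wsse:Username>svc</wsse:Username></wsse:UsernameToken>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#resp"/></ds:SignedInfo><ds:KeyInfo>
  <wsse:SecurityTokenReference><wsse:Reference URI="#usertoken"/></wsse:SecurityTokenReference></ds:KeyInfo>
 </ds:Signature><xenc:ReferenceList><xenc:DataReference URI="#enc"/></xenc:ReferenceList>
 </wsse:Security></S:Header><S:Body wsu:Id="resp"><xenc:EncryptedData wsu:Id="enc" Type="%(xenc)sElement">
  <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#usertoken"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>xdsf...</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></S:Body></S:Envelope>""" % NS

def resolve(uri, ids):
    """A same-document reference "#id" must resolve to exactly one wsu:Id-tagged element."""
    if not (uri and uri.startswith("#") and uri[1:] in ids):
        raise ValueError("reference %r does not resolve" % uri)
    return ids[uri[1:]]

def token_id(el, ids):
    ref = el.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)  # token the key comes from
    return resolve(ref.get("URI") if ref is not None else None, ids).get(WSU_ID)

def check_security_header(xml_text):
    """List the steps recorded in wsse:Security in the order the sender applied them."""
    root = ET.fromstring(xml_text)
    tagged = [(el.get(WSU_ID), el) for el in root.iter() if el.get(WSU_ID) is not None]
    ids = dict(tagged)
    if len(ids) != len(tagged):   # an ambiguous Id must not be accepted
        raise ValueError("duplicate wsu:Id")
    sec = root.find("S:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    steps = []
    for child in sec:
        if child.tag == "{%s}Signature" % NS["ds"]:
            signed = [resolve(r.get("URI"), ids) for r in child.findall("ds:SignedInfo/ds:Reference", NS)]
            steps.append(("sign", [e.get(WSU_ID) for e in signed], {token_id(child, ids)}))
        elif child.tag == "{%s}ReferenceList" % NS["xenc"]:
            encs = [resolve(r.get("URI"), ids) for r in child.findall("xenc:DataReference", NS)]
            if any(e.tag != "{%s}EncryptedData" % NS["xenc"] for e in encs):
                raise ValueError("DataReference must point at an xenc:EncryptedData")
            steps.append(("encrypt", [e.get(WSU_ID) for e in encs], {token_id(e, ids) for e in encs}))
    # Sub-elements are prepended as each step is applied, so the header lists them newest first:
    # Signature before ReferenceList means the sender encrypted first, then signed.
    return steps[::-1]
```

Each returned tuple is (operation, Ids of the protected elements, Ids of the tokens the keys were taken from), oldest step first.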
 
