This specification provides three main mechanisms: security token propagation, message integrity, and message confidentiality.
A typical WS-Security-compliant SOAP message
(001) <?xml version="1.0" encoding="UTF-8"?>
(002) <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
(003)   <S:Header>
(004)     <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
(005)       <m:Action>http://fabrikam123.com/getQuote</m:Action>
(006)       <m:To>http://fabrikam123.com/stocks</m:To>
(007)       <m:Id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:Id>
(008)     </m:path>
(009)     <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
(010)       <wsse:UsernameToken Id="MyID">
(011)         <wsse:Username>Zoe</wsse:Username>
(012)       </wsse:UsernameToken>
(013)       <ds:Signature>
(014)         <ds:SignedInfo>
(015)           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
(016)           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
(017)           <ds:Reference URI="#MsgBody">
(018)             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
(019)             <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
(020)           </ds:Reference>
(021)         </ds:SignedInfo>
(022)         <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
(023)         <ds:KeyInfo>
(024)           <wsse:SecurityTokenReference>
(025)             <wsse:Reference URI="#MyID"/>
(026)           </wsse:SecurityTokenReference>
(027)         </ds:KeyInfo>
(028)       </ds:Signature>
(029)     </wsse:Security>
(030)   </S:Header>
(031)   <S:Body Id="MsgBody">
(032)     <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
(033)   </S:Body>
(034) </S:Envelope>
Most of the security items are carried in the SOAP header.
Lines 9-29 are the standard Security header, which contains the security information required by the intended recipient.
Lines 10-12 are the security token attached to the message. In this example the client uses a UsernameToken and does not transmit the password in the SOAP message, so we can assume that both parties have previously agreed on the authentication password (it is a shared secret).
Lines 13-28 give a complete description of the digital signature. The signature ensures the integrity of the signed elements and follows the XML Signature specification. In this example the signature is based on a key generated from the user's password.
Line 15 specifies how the data being signed is canonicalized (normalized).
Lines 17-20 select the elements that are signed; line 17 identifies the <S:Body> element as the signed data.
Line 22 specifies the signature value over the canonicalized form of the signed data, as defined in the XML Signature specification.
Lines 23-27 provide a hint about where to find the security token associated with the signature (by its URI).
Lines 31-33 contain the SOAP message body, which carries the payload we actually care about.
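As an added example (not code from the page or from the WS-Security specification), the following Python builds and then verifies a signature of the kind shown above: a SHA-1 digest of the S:Body, and an HMAC-SHA1 over the canonicalized SignedInfo keyed with a secret derived from the shared password. It assumes PBKDF2 for the password-to-key step (the page names no scheme), uses the standard library's C14N 2.0 in place of exclusive canonicalization, and the message, username and secret are constructed.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
S, DS, WSSE = ("http://www.w3.org/2001/12/soap-envelope", "http://www.w3.org/2000/09/xmldsig#",
               "http://schemas.xmlsoap.org/ws/2002/04/secext")
for prefix, uri in (("S", S), ("ds", DS), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)
# Constructed unsigned message modelled on the page's example (token as lines 10-12, body as lines 31-33).
UNSIGNED = (f'<S:Envelope xmlns:S="{S}"><S:Header><wsse:Security xmlns:wsse="{WSSE}">'
            '<wsse:UsernameToken Id="MyID"><wsse:Username>Zoe</wsse:Username></wsse:UsernameToken>'
            '</wsse:Security></S:Header><S:Body Id="MsgBody"><tru:StockSymbol '
            'xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol></S:Body></S:Envelope>')
PASSWORDS = {"Zoe": "constructed-shared-secret"}  # agreed out of band; never travels in the message

def c14n(elem):
    # Stand-in for exc-c14n: the stdlib only implements C14N 2.0 (assumption; both sides use the same).
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def derive_key(password):  # the page names no derivation scheme; PBKDF2 with a fixed salt is assumed
    return hashlib.pbkdf2_hmac("sha1", password.encode(), b"constructed-salt", 1000)

def sign(envelope, password):
    """Append a ds:Signature (the page's lines 13-22) to wsse:Security and return the signed XML."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{S}}}Body")
    sig = ET.SubElement(root.find(f"{{{S}}}Header/{{{WSSE}}}Security"), f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=DS + "hmac-sha1")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + body.get("Id"))  # line 17: points at S:Body
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=DS + "sha1")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(hashlib.sha1(c14n(body)).digest()).decode()
    mac = hmac.new(derive_key(password), c14n(si), hashlib.sha1).digest()  # line 22: HMAC over SignedInfo
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify(envelope, passwords):
    """Recipient side: True only if the digest and the HMAC both check out for the real S:Body."""
    root = ET.fromstring(envelope)
    sig = root.find(f"{{{S}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    si, body = sig.find(f"{{{DS}}}SignedInfo"), root.find(f"{{{S}}}Body")
    ref = si.find(f"{{{DS}}}Reference")
    if body is None or ref.get("URI") != "#" + body.get("Id", ""):
        return False  # the Reference must resolve to the Body actually processed, not to another element
    digest = base64.b64encode(hashlib.sha1(c14n(body)).digest()).decode()
    if not hmac.compare_digest(digest, ref.findtext(f"{{{DS}}}DigestValue") or ""):
        return False  # body was altered after signing
    user = root.findtext(f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")  # lines 10-12 name the key owner
    if user not in passwords:
        return False
    mac = hmac.new(derive_key(passwords[user]), c14n(si), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), sig.findtext(f"{{{DS}}}SignatureValue") or "")
```

Because the digest covers the canonical form, both parties must agree on the canonicalization algorithm exactly as line 15 declares; a verifier that skips the Reference-to-Body check accepts a signature over something other than the body it acts on.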