How to handle WS security / SOAP security standards
There are 3 types of security binding:
The current demo uses the Asymmetric binding.
This section is divided into sub-sections:
AsymmetricBinding is the root node for protection description.
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
InitiatorToken is the message sender (client)
For example:
<sp:InitiatorToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:RequireThumbprintReference />
        <sp:WssX509V1Token10 />
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:InitiatorToken>
The token is used for the message signature from initiator to recipient and encryption from recipient to initiator.
The initiator key is an X509 certificate that is always sent to the recipient.
The sp:IncludeToken attribute indicates whether the token must be included in the message.
IncludeToken/AlwaysToRecipient means each request sent to the recipient must include the initiator token, but the token must not be included in messages from the recipient to the initiator.
The token must be referenced by its thumbprint (RequireThumbprintReference).
The token must be of type X509 version 1 as defined in "X509 token profile 1.0".
What should be done in BDL is described in the Client Side section.
To retrieve the thumbprint reference you can use the API function xml.CryptoX509.getThumbprintSHA1.
To create the x509 certificate use an appropriate tool like openssl.
RecipientToken is the message receiver (server)
<sp:RecipientToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
      <wsp:Policy>
        <sp:RequireThumbprintReference />
        <sp:WssX509V3Token10 />
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:RecipientToken>
The recipient key is an X509 certificate that is never sent to the initiator.
The sp:IncludeToken attribute indicates whether the token must be included in the message.
IncludeToken/Never means the token must not be included in any message exchanged between the initiator and the recipient.
Instead, the recipient's ThumbprintReference is sent.
The token must be of type X509 version 3 as defined in "X509 token profile 1.0".
What should be done in BDL is described in the Server Side section. To retrieve the thumbprint reference you can use the API function xml.CryptoX509.getThumbprintSHA1. To create the certificate use an appropriate tool like openssl.
AlgorithmSuite tells which algorithm is used to encrypt the data.
<sp:AlgorithmSuite>
  <wsp:Policy>
    <sp:TripleDesRsa15 />
  </wsp:Policy>
</sp:AlgorithmSuite>
TripleDesRsa15 refers to the encryption algorithm identified by http://www.w3.org/2001/04/xmlenc#tripledes-cbc.
Layout describes the way security information is added to the message header.
<sp:Layout>
  <wsp:Policy>
    <sp:Strict />
  </wsp:Policy>
</sp:Layout>
For example, with the Strict layout, tokens that are included in the message must be declared before they are used. For more details on the rules to follow, see section 7.7 of the security policy specification.
PartsToSign
<sp:OnlySignEntireHeadersAndBody />
This assertion means that if the header or the body is signed, the signature must cover the entire header or the entire body, not only their child elements.
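As an added example (not part of this documentation or of the BDL API), the assertions described above assembled into one AsymmetricBinding, parsed with Python's standard library and checked against the profile this page describes; the wsp namespace URI is assumed to be the WS-Policy 2004/09 one, and the flag on TripleDesRsa15 is a caveat added here, not something the page states.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed namespace for the wsp: prefix
INC = SP + "/IncludeToken/"

# Constructed sample: the assertions of this page assembled into one binding.
POLICY = f"""<sp:AsymmetricBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>
  <sp:InitiatorToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="{INC}AlwaysToRecipient"><wsp:Policy>
      <sp:RequireThumbprintReference/><sp:WssX509V1Token10/>
    </wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
  <sp:RecipientToken><wsp:Policy>
    <sp:X509Token sp:IncludeToken="{INC}Never"><wsp:Policy>
      <sp:RequireThumbprintReference/><sp:WssX509V3Token10/>
    </wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  <sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy></sp:AsymmetricBinding>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix ElementTree adds

def describe_binding(xml_text):
    # Summarise token inclusion, thumbprint requirement, X509 profile, suite, layout, signing scope.
    root = ET.fromstring(xml_text)
    summary = {}
    for role in ("InitiatorToken", "RecipientToken"):
        tok = root.find(f".//{{{SP}}}{role}/{{{WSP}}}Policy/{{{SP}}}X509Token")
        nested = [_local(c.tag) for c in tok.find(f"{{{WSP}}}Policy")]
        summary[role] = {
            "include": tok.get(f"{{{SP}}}IncludeToken", "").rsplit("/", 1)[-1],
            "thumbprint": "RequireThumbprintReference" in nested,
            "x509": [n for n in nested if n.startswith("WssX509")],
        }
    summary["suite"] = _local(root.find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*").tag)
    summary["layout"] = _local(root.find(f".//{{{SP}}}Layout/{{{WSP}}}Policy/*").tag)
    summary["entire_parts"] = root.find(f".//{{{SP}}}OnlySignEntireHeadersAndBody") is not None
    return summary

def lint(s):
    # Each check is (condition that must hold, message reported when it does not).
    checks = [
        (s["InitiatorToken"]["include"] == "AlwaysToRecipient", "initiator token must be sent with every request"),
        (s["RecipientToken"]["include"] == "Never", "recipient token must never be sent, only its thumbprint reference"),
        (all(s[r]["thumbprint"] for r in ("InitiatorToken", "RecipientToken")), "both tokens must require a thumbprint reference"),
        (s["suite"] != "TripleDesRsa15", "TripleDesRsa15 (3DES-CBC, RSA PKCS#1 v1.5 key transport) is a legacy suite"),
        (s["layout"] == "Strict" and s["entire_parts"], "layout must be Strict and signatures must cover entire headers and body"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running `lint(describe_binding(POLICY))` on the sample reports only the legacy algorithm suite; dropping OnlySignEntireHeadersAndBody or changing the recipient IncludeToken adds a finding for each.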