Security bindings

There are 3 types of security binding:

The current demo uses the Asymmetric binding.

Asymmetric Binding

This section is divided into subsections:

AsymmetricBinding is the root node of the protection description.

<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">

InitiatorToken

InitiatorToken is the message sender (client).

For example:

<sp:InitiatorToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:RequireThumbprintReference />
        <sp:WssX509V1Token10 />
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:InitiatorToken>

The token is used for the message signature from initiator to recipient and encryption from recipient to initiator.

The initiator key is an X509 certificate that is always sent to the recipient.

The sp:IncludeToken attribute indicates whether the token must be included in the message.

IncludeToken/AlwaysToRecipient means that each request sent to the recipient must include the initiator token, but the token must not be included in messages from the recipient to the initiator.

The token must be referenced by its Thumbprint Reference (sp:RequireThumbprintReference).

The token must be an X509 version 1 token as defined in the "X509 token profile 1.0".

What should be done in BDL is described in the Client Side section.

To retrieve the thumbprint reference, use the API function xml.CryptoX509.getThumbprintSHA1.

To create the X509 certificate, use an appropriate tool such as openssl.

RecipientToken

RecipientToken is the message receiver (server).

<sp:RecipientToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
      <wsp:Policy>
        <sp:RequireThumbprintReference />
        <sp:WssX509V3Token10 />
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:RecipientToken>

The token is used for encryption from initiator to recipient, and for the message signature from recipient to initiator.

The recipient key is an X509 certificate that is never sent to the initiator.

The sp:IncludeToken attribute indicates whether the token must be included in the message.

IncludeToken/Never means that the token must not be included in any message exchanged between the initiator and the recipient.

Instead, the recipient's ThumbprintReference is sent.

The token must be an X509 version 3 token as defined in the "X509 token profile 1.0".

What should be done in BDL is described in the Server Side section.

To retrieve the thumbprint reference, use the API function xml.CryptoX509.getThumbprintSHA1.

To create the X509 certificate, use an appropriate tool such as openssl.

AlgorithmSuite

AlgorithmSuite specifies which algorithm is used to encrypt the data.

<sp:AlgorithmSuite>
  <wsp:Policy>
    <sp:TripleDesRsa15 />
  </wsp:Policy>
</sp:AlgorithmSuite>

TripleDesRsa15 refers to the Triple DES (CBC mode) encryption algorithm identified by http://www.w3.org/2001/04/xmlenc#tripledes-cbc.

Layout

Layout describes how security information is added to the message header.

<sp:Layout>
  <wsp:Policy>
    <sp:Strict />
  </wsp:Policy>
</sp:Layout>

For example, with the Strict layout, tokens that are included in the message must be declared before they are used. For more details on the rules to follow, see section 7.7 of the security policy specification.

Additional Assertions

PartsToSign

<sp:OnlySignEntireHeadersAndBody />

This assertion means that if a header or the body is signed, the signature must cover the entire header or the entire body, not individual child elements.
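The following is an added example (not part of this documentation or of the BDL API) that assembles the fragments above into one AsymmetricBinding policy, then parses it and reports how each token is referenced and included, which algorithm suite and layout are selected, and two checks a reviewer would make: a token that is never sent must carry a Require*Reference assertion, and the TripleDesRsa15 suite relies on legacy algorithms. The wsp namespace URI is assumed.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed WS-Policy namespace
NS = {"sp": SP, "wsp": WSP}
REFERENCE_ASSERTIONS = {"RequireThumbprintReference", "RequireKeyIdentifierReference",
                        "RequireIssuerSerialReference", "RequireEmbeddedTokenReference"}

# Constructed sample: the fragments from this page assembled into one binding.
POLICY = f"""<sp:AsymmetricBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}">
<wsp:Policy>
 <sp:InitiatorToken><wsp:Policy>
  <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient"><wsp:Policy>
   <sp:RequireThumbprintReference/><sp:WssX509V1Token10/>
  </wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
 <sp:RecipientToken><wsp:Policy>
  <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never"><wsp:Policy>
   <sp:RequireThumbprintReference/><sp:WssX509V3Token10/>
  </wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
 <sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>
 <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
 <sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy></sp:AsymmetricBinding>"""

def _assertions(elem):
    """Local names of the assertions directly inside elem's wsp:Policy wrapper."""
    policy = None if elem is None else elem.find("wsp:Policy", NS)
    return [] if policy is None else [c.tag.rsplit("}", 1)[-1] for c in policy]

def describe_binding(xml_text):
    root = ET.fromstring(xml_text)
    body = root.find("wsp:Policy", NS)
    out = {"tokens": {}, "problems": []}
    for role in ("InitiatorToken", "RecipientToken"):
        tok = body.find(f"sp:{role}/wsp:Policy/sp:X509Token", NS)
        if tok is None:
            out["problems"].append(f"{role}: no X509Token assertion"); continue
        # Spec default when the attribute is absent is .../IncludeToken/Always.
        include = tok.get(f"{{{SP}}}IncludeToken", SP + "/IncludeToken/Always")
        nested = _assertions(tok)
        out["tokens"][role] = {"include": include.rsplit("/", 1)[-1],
                               "version": next((n for n in nested if n.startswith("WssX509")), None),
                               "thumbprint_ref": "RequireThumbprintReference" in nested}
        # A token that is never sent can only be located through an external reference.
        if include.endswith("/Never") and not REFERENCE_ASSERTIONS & set(nested):
            out["problems"].append(f"{role}: IncludeToken/Never but no Require*Reference assertion")
    suite = _assertions(body.find("sp:AlgorithmSuite", NS))
    out["suite"] = suite[0] if suite else None
    if out["suite"] and out["suite"].startswith("TripleDes"):
        out["problems"].append("suite: 3DES is a 64-bit block cipher; prefer an AES (Basic*) suite")
    if out["suite"] and out["suite"].endswith("Rsa15"):
        out["problems"].append("suite: RSA-1.5 key transport; prefer a suite using RSA-OAEP")
    layout = _assertions(body.find("sp:Layout", NS))
    out["layout"] = layout[0] if layout else None
    out["sign_entire_parts"] = body.find("sp:OnlySignEntireHeadersAndBody", NS) is not None
    return out
```

Running describe_binding(POLICY) reports the two algorithm-suite problems for this page's configuration; removing sp:RequireThumbprintReference from the RecipientToken adds a third, since a token that is never sent then has no reference the initiator can use.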