You can develop and secure a Java™ API for XML Web
Services (JAX-WS) web service by using a WS-Security policy in the WebSphere® Application Server Liberty. The examples are provided as a tutorial
to explain the general steps that are involved in developing and securing a web service in Liberty. Do not use the examples in a production
environment. Review your own security requirements to develop the Web Services Description Language
(WSDL) contract and the WS-Security policy for protecting your web service applications.
About this task
This task describes how to develop a simple JAX-WS web service application and secure the
application by using a WS-Security policy.
This task uses two keystores: enc-sender.jceks and
enc-receiver.jceks. These are WS-Security sample keystores that are shipped in
WebSphere Application Server traditional. If you have access to a traditional installation, you can
obtain the sample keystores from one the following directories:
profile_root/etc/ws-security/samples
WASHOME/profileTemplates/defaultdocuments/etc/ws-security/samples
Procedure
- Create the WSDL contract and WS-Security policy. In this sample, a WSDL contract with a WS-Security policy for a JAX-WS web service provider
application is created. The WS-Security policy template called UsernameToken with X509Token asymmetric message
protection (mutual authentication) is used. The client signs and encrypts the SOAP body and
signs and encrypts the UsernameToken in the request message. In the response message, the provider
signs and encrypts the SOAP body. For a complete description of the security constraints in this
example, see UsernameToken with X509Token
asymmetric message protection (mutual authentication).
- Create a WSDL contract for your service. The following example shows a sample WSDL
contract:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
targetNamespace="http://com/ibm/was/wssample/sei/echo/">
<wsdl:types>
<xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:element name="echoStringResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoResponse" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="echoStringInput">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoInput" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
</wsdl:types>
<wsdl:message name="echoOperationRequest">
<wsdl:part element="tns:echoStringInput" name="parameter" />
</wsdl:message>
<wsdl:message name="echoOperationResponse">
<wsdl:part element="tns:echoStringResponse" name="parameter" />
</wsdl:message>
<wsdl:portType name="EchoServicePortType">
<wsdl:operation name="echoOperation">
<wsdl:input message="tns:echoOperationRequest" />
<wsdl:output message="tns:echoOperationResponse" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="echoOperation">
<soap:operation soapAction="echoOperation" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Echo1Service">
<wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
<soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
- Add the namespaces that are needed to support the security policy to your WSDL in the
wsdl:definitions element. The following example shows the added
namespaces:
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
- Add the WS-Security policy fragment to your WSDL just before the wsdl:binding element. The policy template from UsernameToken with
X509Token asymmetric message protection (mutual authentication) is used in this
example.
- Add a wsp:PolicyReference for your security policy to your wsdl:binding element. The following example shows the
wsp:PolicyReference:
<wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
- Verify that your final WSDL looks like the example. The following example shows the final
WSDL:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
targetNamespace="http://com/ibm/was/wssample/sei/echo/">
<wsdl:types>
<xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:element name="echoStringResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoResponse" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="echoStringInput">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoInput" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
</wsdl:types>
<wsdl:message name="echoOperationRequest">
<wsdl:part element="tns:echoStringInput" name="parameter" />
</wsdl:message>
<wsdl:message name="echoOperationResponse">
<wsdl:part element="tns:echoStringResponse" name="parameter" />
</wsdl:message>
<wsdl:portType name="EchoServicePortType">
<wsdl:operation name="echoOperation">
<wsdl:input message="tns:echoOperationRequest" />
<wsdl:output message="tns:echoOperationResponse" />
</wsdl:operation>
</wsdl:portType>
<wsp:Policy wsu:Id="AsymmetricX509MutualAuthenticationWithUnt">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:EncryptSignature />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
<sp:RequireSignatureConfirmation />
</wsp:Policy>
</sp:Wss11>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
<wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="echoOperation">
<soap:operation soapAction="echoOperation" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Echo1Service">
<wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
<soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
- Create the web service application by using WSDL. This step can be done before or after the WS-Security policy is added to the WSDL. You can use
supported tools to create a JAX-WS web service application from the WSDL that was developed in the
previous section.
The following example shows a web service application that is developed from
the WSDL by using the Rational® Application Developer
(RAD)
tool:
@javax.jws.WebService (endpointInterface="com.ibm.was.wssample.sei.echo.EchoServicePortType",
targetNamespace="http://com/ibm/was/wssample/sei/echo/",
serviceName="Echo1Service",
wsdlLocation = "WEB-INF/wsdl/Echo.wsdl",
portName="Echo1ServicePort")
public class Echo1SOAPImpl {
public EchoStringResponse echoOperation(EchoStringInput parameter) {
String strInput = (parameter == null ? "input_is_null" : parameter.getEchoInput() );
try {
com.ibm.was.wssample.sei.echo.EchoStringResponse strOutput = new EchoStringResponse();
strOutput.setEchoResponse( "Echo1SOAPImpl>>" + strInput );
return strOutput;
} catch (java.lang.Exception ex) {
ex.printStackTrace();
}
}
@WebService (name = "EchoServicePortType",
targetNamespace = "http://com/ibm/was/wssample/sei/echo/")
@SOAPBinding (parameterStyle = SOAPBinding.ParameterStyle.BARE)
@XmlSeeAlso ({
ObjectFactory.class
})
public interface EchoServicePortType {
@WebMethod (action = "echoOperation")
@WebResult (name = "echoStringResponse", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
public EchoStringResponse echoOperation(
@WebParam (name = "echoStringInput", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
EchoStringInput parameter);
}
The
following code shows a managed web service client that invokes a web service provider
application:
@WebServlet("ClientServlet")
public class ClientServlet extends HttpServlet {
@WebServiceRef (value=Echo1Service.class, wsdlLocation="Echo.wsdl")
Echo1Service echo1Service;
public ClientServlet() {
super ();
}
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
processRequest(request, response);
}
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
processRequest(request, response);
}
private void processRequest(HttpServletRequest req,
HttpServletResponse resp) throws ServletException, IOException {
String endpointURL = "http://localhost:8010/WSSampleSei/Echo1Service";
Echo1ServicePortProxy proxy = new Echo1ServicePortProxy(echo1Service);
proxy._getDescriptor().setEndpoint(endpointURL);
echoParm = new ObjectFactory().createEchoStringInput();
echoParm.setEchoInput("Hello");
String retval = proxy.echoOperation(echoParm).getEchoResponse();
}
}
The
following example shows the file structure of the web service provider application war
file:
WEB-INF/web.xml
WEB-INF/wsdl/Echo.wsdl
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1SOAPImpl.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoServicePortType.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
The
following example shows the file structure of the web service client application war
file:
WEB-INF/web.xml
WEB-INF/wsdl/Echo.wsdl
WEB-INF/classes/com/ibm/was/wssample/client/ClientServlet.class
WEB-INF/classes/com/ibm/was/wssample/client/SampleClient.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1Service.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1ServicePortProxy.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
- Develop the callback handler. You must develop a callback handler to retrieve the user name and keystore key passwords. The
user name password is used when you generate the UsernameTokens. The keystore passwords are used for
accessing the private keys in the keystore. The callback handler must return plaintext passwords and
be packaged and installed as a Liberty user
feature.
The following sample code illustrates a callback
handler:
package com.ibm.ws.wssecurity.example.cbh;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
public class SamplePasswordCallback implements CallbackHandler {
private Map<String, String> userPasswords = new HashMap<String, String>();
private Map<String, String> keyPasswords = new HashMap<String, String>();
public SamplePasswordCallback() {
// some example user passwords
userPasswords.put("user1", "user1pswd");
userPasswords.put("admin", "adminpswd");
// some example key passwords
keyPasswords.put("alice", "keypwsd");
keyPasswords.put("bob", "keypswd");
}
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
String id = pwcb.getIdentifier();
String pass = null;
switch (pwcb.getUsage()) {
case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
case WSPasswordCallback.USERNAME_TOKEN:
pass = userPasswords.get(id);
pwcb.setPassword(pass);
break;
case WSPasswordCallback.SIGNATURE:
case WSPasswordCallback.DECRYPT:
pass = keyPasswords.get(id);
pwcb.setPassword(pass);
break;
}
}
}
}
The
following example shows the
MANIFEST.MF file that is packaged with the callback
handler:
Manifest-Version: 1.0
Bnd-LastModified: 1359415594428
Build-Identifier: SNAPSHOT-Mon Jan 28 17:26:34 CST 2013
Bundle-Copyright: The Program materials contained in this file are IBM
copyright materials. 5724-I63, 5724-J08, 5724-H89, 5724-H88, 5655-W65
Copyright International Business Machines Corp. 1999, 2012 All Rights
Reserved * Licensed Materials - Property of IBM US Government Users
Restricted Rights - Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Bundle-Description: An PasswordCallbackHandler; version=1.0.0
Bundle-ManifestVersion: 2
Bundle-Name: wssecuritycbh
Bundle-SymbolicName: com.ibm.ws.wssecurity.example.cbh
Bundle-Vendor: IBM
Bundle-Version: 1.0.0
Created-By: 1.6.0 (IBM Corporation)
Export-Package: com.ibm.ws.wssecurity.example.cbh;uses:="com.ibm.websphe
re.ras.annotation,javax.security.auth.callback";version="1.0.0"
Import-Package: com.ibm.websphere.ras,com.ibm.websphere.ras.annotation,c
om.ibm.ws.ffdc,javax.security.auth.callback,org.apache.ws.security;version="[1.6,2)"
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.6))"
Tool: Bnd-2.1.0.20120920-170235
WS-TraceGroup: WSSecurity
- Create a JAR file with the callback handler and the feature manifest file -
wsseccbh-1.0.mf. Create a JAR file that is called SampleCbh.jar with the following
contents:
META-INF/MANIFEST.MF
com/ibm/ws/wssecurity/example/cbh/SamplePasswordCallback.class
The
following example shows the
wsseccbh-1.0.mf
file:
Subsystem-ManifestVersion: 1
Subsystem-SymbolicName: wsseccbh-1.0; visibility:=public
Subsystem-Version: 1.0.0
Subsystem-Content: com.ibm.ws.wssecurity.example.cbh; version="[1,1.0.100)";
location:="lib/"; type="osgi.bundle"; start-phase:=APPLICATION_EARLY
Subsystem-Type: osgi.subsystem.feature
IBM-Feature-Version: 2
IBM-API-Package: com.ibm.ws.wssecurity.example.cbh; version="1.0"; type="internal"
- Copy the callback handler JAR file and the feature manifest file under the Liberty user directory. The following example shows where the callback handler JAR file and the feature manifest file
are
copied:
build.image/wlp/usr/extension/lib/SampleCbh.jar
build.image/wlp/usr/extension/lib/features/wsseccbh-1.0.mf
- Configure WS-Security in the Liberty
server. Enable the WS-Security feature in the Liberty server configuration file:
server.xml and configure WS-Security for the sample web service client and
provider application that is developed in the previous sections.
The following example shows how
to configure
WS-Security:
<server>
<featureManager>
<feature>usr:wsseccbh-1.0</feature>
<feature>servlet-3.0</feature>
<feature>appSecurity-2.0</feature>
<feature>jsp-2.2</feature>
<feature>jaxws-2.2</feature>
<feature>wsSecurity-1.1</feature>
</featureManager>
<basicRegistry id="basic" realm="customRealm">
<user name="user1" password="user1pswd" />
<user name="user2" password="user2pswd" />
</basicRegistry>
<wsSecurityProvider id="default"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
ws-security.signature.username="bob">
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="bob"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
<encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="alice"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
</wsSecurityProvider>
<wsSecurityClient id="default"
ws-security.password="security"
ws-security.username="user1"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
ws-security.encryption.username="alice">
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="alice"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks"/>
<encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="bob"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks" />
</wsSecurityClient>
</server>
Results
You secured a web service by using a WS-Security policy.
Example
The sample WS-Security policy that was created in the first step generates SOAP request and
response messages that are similar to the following messages.
The following example shows the SOAP
request
message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-B1165B2A578AFFC7D613649595665924">...
</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-04-03T03:26:06.549Z</wsu:Created>
<wsu:Expires>2013-04-03T03:31:06.549Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595666705">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Bob,O=IBM,C=US</ds:X509IssuerName>
<ds:X509SerialNumber>24054675667389</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-4"></xenc:DataReference>
<xenc:DataReference URI="#ED-5"></xenc:DataReference>
<xenc:DataReference URI="#ED-6"></xenc:DataReference>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-1788936596">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
The
following example shows a SOAP response
message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-7">
<wsu:Created>2013-04-03T03:26:07.286Z</wsu:Created>
<wsu:Expires>2013-04-03T03:31:07.286Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595673129">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Alice,O=IBM,C=US</ds:X509IssuerName>
<ds:X509SerialNumber>24054530212598</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-10"></xenc:DataReference>
<xenc:DataReference URI="#ED-11"></xenc:DataReference>
<xenc:DataReference URI="#ED-12"></xenc:DataReference>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-12"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-11"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-2035943749">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-10"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
What to do next
You can now develop your own WSDL file and protect the web service application by using a
WS-Security policy that matches your security requirements.