4.8.4.2: SOAP signature components
An overview of the SOAP signature architecture is illustrated in the figure below.
Using the SOAP transport hook, you can plug in the security components:
- signer
- verifier with logging capability
The transport hook is called the EnvelopeEditor.
A PluggableEnvelopeEditor is also provided, which allows you to plug in your security components.
As illustrated, the EnvelopeEditor is encapsulated in the SOAPTransport on the client side.
On the server side, the EnvelopeEditor is encapsulated in RPC/MessageRouterServlet.
This means the same components can be used on either side.
When a client application sends a request, the request is signed and transmitted to the server.
On the server side, the request is verified and delivered to a server application or, in the case of an RPC, to a Java object.
The response is processed in the same manner.
The verifier component also has a logging function to log the verified messages in a file.
The signature and verifier components are configurable. You can specify encryption, the message digest algorithm, the certificate path policy, and other security technologies.
There are two signature components:
Signature Header Handler (SHH)
The Signature Header Handler is an XML-based configuration file, which enables:
- Template for <SignedInfo> (for customizing references, sign/hash algorithms, C14N algorithms, optional timestamp)
- Template for <KeyInfo> (for customizing the public key such as X.509 certificate)
Verification Header Handler (VHH)
The Verification Header Handler is an XML-based configuration file, which enables:
- Configurable policy (required scope of signature, trusted root, certstore, certpathchecker). More sophisticated policy, such as timestamp validation, may not be included in the 2/15 deliverable.
- Exit for logging (additional application-specific verification). A reference implementation of the logging component is also provided.
The digital signature configuration can be changed by editing the configuration for the following components:
SOAP Security-related Files
The following table provides:
- an inventory of the SOAP security elements contained in the SOAP security samples module (soapsec.war).
- a quick reference for SOAP security topics.
| Path | Contents | Description |
|---|---|---|
| /installedApps/soapsamples.ear/soapsec.war | WEB-INF, conf, key, log, etc. | Home of the soap security servlets |
| /installedApps/soapsamples.ear/soapsec.war/WEB-INF | web.xml | Servlet configuration file for SOAP security samples |
| /installedApps/soapsamples.ear/soapsec.war/conf | config files | Configuration files for envelope editors and signature components |
| /installedApps/soapsamples.ear/soapsec.war/key | SOAPclient, SOAPserver | See article Keystore files for more information. |
| /installedApps/soapsamples.ear/soapsec.war/logs | Log files | Logs generated during security exchange |
| /installedApps/soapsamples.ear/ServerSamplesCode/src/<service_name> | server side samples | Source for both the non-secure and secure samples |
| /installedApps/soapsamples.ear/ClientCode/nt_bat | scripts to run client samples | Batch files for invoking the client side samples to interact with the server-side services |
| /installedApps/soapsamples.ear/ClientCode/unix_scripts | scripts to run client samples | Batch files for invoking the client side samples to interact with the server-side services |
| /installedApps/soapsamples.ear/ClientCode/data | data files used by samples | |
| /installedApps/soapsamples.ear/ClientCode/src | client side samples source | |
| /lib | soap.jar, soap-sec.jar, ws-soap-ext.jar | Location of all jar files |