Web services security signature confirmation is an enhancement to XML
digital signature, and it is included in the Web services security standard.
XML digital signature is used for signing elements of the SOAP envelope.
As one of the extensions to the OASIS SOAP message security specification,
the signature confirmation element carries, within the response message, the
elements that are needed to confirm the signature that is contained
in the request message. Together, XML digital signature and signature
confirmation strengthen message-level security.
Web Services Security Version 1.0 for SOAP message security did not provide
any guidance on how to confirm mutual understanding of the request that prompted
this response. The SignatureConfirmation or <wsse11:SignatureConfirmation>
element has been added to the Web Services Security Version 1.1 specification.
The <wsse11:SignatureConfirmation> element ensures that the signature is
processed by the intended recipient and indicates that the responder has processed
the signature in the request. The signature confirmation element is part of
the updated Web Services Security standard and enables interoperability with
other vendors that support the Version 1.1 standards, such as Microsoft .NET
and DataPower.
Because of the stateless nature of Web services and due to different message
exchange patterns (MEPs), consider the following assumptions:
- Assume that session affinity is enabled if a cluster is enabled for the
clients that are running in WebSphere Application Server. When session affinity
is enabled, it implies that the response is sent back to the initiating client
of the server.
- Assume WS-Addressing is enabled for asynchronous message exchange patterns.
When WS-Addressing is enabled, it allows the runtime to relate the response
back to the request. An asynchronous response is sent back to the application
of the initiating WebSphere Application Server.
Syntax
The SignatureConfirmation element indicates
that the responder has processed the signature in the request. When this element
is not present in a response, the initiator treats the responder as not
compliant with signature confirmation.
The format for the signature confirmation element
is as follows:
<wsse11:SignatureConfirmation wsu:Id="…" Value="…" />
where:
- wsu:Id: The identifier that is used when referencing this element in the <ds:SignedInfo>
reference list of the signature of the associated response message. This attribute
is required so that unambiguous references are made to this <wsse11:SignatureConfirmation>
element.
- Value: This attribute is optional and contains the contents of a <ds:SignatureValue>
that is copied from the associated request. If the request is unsigned, this
attribute must not be present. If this attribute is specified without a value
(empty), the initiator interprets this as incorrect behavior and processes
it accordingly. When this attribute is not present, the initiator interprets
this to mean that the response is based on a request that was not signed.
Configuration
To configure signature confirmation,
configure the policy file using the administrative console, and select Require
signature confirmation. To process Signature Confirmation correctly, the
initiator of the request needs to preserve the signatures during request generator
processing and later needs to retrieve the signatures for confirmation checks.
Response generation rules
Additional SOAP security
elements for the SOAP responder are used to confirm that the response is in
relationship to a particular request. The responder must include the contents
of the <ds:SignatureValue> element of the request signature as the value
of the @Value attribute of the <wsse11:SignatureConfirmation> element.
The
following response generation rules apply when using the SignatureConfirmation
policy assertion:
- If there are no signatures on the request, the response contains one SignatureConfirmation
element, without a value. For MEPs where there are multiple requests (all
without signatures) and one response, the response contains one SignatureConfirmation
element without a value.
- If there are signatures on the request, the response contains a SignatureConfirmation
element for each signature, with a value that matches the signature value
on the request. For MEPs where there are multiple requests, with at least
one containing a signature, and one response, the response contains a SignatureConfirmation
element for each signature that is found on the requests, with a value that
matches the signature value on the request.
- For MEPs where there is one request and multiple responses, each response
contains the appropriate SignatureConfirmation elements as noted in the first
and second bullets.
- If the SOAP request contains multiple signatures, the requester locates
all of the signature confirmation elements contained in the response, and
checks the Value attribute of each signature confirmation element
against the signature values of the signatures in the original SOAP request.
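The syntax rules above and the response generation rules can be exercised end to end with a small model of both sides of the exchange. The following is an added example, not code from the original page or from WebSphere Application Server: a responder that emits one <wsse11:SignatureConfirmation> per <ds:SignatureValue> found across the requests of a MEP (or a single element with no Value when none was signed), and an initiator that preserves its own signature values and later checks the confirmations, reporting the non-compliant, empty-Value, unsigned and mismatch cases described on this page. The sample SOAP envelopes, the SC-n identifiers and the verdict strings are constructed for the example; the namespace URIs are the ones defined by the OASIS WS-Security and XML Signature specifications.

```python
"""Model of WS-Security 1.1 SignatureConfirmation generation and checking."""
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0/1.1 and W3C XML Signature specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsse11", WSSE11), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

SC_TAG = f"{{{WSSE11}}}SignatureConfirmation"
ID_ATTR = f"{{{WSU}}}Id"

# Constructed sample requests (the signature value is a placeholder, not a real signature).
SIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE}"><ds:Signature xmlns:ds="{DS}">
<ds:SignedInfo/><ds:SignatureValue>c2lnMQ==</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
UNSIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE}"/></soap:Header><soap:Body/></soap:Envelope>"""


def request_signature_values(request_xml):
    """Initiator side: preserve every ds:SignatureValue of an outgoing request."""
    root = ET.fromstring(request_xml)
    return [el.text.strip() for el in root.iter(f"{{{DS}}}SignatureValue") if el.text]


def build_signature_confirmations(request_xmls):
    """Responder side: one confirmation per signature found across all requests of
    the MEP, or a single confirmation without Value when none of them is signed."""
    values = [v for xml in request_xmls for v in request_signature_values(xml)]
    if not values:
        return [ET.Element(SC_TAG, {ID_ATTR: "SC-1"})]  # Value must be absent
    return [ET.Element(SC_TAG, {ID_ATTR: f"SC-{i}", "Value": v})
            for i, v in enumerate(values, start=1)]


def response_envelope(confirmations):
    """Wrap the confirmations in the wsse:Security header of a response envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    for el in confirmations:
        security.append(el)
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")


def check_signature_confirmations(response_xml, expected_values):
    """Initiator side: compare the confirmations in a response against the signature
    values preserved from the request(s). Returns a verdict string."""
    root = ET.fromstring(response_xml)
    confirmations = list(root.iter(SC_TAG))
    if not confirmations:
        return "NOT_COMPLIANT"  # responder does not confirm signatures at all
    found = []
    for el in confirmations:
        if "Value" in el.attrib:
            if el.attrib["Value"] == "":
                return "MALFORMED"  # attribute present but empty is incorrect behaviour
            found.append(el.attrib["Value"])
    if not expected_values:
        # We sent an unsigned request: no confirmation may carry a Value.
        return "UNSIGNED_CONFIRMED" if not found else "MISMATCH"
    if len(found) != len(confirmations):
        return "MISMATCH"  # responder claims an unsigned request, but we signed it
    return "CONFIRMED" if sorted(found) == sorted(expected_values) else "MISMATCH"


if __name__ == "__main__":
    preserved = request_signature_values(SIGNED_REQUEST)
    response = response_envelope(build_signature_confirmations([SIGNED_REQUEST]))
    print(response)
    print(check_signature_confirmations(response, preserved))
```

The initiator keeps the preserved signature values between the request generator and the response consumer, which is the "preserve the signatures" step the Configuration section refers to; the responder never needs state, because every value it confirms is copied from the request(s) it is answering.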