Web services security signature confirmation is an enhanced
XML digital signature, and it is included in the Web services security
standard. XML digital signature is used for signing elements of the
SOAP envelope.
As one of the extensions to the OASIS SOAP message security specification,
the signature confirmation element incorporates the elements that
are needed within the response message in order to confirm the signature
that is contained in a request message. XML digital signature and
signature confirmation help to provide more secure message-level security.
Web Services Security Version 1.0 for SOAP message security did
not provide any guidance on how to confirm mutual understanding of
the request that prompted this response. The SignatureConfirmation
or <wsse11:SignatureConfirmation> element has been added to
the Web Services Security Version 1.1 specification. The <wsse11:SignatureConfirmation>
element ensures that the signature is processed by the intended recipient
and indicates that the responder has processed the signature in the
request. The signature confirmation element is part of the updated
Web Services Security standard and enables interoperability with other
vendors that support the Version 1.1 standards, such as Microsoft® .NET and DataPower®.
Because of the stateless nature of Web services and due to different
message exchange patterns (MEPs), consider the following assumptions:
- Assume that session affinity is enabled if a cluster is enabled
for the clients that are running in WebSphere® Application
Server. When session affinity is enabled, it implies that the response
is sent back to the initiating client of the server.
- Assume WS-Addressing is enabled for asynchronous message exchange
patterns. When WS-Addressing is enabled, it allows the run time to
relate the response back to the request. An asynchronous response
is sent back to the application of the initiating WebSphere Application
Server.
Syntax
The SignatureConfirmation element
indicates that the responder has processed the signature in the request.
When this element is not present in a response, the initiator interprets
this to mean that the responder is not compliant with the specification.
The format for the signature
confirmation element is as follows:
<wsse11:SignatureConfirmation wsu:Id="…" Value="…" />
where:
- wsu:Id: The identifier that is used when referencing this element in the <ds:SignedInfo>
reference list of the signature of the associated response message.
This attribute is required so that unambiguous references are made
to this <wsse11:SignatureConfirmation> element.
- Value: This attribute is optional and contains the contents of a <ds:SignatureValue>
that is copied from the associated request. If the request is unsigned,
this attribute must not be present. If this attribute is specified
without a value (empty), the initiator interprets this as incorrect
behavior and processes it accordingly. When this attribute is not
present, the initiator interprets this to mean that the response is
based on a request that was not signed.
Configuration
To configure signature confirmation,
configure the policy file using the administrative console, and select Require
signature confirmation. To process Signature Confirmation correctly,
the initiator of the request needs to preserve the signatures during
request generator processing and later needs to retrieve the signatures
for confirmation checks.
Response generation rules
Additional SOAP
security elements for the SOAP responder are used to confirm that
the response is in relationship to a particular request. The responder
must include the contents of the <ds:SignatureValue> element
of the request signature as the value of the @Value attribute of the <wsse11:SignatureConfirmation>
element.
The following response generation rules apply when
using the SignatureConfirmation policy assertion:
- If there are no signatures on the request, the response contains
one SignatureConfirmation element, without a value. For MEPs where
there are multiple requests (all without signatures) and one response,
the response contains one SignatureConfirmation element without a
value.
- If there are signatures on the request, the response contains
a SignatureConfirmation element for each signature, with a value that
matches the signature value on the request. For MEPs where there are
multiple requests, with at least one containing a signature, and one
response, the response contains a SignatureConfirmation element for
each signature that is found on the requests, with a value that matches
the signature value on the request.
- For MEPs where there is one request and multiple responses, each
response contains the appropriate SignatureConfirmation elements as
noted in the first and second bullets.
- If the SOAP request contains multiple signatures, the requester
will find all of the signature confirmation elements contained in
the response, and will check the values of the value fields of the
signature confirmation elements against the values of the signatures
in the original SOAP request.
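The attribute rules under Syntax and the response generation rules above, modelled end to end as an added example (not WebSphere or IBM code): the responder collects the request's <ds:SignatureValue> contents and emits one <wsse11:SignatureConfirmation> per signature (or a single valueless one for an unsigned request), and the initiator checks the response against the signature values it preserved. The namespace URIs are the standard WS-Security ones; the wsu:Id values and the signature values in the sample header are constructed placeholders.

```python
# Added example: SignatureConfirmation generation and checking per the rules on this page.
import xml.etree.ElementTree as ET

NS = {  # standard WS-Security / XML-DSig namespace URIs
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SC_TAG = "{%s}SignatureConfirmation" % NS["wsse11"]
ID_ATTR = "{%s}Id" % NS["wsu"]

# Constructed request Security header with two signatures (signature values are placeholders).
SIGNED_REQUEST = """<wsse:Security xmlns:wsse="%s" xmlns:ds="%s">
  <ds:Signature><ds:SignatureValue>QUJDREVG</ds:SignatureValue></ds:Signature>
  <ds:Signature><ds:SignatureValue>R0hJSktM</ds:SignatureValue></ds:Signature>
</wsse:Security>""" % (NS["wsse"], NS["ds"])

def request_signature_values(security_xml):
    """Initiator: preserve the request's ds:SignatureValue contents; responder: collect them."""
    root = ET.fromstring(security_xml)
    return [sv.text.strip() for sv in root.findall(".//ds:Signature/ds:SignatureValue", NS)]

def build_confirmations(sig_values):
    """Responder: one valueless element for an unsigned request, else one element per signature."""
    elems = []
    for i, value in enumerate(sig_values or [None], 1):
        e = ET.Element(SC_TAG)
        e.set(ID_ATTR, "SC-%d" % i)  # required so the response ds:SignedInfo can reference it
        if value is not None:
            e.set("Value", value)    # copied verbatim from the request's ds:SignatureValue
        elems.append(e)
    return elems

def confirm_response(confirmations, preserved_values):
    """Initiator: check the response's confirmations against the preserved request signatures."""
    if not confirmations:
        return False, "no SignatureConfirmation element: responder is not compliant"
    found = []
    for e in confirmations:
        value = e.get("Value")
        if value == "":
            return False, "empty Value attribute is incorrect behavior"
        if value is not None:
            found.append(value)
    if not preserved_values:  # unsigned request: exactly one element, no Value
        if len(confirmations) == 1 and not found:
            return True, "response confirms an unsigned request"
        return False, "unexpected Value on confirmation of an unsigned request"
    if sorted(found) != sorted(preserved_values):
        return False, "confirmation values do not match the request signatures"
    return True, "all %d request signatures confirmed" % len(found)
```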