You can secure the SOAP messages, without using policy sets for configuration, by using the Web Services Security APIs (WSS API). To configure parts to be signed for the request generator (client side) bindings, use the WSSSignPart API to protect the integrity of messages and to configure the digest and transform algorithm methods. The WSSSignPart API is part of the com.ibm.websphere.wssecurity.wssapi.signature package.
You can configure the signing information either with the WSS API or with policy sets that you configure from the administrative console. To secure SOAP messages by using the signing information, you must complete one of the following tasks:
WebSphere® Application Server uses the signing information for the default generator to sign parts of the message, and uses XML digital signature with existing digest and transform algorithms (for example, SHA1 or TRANSFORM_EXC_C14N).
The signing information specifies the integrity constraints that are applied to generated messages. The signed parts are used to protect the integrity of messages. You can specify the signed parts to add for message integrity protection.
The following table shows the required signed parts when the digital signature security constraint (integrity) is defined:

Signed parts | Description |
---|---|
keyword | Adds signed parts using keywords. WebSphere Application Server supports the following keywords for signed parts: |
xpath | Adds the required signed parts by using an XPath expression. |
header | Adds the header, specified by QName, as a signed part. |
timestamp | Adds a WSSTimestamp object as a signed part. If specified, the timestamp information specifies when the message is generated and when it expires. |
Different message parts can be specified in the message protection for a request on the generator side. WSSSignPart allows you to add a transform algorithm, set a digest method, set objects as targets, specify whether an element, and specify the signed parts, such as the SOAP body, the WS-Addressing header, and timestamp information.
For signing information, certain default behaviors occur. The simplest way to use the WSSSignPart API is to use the default behavior (see the example code). The signed parts default behaviors include:
Signature decisions | Default behavior |
---|---|
Which SOAP message parts to sign | WebSphere Application Server supports the following SOAP message parts to be signed and used for message protection: |
Which digest method to use | Sets the digest algorithm method. The digest method algorithm that is specified within the <DigestMethod> element is used in the <SigningInfo> element. WebSphere Application Server supports the following pre-configured digest methods: |
Which transform algorithms to use | Adds the transform method. The transform algorithm is specified within the <Transform> element and specifies the transform algorithm for the signature. WebSphere Application Server supports the following pre-configured transform algorithms: |
The following example provides sample code that uses all of the methods that are defined in the WSSSignPart API:

```java
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// Get the message context
Object msgcontext = getMessageContext();
// Generate the WSSFactory instance (step: a)
WSSFactory factory = WSSFactory.getInstance();
// Generate WSSGenerationContext instance (step: b)
WSSGenerationContext gencont = factory.newWSSGenerationContext();
// Generate the callback handler that supplies the X.509 signing key from the keystore
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
    "",
    "dsig-sender.ks",
    "jks",
    "client".toCharArray(),
    "soaprequester",
    "client".toCharArray(),
    "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",
    null);
// Generate the security token used for the signature (step: c)
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
// Generate WSSSignature instance (step: d)
WSSSignature sig = factory.newWSSSignature(token);
// Generate WSSSignPart instance (step: e)
WSSSignPart sigPart = factory.newWSSSignPart();
// Set the part specified by WSSSignPart (step: f)
sigPart.setSignPart(WSSSignature.BODY);
// Set the digest method specified by WSSSignPart (step: g)
sigPart.setDigestMethod(WSSSignPart.SHA256);
// Set the transform method specified by WSSSignPart (step: h)
sigPart.setTransformMethod(WSSSignPart.TRANSFORM_STRT10);
// Add the part specified by WSSSignPart (step: i)
sig.addSignPart(sigPart);
// Add the WSSSignature to the WSSGenerationContext (step: j)
gencont.add(sig);
// Generate the WS-Security header (step: k)
gencont.process(msgcontext);
```
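As an added example that is not part of the IBM reference, the following code builds one signature over three parts addressed the way the signed-parts table describes them: the body by keyword (default digest and transform), the timestamp, and an application header by QName. The header QName, the class name, and the caller-supplied callback handler are constructed for this example; the setSignPart(WSSTimestamp) and setSignPart(QName) overloads, newWSSTimestamp(), and the WSSException type are assumed from the WSS API reference.

```java
import javax.xml.namespace.QName;

import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.WSSTimestamp;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class MultiPartSigner {

    // Constructed for this example: an application header that must also be integrity-protected.
    private static final QName ORDER_HEADER = new QName("http://example.com/orders", "OrderContext");

    public static void signRequest(Object msgcontext, X509GenerateCallbackHandler callbackHandler)
            throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();
        SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
        WSSSignature sig = factory.newWSSSignature(token);

        // 1. Body by keyword, relying on the default digest and transform methods.
        WSSSignPart bodyPart = factory.newWSSSignPart();
        bodyPart.setSignPart(WSSSignature.BODY);
        sig.addSignPart(bodyPart);

        // 2. Timestamp: generated into the Security header, then referenced as a signed part
        //    so the consumer can reject expired or replayed messages on a verified timestamp.
        WSSTimestamp timestamp = factory.newWSSTimestamp();   // assumed factory method
        gencont.add(timestamp);
        WSSSignPart tsPart = factory.newWSSSignPart();
        tsPart.setSignPart(timestamp);                         // assumed overload: setSignPart(WSSTimestamp)
        tsPart.setDigestMethod(WSSSignPart.SHA256);
        sig.addSignPart(tsPart);

        // 3. Application header by QName, with exclusive C14N so namespace-context changes
        //    introduced by intermediaries do not invalidate the digest.
        WSSSignPart hdrPart = factory.newWSSSignPart();
        hdrPart.setSignPart(ORDER_HEADER);                     // assumed overload: setSignPart(QName)
        hdrPart.setTransformMethod(WSSSignPart.TRANSFORM_EXC_C14N);
        sig.addSignPart(hdrPart);

        gencont.add(sig);
        gencont.process(msgcontext);   // emits the WS-Security header with one signature over all three parts
    }
}
```

The consumer must list the same three parts as required signed parts (WSSVerifyPart or the policy set), otherwise an attacker could strip the header or timestamp without the body signature failing.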
Use the WSSVerifyPart API or configure policy sets using the administrative console to verify the signed parts on the consumer side.