You can secure SOAP messages without using policy sets for configuration by using the Web services security APIs (WSS API). To configure decrypted parts for the response consumer (client side) bindings, use the WSSDecryptPart API to define the elements that make up a decrypted part and add them to its list. WSSDecryptPart is an interface in the com.ibm.websphere.wssecurity.wssapi.decryption package.
You can configure and add new encrypted parts either with the WSS APIs or by configuring policy sets in the administrative console. To secure SOAP messages with the WSSDecryptPart API, you must configure the decrypted parts for the response consumer bindings.
Confidentiality settings require that confidentiality constraints be applied to generated messages. These constraints include specifying which message parts within the generated message must be encrypted and decrypted, and which message parts to attach encrypted elements to.
The WSSDecryptPart API specifies information related to decryption and sets the decrypted parts that are added for message confidentiality protection. Use WSSDecryptPart to set the transform method and to specify the part to which the transform method applies. Set the transform method only if you are using SOAP with Attachments. WSSDecryptPart is usually not needed, except in some cases for tasks such as setting the transform method.
The decrypted parts listed in the following table are used to protect the confidentiality of messages.

Decrypted parts | Description |
---|---|
keyword | Sets the decrypted part using keywords. The default decrypted parts that you can add using keywords are BODY_CONTENT and SIGNATURE. WebSphere® Application Server supports the following keywords: |
xpath | Sets the decrypted part by using an XPath expression. |
verification | Sets the WSSVerification component as a decrypted part. The WSSVerification part is applicable only if the SOAP message contains a signature element. |
header | Sets the header, specified by QName, as a decrypted part. |
For decrypted parts, certain default behaviors apply. The simplest way to use the WSSDecryptPart API is to rely on the default behavior (see the example code).
WSSDecryptPart provides defaults for setting the transform algorithm, adding a transform method, setting objects such as elements as targets, and for the encrypted parts, such as the SOAP body content and the signature.
Decryption decisions | Default behavior |
---|---|
Which SOAP message parts to decrypt using keywords | Specifies which keywords to use for the decrypted parts. WebSphere Application Server sets the following SOAP message parts by default for decryption: |
Which transform algorithm to use (algorithm) | WebSphere Application Server does not specify any transform algorithm by default. Specify a transform method only if you are using SOAP with Attachments. |
After enabling decrypted parts for the response consumer (client side) binding, specify the generator and consumer tokens, if the security tokens have not already been specified.
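As an added example, not code from the IBM documentation, the following response consumer builds decrypted parts by keyword and by header QName, registers them with a WSSDecryption, and lets the consuming context process the response. The WSSFactory, WSSConsumingContext, WSSDecryption, WSSDecryptPart and X509Token names are the WSS API classes; the keystore values, the header QName, the X509ConsumeCallbackHandler constructor arguments and the WSSDecryptPart/WSSDecryption method names (addDecryptPart, addDecryptHeader, addRequiredDecryptPart) are assumptions to check against the API reference.

```java
import javax.xml.namespace.QName;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryptPart;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class ResponseDecryptionConsumer {

    /**
     * Configures decrypted parts for a SOAP response on the client side.
     * msgContext is the message context of the response being consumed.
     */
    public static void decryptResponse(Object msgContext) throws Exception {
        WSSFactory factory = WSSFactory.getInstance();
        WSSConsumingContext consumer = factory.newWSSConsumingContext();

        // Callback handler that supplies the client's private key for decryption.
        // Keystore path, type, passwords, alias and subject DN are placeholders
        // (assumption: constructor argument order follows the product API reference).
        X509ConsumeCallbackHandler keyHandler = new X509ConsumeCallbackHandler(
                "client-enc.jks", "jks", "storepass".toCharArray(),
                "client-enc-key", "keypass".toCharArray(),
                "CN=Client, O=Example, C=US");

        // Decryption keyed on an X.509 token carried in the response.
        WSSDecryption decryption = factory.newWSSDecryption(X509Token.class, keyHandler);

        // Part 1: the SOAP body content, selected by keyword (a default part).
        WSSDecryptPart bodyPart = factory.newWSSDecryptPart();
        bodyPart.addDecryptPart(WSSDecryptPart.BODY_CONTENT);   // method name assumed

        // Part 2: the signature element, selected by keyword (a default part).
        WSSDecryptPart sigPart = factory.newWSSDecryptPart();
        sigPart.addDecryptPart(WSSDecryptPart.SIGNATURE);

        // Part 3: an application header selected by QName (namespace is a placeholder).
        WSSDecryptPart headerPart = factory.newWSSDecryptPart();
        headerPart.addDecryptHeader(new QName("http://example.com/ns", "SessionId"));

        // No transform method is set: it is only needed for SOAP with Attachments.
        decryption.addRequiredDecryptPart(bodyPart);
        decryption.addRequiredDecryptPart(sigPart);
        decryption.addRequiredDecryptPart(headerPart);

        consumer.add(decryption);
        consumer.process(msgContext);   // fails if a required part cannot be decrypted
    }
}
```

The generator and consumer tokens still have to be configured separately, as the procedure above states; this block only covers the decrypted parts.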