Building XPath expressions for WS-Security
JAX-RPC and JAX-WS WS-Security configurations use XML-based SOAP messages to exchange information between applications. You can use an XPath expression to select specific elements in a SOAP message to sign or encrypt.
Before you begin
If you want to sign or encrypt elements in a Simple Object Access Protocol (SOAP) message, you can use XPath expressions to select the specific elements in the message. SOAP 1.1 and SOAP 1.2 messages differ in format and therefore require separate XPath expressions to select elements from each version of the message. The JAX-WS runtime environment supports both SOAP 1.1 and SOAP 1.2, so you must add two XPath expressions to the WS-Security policies for each element that you want to select: one for SOAP 1.1, and one for SOAP 1.2. The JAX-RPC runtime environment supports only SOAP 1.1, so you must add only the SOAP 1.1 version of the XPath expression to the WS-Security policies.
The differences in the format of SOAP 1.1 and SOAP 1.2 messages are highlighted in the following scenario of selecting the Timestamp element from SOAP messages in a JAX-WS WS-Security configuration.
The following example shows a SOAP 1.1 message with a Timestamp element.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-16" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2012-01-11T12:55:41.781Z</wsu:Created>
        <wsu:Expires>2012-01-11T15:42:21.781Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
</soapenv:Envelope>
The following example shows a SOAP 1.2 message with a Timestamp element.
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="uuid-169b0950-217e-48af-9057-ea832e0c7e19-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2009-09-08T14:08:36.224Z</wsu:Created>
        <wsu:Expires>2009-09-08T14:13:36.224Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
</soapenv:Envelope>
The XPath expressions that select SOAP message elements are in the WS-Security default policies that contain configuration information for XML Digital Signature. In a JAX-WS WS-Security configuration, the XPath expressions appear in pairs, with one XPath expression for each supported version of SOAP.
The following example shows the XPath expressions that select the Timestamp element from the SOAP 1.1 and SOAP 1.2 messages in the previous examples. The first XPath expression selects Timestamp from the SOAP 1.1 message, and the second XPath expression selects Timestamp from the SOAP 1.2 message.
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']

/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']
The first two lines of the XPath expressions for each version are different, and the last two lines of the XPath expressions are the same. The difference between the two XPath expressions is the namespace in the Envelope and Header elements. The namespaces in the XPath expressions correspond to the namespaces in the SOAP 1.1 and SOAP 1.2 messages.
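The following added example (not part of the product documentation) builds the SOAP 1.1 and SOAP 1.2 expressions for a header element and checks each one against both message versions, showing that an expression written for one SOAP namespace selects nothing in a message of the other version. The helper names and the sample message are constructed for illustration, and the small evaluator handles only the namespace-uri()/local-name() step form shown above, not general XPath.

```python
import re
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STEP = re.compile(r"/\*\[namespace-uri\(\)='([^']*)' and local-name\(\)='([^']*)'\]")

def build_xpath(soap_ns, *header_path):
    """Build the expression for an element under the SOAP Header, one step per line."""
    steps = [(soap_ns, "Envelope"), (soap_ns, "Header"), *header_path]
    return "\n".join(f"/*[namespace-uri()='{ns}' and local-name()='{name}']"
                     for ns, name in steps)

def sample_message(soap_ns):
    """Constructed sample modeled on the Timestamp messages on this page."""
    return (f'<soapenv:Envelope xmlns:soapenv="{soap_ns}"><soapenv:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}">'
            f'<wsu:Timestamp wsu:Id="Timestamp-16" xmlns:wsu="{WSU}">'
            '<wsu:Created>2012-01-11T12:55:41.781Z</wsu:Created>'
            '<wsu:Expires>2012-01-11T15:42:21.781Z</wsu:Expires>'
            '</wsu:Timestamp></wsse:Security></soapenv:Header></soapenv:Envelope>')

def select(xpath, message):
    """Evaluate the restricted step form only; return the selected elements."""
    steps = STEP.findall(xpath)
    if not steps or STEP.sub("", xpath).strip():
        raise ValueError("unsupported XPath syntax")
    nodes = [ET.fromstring(message)]          # first step tests the document element
    for depth, (ns, name) in enumerate(steps):
        if depth > 0:                         # later steps test the children
            nodes = [child for node in nodes for child in node]
        nodes = [n for n in nodes if n.tag == f"{{{ns}}}{name}"]
    return nodes

def coverage(header_path):
    """Map (expression version, message version) -> number of elements selected."""
    versions = {"1.1": SOAP11, "1.2": SOAP12}
    return {(ev, mv): len(select(build_xpath(ens, *header_path), sample_message(mns)))
            for ev, ens in versions.items() for mv, mns in versions.items()}

if __name__ == "__main__":
    for key, count in coverage([(WSSE, "Security"), (WSU, "Timestamp")]).items():
        print("expression SOAP %s on message SOAP %s: %d match(es)" % (*key, count))
```

A count of 0 for a mismatched pair is the reason a JAX-WS policy needs both expressions for every element that must be signed or encrypted.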
About this task
This task describes how to build XPath expressions that are used to select an element to sign or encrypt in WS-Security. JAX-WS security configurations require separate XPath expressions for both SOAP 1.1 and SOAP 1.2, while JAX-RPC security configurations require XPath expressions only for SOAP 1.1.
If you want to select a SOAP message element that is commonly used in WS-Security, see option 1 to build XPath expressions using pre-built code segments. Otherwise, proceed to option 2 to learn how to build custom XPath expressions for other elements.

Procedure
Results
You built an XPath expression that selects an element of a SOAP 1.1 or SOAP 1.2 message header.
Example
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']
/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='UsernameToken']