4.8.4.2: SOAP signature components

An overview of the SOAP signature architecture is illustrated in the figure below.

Using the SOAP transport hook, you can plug in the security components:

  • signer
  • verifier with logging capability

The transport hook is called the EnvelopeEditor. A PluggableEnvelopeEditor is also provided, which allows you to plug in your security components. As illustrated, the EnvelopeEditor is encapsulated in the SOAPTransport on the client side. On the server side, EnvelopeEditor is encapsulated in RPC/MessageRouterServlet. This means the same components can be used on either side.

When a client application sends a request, the request is signed and transmitted to the server. At the server side, the request is verified and delivered to a server application or, in the case of an RPC, to a Java object. The response is processed in the same manner. The verifier component also has a logging function to log the verified messages in a file. Signature and verifier components are configurable. You can specify encryption, message digest algorithm, certificate path policy, and other security technologies.

Signature Components

There are two signature components:

Signature Header Handler (SHH)

    The Signature Header Handler is an XML-based configuration file, which enables:
    • Template for <SignedInfo> (for customizing references, sign/hash algorithms, C14N algorithms, optional timestamp)
    • Template for <KeyInfo> (for customizing the public key such as X.509 certificate)

Verification Header Handler (VHH)

    The Verification Header Handler is an XML-based configuration file, which enables:
    • Configurable policy (required scope of signature, trusted root, certstore, certpathchecker). More sophisticated policy, such as timestamp validation, may not be included in the 2/15 deliverable.
    • Exit for logging (additional application-specific verification). A reference implementation of the logging component is also provided.
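
The signer and verifier roles described above, sketched with the JDK's standard XML Digital Signature API (javax.xml.crypto.dsig) instead of the EnvelopeEditor components. This is an added example, not code from the product or its samples. The sample envelope, the Id value "body", the class name and the throwaway RSA key (standing in for a keystore entry and its X.509 certificate) are assumptions; the verifier checks the signature against a key it already trusts and requires the signature to cover the Body, then repeats the check on a Body altered after signing.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SoapSignatureSketch {            // hypothetical class name
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");

    // Verifier side: valid under the trusted key AND covering the Body (required scope).
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        DOMValidateContext vc = new DOMValidateContext(trusted,
            doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        XMLSignature sig = F.unmarshalXMLSignature(vc);
        boolean coversBody = false;
        for (Object r : sig.getSignedInfo().getReferences())
            coversBody |= "#body".equals(((Reference) r).getURI());
        return coversBody && sig.validate(vc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample envelope; the Body carries the Id that the signature references.
        String xml = "<e:Envelope xmlns:e='http://schemas.xmlsoap.org/soap/envelope/'>"
            + "<e:Header/><e:Body Id='body'><getQuote>IBM</getQuote></e:Body></e:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element header = (Element) doc.getDocumentElement().getFirstChild();
        Element body = (Element) header.getNextSibling();
        body.setIdAttribute("Id", true);      // lets the "#body" reference resolve
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // throwaway key (assumption), not a keystore entry

        // Signer side: the choices a <SignedInfo> template fixes (reference, digest, C14N, signature algorithm).
        Reference ref = F.newReference("#body", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = F.getKeyInfoFactory();   // <KeyInfo> carries a bare key value here, not a certificate
        F.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic()))))
            .sign(new DOMSignContext(kp.getPrivate(), header));   // <Signature> is placed in the SOAP Header

        System.out.println("as signed: " + verify(doc, kp.getPublic()));
        body.getFirstChild().setTextContent("XYZ");   // Body changed after signing
        System.out.println("altered:   " + verify(doc, kp.getPublic()));
    }
}
```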

The digital signature configuration can be changed by editing the configuration for the following components:

SOAP Security-related Files

The following table provides an inventory of the SOAP security elements contained in the SOAP security samples module (soapsec.war), as a quick reference for SOAP security topics.

| Path | Contents | Description |
|------|----------|-------------|
| /installedApps/soapsamples.ear/soapsec.war | WEB-INF, conf, key, log, etc. | Home of the soap security servlets |
| /installedApps/soapsamples.ear/soapsec.war/WEB-INF | web.xml | Servlet configuration file for SOAP security samples |
| /installedApps/soapsamples.ear/soapsec.war/conf | config files | Configuration files for envelope editors and signature components |
| /installedApps/soapsamples.ear/soapsec.war/key | SOAPclient, SOAPserver | See article Keystore files for more information. |
| /installedApps/soapsamples.ear/soapsec.war/logs | Log files | Logs generated during security exchange |
| /installedApps/soapsamples.ear/ServerSamplesCode/src/<service_name> | server side samples | Source for both the non-secure and secure samples |
| /installedApps/soapsamples.ear/ClientCode/nt_bat | scripts to run client samples | Batch files for invoking the client side samples to interact with the server-side services |
| /installedApps/soapsamples.ear/ClientCode/unix_scripts | scripts to run client samples | Batch files for invoking the client side samples to interact with the server-side services |
| /installedApps/soapsamples.ear/ClientCode/data | data files used by samples | |
| /installedApps/soapsamples.ear/ClientCode/src | client side samples source | |
| /lib | soap.jar, soap-sec.jar, ws-soap-ext.jar | Location of all jar files |