To secure SOAP messages on the consumer side, use the Web Services Security APIs (WSS API) to configure the verify parts information for the consumer binding on the response consumer (client side). You can specify which parts of the SOAP message must carry a valid signature and which algorithms the consumer will accept for that signature. Use the WSSVerifyPart API to change the digest method or the transform method that the consumer accepts. The WSSVerifyPart API is part of the com.ibm.websphere.wssecurity.wssapi.verification package.
To secure SOAP messages using the signing verification information, you must complete one of the following tasks:
WebSphere Application Server uses the signing information for the default consumer to verify the signed parts of the message. The WSSVerifyPart API is only supported on the response consumer (requester).
The following table shows the required verification parts when the digital signature security constraint (integrity) is defined:

Verify parts information | Description
---|---
keyword | Sets the verify parts using a keyword (for example, WSSVerification.BODY, as in the sample code). The WS-Addressing headers are not decrypted but can be signed and verified.
xpath | Sets the verify parts using an XPath expression.
header | Sets the header, specified by QName, as a required verify part.
For signature verification, certain default behaviors occur. The simplest way to use the WSSVerification API is to rely on the default behavior (see the example code). The WSS API defines default values for the digest algorithm, the transform (canonicalization) algorithm, and the verify parts; you only need WSSVerifyPart when you want to require additional parts or restrict the accepted algorithms.
Verify parts decisions | Default behavior
---|---
Which keywords to specify | The SOAP message parts whose signatures must be verified for message protection. WebSphere Application Server supports a fixed set of keywords; the sample code uses WSSVerification.BODY.
Which transform method to use (algorithm) | Adds an allowed transform method. The transform algorithm is specified within the <Transform> element of the signature. The default transform method is TRANSFORM_EXC_C14N (exclusive XML canonicalization). WebSphere Application Server supports several pre-configured transform algorithms; the sample code additionally allows TRANSFORM_STRT10 (the WS-Security STR Dereference transform).
Which digest method to use (algorithm) | Adds an allowed digest method. The digest algorithm is specified within the <DigestMethod> element inside the signature's <SignedInfo> element. The default digest method is SHA1. WebSphere Application Server supports several digest method algorithms; the sample code allows SHA256. Because SHA-1 is no longer considered collision resistant, a consumer that must resist signature forgery should add SHA256 as the allowed digest method rather than relying on the SHA1 default, and should confirm in the product API reference whether adding a candidate replaces the default or is appended to it, since this page does not say.
The following example provides sample code for the WSSVerification API process for verifying the signing information in a SOAP message. The code is shown as a single in-line sequence (getMessageContext() is assumed to return the current JAX-WS/JAX-RPC message context):

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

// Get the message context
Object msgcontext = getMessageContext();

// Generate the WSSFactory instance (step: a)
WSSFactory factory = WSSFactory.getInstance();

// Generate the WSSConsumingContext instance (step: b)
WSSConsumingContext concont = factory.newWSSConsumingContext();

// Generate the certificate list
// The location of the X509 certificate file (trust anchor for the signer's certificate path)
String certpath = "c:/WebSphere/AppServer/etc/ws-security/samples/intca2.cer";
X509Certificate x509cert = null;
try {
    InputStream is = new FileInputStream(certpath);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    x509cert = (X509Certificate) cf.generateCertificate(is);
    is.close();
} catch (FileNotFoundException e1) {
    throw new WSSException(e1);
} catch (CertificateException e2) {
    throw new WSSException(e2);
} catch (java.io.IOException e3) {
    throw new WSSException(e3);
}
Set<Object> eeCerts = new HashSet<Object>();
eeCerts.add(x509cert);

// Create the CertStore that holds the trusted certificates
java.util.List<CertStore> certList = new java.util.ArrayList<CertStore>();
CollectionCertStoreParameters certparam = new CollectionCertStoreParameters(eeCerts);
CertStore cert = null;
try {
    cert = CertStore.getInstance("Collection", certparam, "IBMCertPath");
} catch (NoSuchProviderException e1) {
    throw new WSSException(e1);
} catch (InvalidAlgorithmParameterException e2) {
    throw new WSSException(e2);
} catch (NoSuchAlgorithmException e3) {
    throw new WSSException(e3);
}
certList.add(cert);

// Generate the callback handler (step: c)
// Keystore file, keystore type, keystore password, trusted CertStores, certificate path provider
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
    "dsig-receiver.ks",
    "jks",
    "server".toCharArray(),
    certList,
    java.security.Security.getProvider("IBMCertPath"));

// Generate the WSSVerification instance (step: d)
WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

// Create the WSSVerifyPart that names the part to be verified (step: e)
WSSVerifyPart verPart = factory.newWSSVerifyPart();

// Set the part to be specified by the keyword (step: f)
verPart.setRequiredVerifyPart(WSSVerification.BODY);

// Set the candidates for the digest method for verification (step: g)
// DEFAULT : WSSVerifyPart.SHA1
verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

// Set the candidates for the transform method for verification (step: h)
// DEFAULT : WSSVerifyPart.TRANSFORM_EXC_C14N
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

// Add the WSSVerifyPart to the WSSVerification (step: i)
ver.addRequiredVerifyPart(verPart);

// Add the WSSVerification to the WSSConsumingContext (step: j)
concont.add(ver);

// Validate the WS-Security header (step: k); throws WSSException on failure
concont.process(msgcontext);
```
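The sample above requires only the Body. The table of verify parts information also allows a header to be required by QName, and a practitioner who wants signature coverage over an application header (so that a relay cannot swap it without invalidating the signature) needs one WSSVerifyPart per part. The following is an added example, not code from the IBM documentation or product samples. It assumes a hypothetical application header OrderId in the namespace http://example.com/orders, that the callback handler has been built exactly as in the sample above, and that the header-selecting method is named setRequiredVerifyPartByHeader(QName); that method name is an assumption to be checked against the product API reference, since this page names the "header" option but not its method.

```java
import javax.xml.namespace.QName;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

/**
 * Added example (not IBM sample code): a response consumer that requires
 * BOTH the SOAP Body and an application header to be signed, and accepts
 * only SHA-256 digests with exclusive C14N for those parts.
 */
public class StrictResponseVerifier {

    // Hypothetical application header that the provider is expected to sign.
    private static final QName ORDER_ID_HEADER =
        new QName("http://example.com/orders", "OrderId");

    /**
     * Builds one WSSVerification carrying two required verify parts.
     * The callback handler supplies the trust anchors, as in the page's sample.
     */
    public static WSSVerification buildStrictVerification(
            WSSFactory factory, X509ConsumeCallbackHandler callbackHandler)
            throws WSSException {

        WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

        // Part 1: the Body, selected by keyword (same as the page's sample).
        WSSVerifyPart bodyPart = factory.newWSSVerifyPart();
        bodyPart.setRequiredVerifyPart(WSSVerification.BODY);
        bodyPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);          // do not rely on the SHA1 default
        bodyPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N); // the default, stated explicitly
        ver.addRequiredVerifyPart(bodyPart);

        // Part 2: an application header selected by QName.
        // ASSUMPTION: the header-selecting method is setRequiredVerifyPartByHeader(QName).
        WSSVerifyPart headerPart = factory.newWSSVerifyPart();
        headerPart.setRequiredVerifyPartByHeader(ORDER_ID_HEADER);
        headerPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);
        headerPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N);
        ver.addRequiredVerifyPart(headerPart);

        return ver;
    }

    /**
     * Registers the verification on a consuming context and processes the
     * message (step k on the page). A response whose Body or OrderId header
     * is unsigned, or whose signature cannot be validated against the
     * callback handler's trust anchors, makes process() throw WSSException.
     */
    public static void verify(Object msgcontext, X509ConsumeCallbackHandler callbackHandler)
            throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSConsumingContext concont = factory.newWSSConsumingContext();
        concont.add(buildStrictVerification(factory, callbackHandler));
        concont.process(msgcontext);
    }
}
```

Each WSSVerifyPart names exactly one part, so requiring several parts means adding several parts to the same WSSVerification; the algorithm restrictions are per part and have to be repeated. Whether adding SHA256 as an allowed digest removes the SHA1 default or merely adds a second candidate is not stated on this page, so test a SHA-1-signed response against this configuration before depending on it as a downgrade control.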