You can develop and secure a Java™ API
for XML Web Services (JAX-WS) web service by using a WS-Security policy
in the IBM® WebSphere® Application Server Liberty profile.
The examples are provided as a tutorial to explain the general steps
that are involved in developing and securing a web service in the
Liberty profile. Do not use the examples in a production environment.
Review your own security requirements to develop the Web Services
Description Language (WSDL) contract and the WS-Security policy for
protecting your web service applications.
About this task
This task describes how to develop a simple JAX-WS web
service application and secure the application by using a WS-Security
policy.
This task uses two keystores: enc-sender.jceks and enc-receiver.jceks.
These are WS-Security sample keystores that are shipped in the full
profile. If you have access to a full profile installation, you can
obtain the sample keystores from one the following directories:
profile_root/etc/ws-security/samples
WASHOME/profileTemplates/defaultdocuments/etc/ws-security/samples
If
you do not have access to a full profile, a zip file that contains
all of the WS-Security sample keystores can be found here:http://www-01.ibm.com/support/docview.wss?uid=swg21507405&aid=1
Procedure
- Create the WSDL contract and WS-Security policy. In
this sample, a WSDL contract with a WS-Security policy for a JAX-WS
web service provider application is created. The WS-Security policy
template called UsernameToken
with X509Token asymmetric message protection (mutual authentication) is
used. The client signs and encrypts the SOAP body and signs and encrypts
the UsernameToken in the request message. In the response message,
the provider signs and encrypts the SOAP body. For a complete description
of the security constraints in this example, see UsernameToken with X509Token
asymmetric message protection (mutual authentication).
- Create a WSDL contract for your service. The
following example shows a sample WSDL contract:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
targetNamespace="http://com/ibm/was/wssample/sei/echo/">
<wsdl:types>
<xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:element name="echoStringResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoResponse" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="echoStringInput">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoInput" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
</wsdl:types>
<wsdl:message name="echoOperationRequest">
<wsdl:part element="tns:echoStringInput" name="parameter" />
</wsdl:message>
<wsdl:message name="echoOperationResponse">
<wsdl:part element="tns:echoStringResponse" name="parameter" />
</wsdl:message>
<wsdl:portType name="EchoServicePortType">
<wsdl:operation name="echoOperation">
<wsdl:input message="tns:echoOperationRequest" />
<wsdl:output message="tns:echoOperationResponse" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="echoOperation">
<soap:operation soapAction="echoOperation" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Echo1Service">
<wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
<soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
- Add the namespaces that are needed to support the security
policy to your WSDL in the wsdl:definitions element. The
following example shows the added namespaces:
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
- Add the WS-Security policy fragment to your WSDL just
before the wsdl:binding element. The policy template from UsernameToken with X509Token
asymmetric message protection (mutual authentication) is used
in this example.
- Add a wsp:PolicyReference for your security policy to
your wsdl:binding element. The following example shows
the wsp:PolicyReference:
<wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
- Verify that your final WSDL looks like the example. The following example shows the final WSDL:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" name="WSSampleSei"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
targetNamespace="http://com/ibm/was/wssample/sei/echo/">
<wsdl:types>
<xsd:schema targetNamespace="http://com/ibm/was/wssample/sei/echo/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:element name="echoStringResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoResponse" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="echoStringInput">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="echoInput" type="xsd:string" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
</wsdl:types>
<wsdl:message name="echoOperationRequest">
<wsdl:part element="tns:echoStringInput" name="parameter" />
</wsdl:message>
<wsdl:message name="echoOperationResponse">
<wsdl:part element="tns:echoStringResponse" name="parameter" />
</wsdl:message>
<wsdl:portType name="EchoServicePortType">
<wsdl:operation name="echoOperation">
<wsdl:input message="tns:echoOperationRequest" />
<wsdl:output message="tns:echoOperationResponse" />
</wsdl:operation>
</wsdl:portType>
<wsp:Policy wsu:Id="AsymmetricX509MutualAuthenticationWithUnt">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:EncryptSignature />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
<sp:RequireSignatureConfirmation />
</wsp:Policy>
</sp:Wss11>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:binding name="Echo1SOAP" type="tns:EchoServicePortType">
<wsp:PolicyReference URI="#AsymmetricX509MutualAuthenticationWithUnt" />
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="echoOperation">
<soap:operation soapAction="echoOperation" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Echo1Service">
<wsdl:port binding="tns:Echo1SOAP" name="Echo1ServicePort">
<soap:address location="http://localhost:8010/WSSampleSei/Echo1Service" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
- Create the web service application by using WSDL. This
step can be done before or after the WS-Security policy is added to
the WSDL. You can use supported tools to create a JAX-WS web service
application from the WSDL that was developed in the previous section.
The
following example shows a web service application that is developed
from the WSDL by using the Rational Application Developer (RAD) tool:
@javax.jws.WebService (endpointInterface="com.ibm.was.wssample.sei.echo.EchoServicePortType",
targetNamespace="http://com/ibm/was/wssample/sei/echo/",
serviceName="Echo1Service",
wsdlLocation = "WEB-INF/wsdl/Echo.wsdl",
portName="Echo1ServicePort")
public class Echo1SOAPImpl {
public EchoStringResponse echoOperation(EchoStringInput parameter) {
String strInput = (parameter == null ? "input_is_null" : parameter.getEchoInput() );
try {
com.ibm.was.wssample.sei.echo.EchoStringResponse strOutput = new EchoStringResponse();
strOutput.setEchoResponse( "Echo1SOAPImpl>>" + strInput );
return strOutput;
} catch (java.lang.Exception ex) {
ex.printStackTrace();
}
}
@WebService (name = "EchoServicePortType",
targetNamespace = "http://com/ibm/was/wssample/sei/echo/")
@SOAPBinding (parameterStyle = SOAPBinding.ParameterStyle.BARE)
@XmlSeeAlso ({
ObjectFactory.class
})
public interface EchoServicePortType {
@WebMethod (action = "echoOperation")
@WebResult (name = "echoStringResponse", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
public EchoStringResponse echoOperation(
@WebParam (name = "echoStringInput", targetNamespace = "http://com/ibm/was/wssample/sei/echo/", partName = "parameter")
EchoStringInput parameter);
}
The following code shows a managed web service
client that invokes a web service provider application:
@WebServlet("ClientServlet")
public class ClientServlet extends HttpServlet {
@WebServiceRef (value=Echo1Service.class, wsdlLocation="Echo.wsdl")
Echo1Service echo1Service;
public ClientServlet() {
super ();
}
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
processRequest(request, response);
}
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
processRequest(request, response);
}
private void processRequest(HttpServletRequest req,
HttpServletResponse resp) throws ServletException, IOException {
String endpointURL = “http://localhost:8010/WSSampleSei/Echo1Service”;
Echo1ServicePortProxy proxy = new Echo1ServicePortProxy(echo1Service);
proxy._getDescriptor().setEndpoint(endpointURL);
echoParm = new ObjectFactory().createEchoStringInput();
echoParm.setEchoInput(“Hello”);
String retval = proxy.echoOperation(echoParm).getEchoResponse();
}
}
The following example shows the file structure
of the web service provider application war file:
WEB-INF/web.xml
WEB-INF/wsdl/Echo.wsdl
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1SOAPImpl.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoServicePortType.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
The
following example shows the file structure of the web service client
application war file:
WEB-INF/web.xml
WEB-INF/wsdl/Echo.wsdl
WEB-INF/classes/com/ibm/was/wssample/client/ClientServlet.class
WEB-INF/classes/com/ibm/was/wssample/client/SampleClient.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1Service.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/Echo1ServicePortProxy.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringInput.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/EchoStringResponse.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/ObjectFactory.class
WEB-INF/classes/com/ibm/was/wssample/sei/echo/package-info.class
- Develop the callback handler. You must develop
a callback handler to retrieve the user name and keystore key passwords.
The user name password is used when you generate the UsernameTokens.
The keystore passwords are used for accessing the private keys in
the keystore. The callback handler must return plaintext passwords
and be packaged and installed as a Liberty profile's user feature.
The
following sample code illustrates a callback handler:
package com.ibm.ws.wssecurity.example.cbh;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSPasswordCallback;
public class SamplePasswordCallback implements CallbackHandler {
private Map<String, String> userPasswords = new HashMap<String, String>();
private Map<String, String> keyPasswords = new HashMap<String, String>();
public SamplePasswordCallback() {
// some example user passwords
userPasswords.put("user1", "user1pswd");
userPasswords.put("admin", "adminpswd");
// some example key passwords
keyPasswords.put("alice", "keypwsd");
keyPasswords.put("bob", "keypswd");
}
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
String id = pwcb.getIdentifier();
String pass = null;
switch (pwcb.getUsage()) {
case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
case WSPasswordCallback.USERNAME_TOKEN:
pass = userPasswords.get(id);
pwcb.setPassword(pass);
break;
case WSPasswordCallback.SIGNATURE:
case WSPasswordCallback.DECRYPT:
pass = keyPasswords.get(id);
pwcb.setPassword(pass);
break;
}
}
}
}
The following example shows the
MANIFEST.MF file
that is packaged with the callback handler:
Manifest-Version: 1.0
Bnd-LastModified: 1359415594428
Build-Identifier: SNAPSHOT-Mon Jan 28 17:26:34 CST 2013
Bundle-Copyright: The Program materials contained in this file are IBM
copyright materials. 5724-I63, 5724-J08, 5724-H89, 5724-H88, 5655-W65
Copyright International Business Machines Corp. 1999, 2012 All Rights
Reserved * Licensed Materials - Property of IBM US Government Users
Restricted Rights - Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Bundle-Description: An PasswordCallbackHandler; version=1.0.0
Bundle-ManifestVersion: 2
Bundle-Name: wssecuritycbh
Bundle-SymbolicName: com.ibm.ws.wssecurity.example.cbh
Bundle-Vendor: IBM
Bundle-Version: 1.0.0
Created-By: 1.6.0 (IBM Corporation)
Export-Package: com.ibm.ws.wssecurity.example.cbh;uses:="com.ibm.websphe
re.ras.annotation,javax.security.auth.callback";version="1.0.0"
Import-Package: com.ibm.websphere.ras,com.ibm.websphere.ras.annotation,c
om.ibm.ws.ffdc,javax.security.auth.callback,org.apache.ws.security;version="[1.6,2)"
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.6))"
Tool: Bnd-2.1.0.20120920-170235
WS-TraceGroup: WSSecurity
- Create a JAR file with the callback handler and the
feature manifest file - wsseccbh-1.0.mf. Create a JAR file that is called SampleCbh.jar with
the following contents:
META-INF/MANIFEST.MF
com/ibm/ws/wssecurity/example/cbh/SamplePasswordCallback.class
The
following example shows the
wsseccbh-1.0.mf file:
Subsystem-ManifestVersion: 1
Subsystem-SymbolicName: wsseccbh-1.0; visibility:=public
Subsystem-Version: 1.0.0
Subsystem-Content: com.ibm.ws.wssecurity.example.cbh; version="[1,1.0.100)";
location:="lib/"; type="osgi.bundle"; start-phase:=APPLICATION_EARLY
Subsystem-Type: osgi.subsystem.feature
IBM-Feature-Version: 2
IBM-API-Package: com.ibm.ws.wssecurity.example.cbh; version="1.0"; type="internal"
- Copy the callback handler JAR file and the feature manifest
file under the Liberty profile's user directory. The following
example shows where the callback handler JAR file and the feature
manifest file are copied:
build.image/wlp/usr/extension/lib/SampleCbh.jar
build.image/wlp/usr/extension/lib/features/wsseccbh-1.0.mf
- Configure WS-Security in the Liberty profile server. Enable the WS-Security feature in the Liberty profile server
configuration file: server.xml and configure
WS-Security for the sample web service client and provider application
that is developed in the previous sections.
The following example
shows how to configure WS-Security:
<server>
<featureManager>
<feature>usr:wsseccbh-1.0</feature>
<feature>servlet-3.0</feature>
<feature>appSecurity-2.0</feature>
<feature>jsp-2.2</feature>
<feature>jaxws-2.2</feature>
<feature>wsSecurity-1.1</feature>
</featureManager>
<basicRegistry id="basic" realm="customRealm">
<user name="user1" password="user1pswd" />
<user name="user2" password="user2pswd" />
</basicRegistry>
<wsSecurityProvider id="default"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
ws-security.signature.username="bob">
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="bob"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
<encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="alice"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-receiver.jceks" />
</wsSecurityProvider>
<wsSecurityClient id="default"
ws-security.password="security"
ws-security.username="user1"
ws-security.callback-handler="com.ibm.ws.wssecurity.example.cbh.SamplePasswordCallback"
ws-security.encryption.username="alice">
<signatureProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="alice"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks"/>
<encryptionProperties org.apache.ws.security.crypto.merlin.keystore.type="jceks"
org.apache.ws.security.crypto.merlin.keystore.password="storepswd"
org.apache.ws.security.crypto.merlin.keystore.alias="bob"
org.apache.ws.security.crypto.merlin.file="${server.config.dir}/enc-sender.jceks" />
</wsSecurityClient>
</server>
Results
You secured a web service by using a WS-Security policy.
Example
The sample WS-Security policy that was created in the first
step generates SOAP request and response messages that are similar
to the following messages.
The following example shows the SOAP
request message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-B1165B2A578AFFC7D613649595665924">...
</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2013-04-03T03:26:06.549Z</wsu:Created>
<wsu:Expires>2013-04-03T03:31:06.549Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595666705">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Bob,O=IBM,C=US</ds:X509IssuerName>
<ds:X509SerialNumber>24054675667389</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-4"></xenc:DataReference>
<xenc:DataReference URI="#ED-5"></xenc:DataReference>
<xenc:DataReference URI="#ED-6"></xenc:DataReference>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-1788936596">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595666705"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
The following example shows
a SOAP response message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-7">
<wsu:Created>2013-04-03T03:26:07.286Z</wsu:Created>
<wsu:Expires>2013-04-03T03:31:07.286Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-B1165B2A578AFFC7D613649595673129">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Alice,O=IBM,C=US</ds:X509IssuerName>
<ds:X509SerialNumber>24054530212598</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-10"></xenc:DataReference>
<xenc:DataReference URI="#ED-11"></xenc:DataReference>
<xenc:DataReference URI="#ED-12"></xenc:DataReference>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-12"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-11"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-2035943749">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-10"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-B1165B2A578AFFC7D613649595673129"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
What to do next
You can now develop your own WSDL file and protect the web
service application by using a WS-Security policy that matches your
security requirements.