This morning I wrote about The GXA security specifications. I took some time this evening to read through the specification and thought an example might be helpful. This example is quoted from the specification:
    <?xml version="1.0" encoding="utf-8"?>
    <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <S:Header>
        <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext">
          <wsse:UsernameToken wsu:Id="MyID">
            <wsse:Username>Zoe</wsse:Username>
            <wsse:Nonce>FKJh...</wsse:Nonce>
            <wsu:Created>2001-10-13T09:00:00Z</wsu:Created>
          </wsse:UsernameToken>
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
              <ds:Reference URI="#MsgBody">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#MyID"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </S:Header>
      <S:Body wsu:Id="MsgBody">
        <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ </tru:StockSymbol>
      </S:Body>
    </S:Envelope>
There are a few things to remember as you look at the specification:
- The SOAP envelope has been extended to accommodate the security portions.
- The security standard makes use of XML Signature specification (ds namespace).
- The signature has to reference other elements of the message (i.e. the part the signature applies to) and uses the Id attribute in the wsu namespace to do this.
Deconstructing this example is fairly straightforward. The SOAP envelope header contains a single element, <wsse:Security...>, which contains the UsernameToken and the digital signature information. The signature contains information about how the signature was computed (canonicalization, signature and digest algorithms), the reference to the message body (to indicate what portion the signature applies to), and the signature value itself. Notice that the specification doesn't fix the algorithm; each method is referenced by URI so that both ends know what to do. If a better algorithm comes along next year, it can be used without any fuss. The final portion is the actual body of the message which, in this case, contains a stock symbol.
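To make the moving parts concrete, here is an added example (my code, not the page's and not the specification's) that builds an envelope in the shape of the one quoted above and then verifies it the way a receiver would: resolve the Reference URI to the element carrying that wsu:Id, recompute the digest over its canonical form, then check the HMAC over the canonical SignedInfo. Two things are assumptions because the page does not supply them: the wsu namespace URI (the excerpt uses the prefix without declaring it) and the HMAC key, which is a constructed shared secret. Canonicalization is also a stand-in: the stdlib's C14N 2.0 (xml.etree.ElementTree.canonicalize, Python 3.8+) is used where the spec example names Exclusive C14N 1.0, so this interoperates only with itself.

```python
"""Signed SOAP envelope shaped like the WS-Security example above.

Added example; not code from the page or from the specification. Deliberate
stand-ins: C14N 2.0 in place of Exclusive C14N 1.0, and a constructed HMAC key
(the page does not say how the key behind the UsernameToken is obtained).
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs as quoted on the page; WSU is an ASSUMPTION (prefix undeclared in the excerpt).
S = "http://www.w3.org/2001/12/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://schemas.xmlsoap.org/ws/2002/xx/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/xx/utility"  # assumed
TRU = "http://fabrikam123.com/payloads"
for prefix, uri in {"S": S, "ds": DS, "wsse": WSSE, "wsu": WSU, "tru": TRU}.items():
    ET.register_namespace(prefix, uri)

# Algorithm URIs from the example: both ends agree on the method by URI.
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHARED_KEY = b"constructed-demo-secret"  # constructed; not from the page


def q(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def canon(elem):
    """Canonical bytes of one element. Stand-in for exc-c14n: stdlib C14N 2.0."""
    node = copy.deepcopy(elem)
    node.tail = None  # tostring() would otherwise append the element's tail text
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()


# Dispatch tables keyed by Algorithm URI; any URI not listed here is rejected.
C14N = {EXC_C14N: canon}
DIGEST = {SHA1: lambda data: hashlib.sha1(data).digest()}
MAC = {HMAC_SHA1: lambda key, data: hmac.new(key, data, hashlib.sha1).digest()}


def build_envelope(username, symbol, key):
    """Header/wsse:Security with UsernameToken + Signature over the Body."""
    env = ET.Element(q(S, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(S, "Header")), q(WSSE, "Security"))
    tok = ET.SubElement(sec, q(WSSE, "UsernameToken"), {q(WSU, "Id"): "MyID"})
    ET.SubElement(tok, q(WSSE, "Username")).text = username
    ET.SubElement(tok, q(WSSE, "Nonce")).text = base64.b64encode(b"constructed-nonce").decode()
    ET.SubElement(tok, q(WSU, "Created")).text = "2001-10-13T09:00:00Z"
    body = ET.SubElement(env, q(S, "Body"), {q(WSU, "Id"): "MsgBody"})
    ET.SubElement(body, q(TRU, "StockSymbol")).text = symbol

    sig = ET.SubElement(sec, q(DS, "Signature"))
    si = ET.SubElement(sig, q(DS, "SignedInfo"))
    ET.SubElement(si, q(DS, "CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(si, q(DS, "SignatureMethod"), Algorithm=HMAC_SHA1)
    ref = ET.SubElement(si, q(DS, "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q(DS, "DigestMethod"), Algorithm=SHA1)
    digest = DIGEST[SHA1](C14N[EXC_C14N](body))
    ET.SubElement(ref, q(DS, "DigestValue")).text = base64.b64encode(digest).decode()
    # The MAC covers SignedInfo, and SignedInfo carries the digest of the Body.
    mac = MAC[HMAC_SHA1](key, C14N[EXC_C14N](si))
    ET.SubElement(sig, q(DS, "SignatureValue")).text = base64.b64encode(mac).decode()
    ref_holder = ET.SubElement(ET.SubElement(sig, q(DS, "KeyInfo")), q(WSSE, "SecurityTokenReference"))
    ET.SubElement(ref_holder, q(WSSE, "Reference"), URI="#MyID")
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, key):
    """Return (ok, reason); any failed check is a reason to drop the message."""
    env = ET.fromstring(xml_text)
    sig = env.find("./%s/%s/%s" % (q(S, "Header"), q(WSSE, "Security"), q(DS, "Signature")))
    if sig is None:
        return False, "no signature"
    try:
        si = sig.find(q(DS, "SignedInfo"))
        ref = si.find(q(DS, "Reference"))
        c14n = C14N.get(si.find(q(DS, "CanonicalizationMethod")).get("Algorithm"))
        mac = MAC.get(si.find(q(DS, "SignatureMethod")).get("Algorithm"))
        digest = DIGEST.get(ref.find(q(DS, "DigestMethod")).get("Algorithm"))
    except AttributeError:
        return False, "malformed SignedInfo"
    if None in (c14n, mac, digest):
        return False, "unsupported algorithm"
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return False, "only same-document references are accepted"
    # Resolve wsu:Id ourselves: it must be unique and must be the real S:Body,
    # so no other element carrying that Id can stand in for the body.
    targets = [el for el in env.iter() if el.get(q(WSU, "Id")) == uri[1:]]
    if len(targets) != 1 or targets[0] is not env.find(q(S, "Body")):
        return False, "reference does not cover the Body"
    want = base64.b64decode(ref.find(q(DS, "DigestValue")).text)
    if not hmac.compare_digest(digest(c14n(targets[0])), want):
        return False, "digest mismatch"
    want = base64.b64decode(sig.find(q(DS, "SignatureValue")).text)
    if not hmac.compare_digest(mac(key, c14n(si)), want):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    msg = build_envelope("Zoe", "QQQ", SHARED_KEY)
    print(verify_envelope(msg, SHARED_KEY))                         # (True, 'ok')
    print(verify_envelope(msg.replace("QQQ", "MSFT"), SHARED_KEY))  # (False, 'digest mismatch')
```

The verifier deliberately looks the Algorithm URIs up in small tables and refuses anything it does not know, which is the flip side of the flexibility the text describes: the sender may name any method, but the receiver decides which ones it will honour. It also resolves the `#MsgBody` reference itself and insists the referenced element is the one and only `S:Body`, rather than trusting whatever element happens to carry that Id.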
There's obviously much more to the spec than this simple example, but if you understand what's going on here, the rest is just options, alternatives, and details. Encryption would be similar, except it would reference the XML Encryption specification and some of the details would change. And, of course, the SOAP body would be gobbledygook.