Browse DevX
Sign up for e-mail newsletters from DevX


WSE 2.0: Get Your .NET Web Services Security Up to Spec : Page 4

Microsoft's Web Services Enhancements for .NET (WSE) 2.0 toolkit improves existing specifications such as WS-Security. This article examines its WS-Security improvements and shows how you can upgrade your Web services to WSE 2.0.




Building the Right Environment to Support AI, Machine Learning and Deep Learning

Signing SOAP Messages
When you assign only a UsernameToken to your SOAP message, you cannot assure that the message was not altered during transport. So what can you do to ensure an uncompromised message? You can sign your SOAP message with a XML digital signature. The signature itself is unique for your message. If someone changes only a bit of your message then the signature changes and the receiver of your message knows that the message was changed during transport. The signature itself contains a hash, which is computed with the entire content of your SOAP message. When the message arrives at the other endpoint, then the receiver also computes a hash with the content of the incoming message. This hash is then compared with the hash contained in the sent SOAP message. If both hashes match, the receiver knows that no one else has changed the message during the transport.

The following listing shows how you can sign a SOAP message with an X.509 certificate (This sample uses the function FindCertificateByKeyIdentifier to find the appropriate certificate with the requested ID):

public static string ClientBase64KeyID = "ODytWwSUPj9/uGbXZTAdEhhzxLE="; public void CallWebService() { PDCRegistrationProxy proxy = new PDCRegistrationProxy(); SoapContext requestContext = proxy. RequestSoapContext; X509SecurityToken token = GetSigningToken(); if (token == null) throw new Exception( "X.509 certificate couldnt be found!"); SignupRequest request = new SignupRequest(); request.Name = "Klaus Aschenbrenner"; request.Address = Microsoft One Way"; request.CreditCardNumber = "123"; requestContext.Security.Tokens.Add(token); requestContext.Security.Elements.Add( new Signature(token)); SignupResponse response = proxy.SignupForPDC(request); Console.WriteLine(response.RegistrationNumber); } private X509SecurityToken GetSigningToken() { X509SecurityToken token = null; X509CertificateStore store = X509CertificateStore. CurrentUserStore(X509CertificateStore.MyStore); if (!store.OpenRead()) return null; X509CertificateCollection certs = store.FindCertificateByKeyIdentifier (Convert.FromBase64String(ClientBase64KeyID)); if (certs.Count > 0) token = new X509SecurityToken( (X509Certificate(certs[0])); return token; }

When you use an XML digital signature to sign your SOAP message, then the section <wsse:Security> of the SOAP header contains a new section called <Signature>. This new section contains all the information needed for the XML digital signature. Here you will find the following three subsections:

  • <SignedInfo>
  • <SignatureValue>
  • <KeyInfo>

The section <SignedInfo> lists the elements that are signed in the SOAP message. For each element, a <Reference> section is created. The <Reference> section contains a unique ID (an URI) that refers to the signed element in the SOAP message. The following listing shows a simple example:

<Signature> <SignedInfo> ... <Reference Uri= "#Id-14c396ab-470c-4d08-857b-00a961fdd606"> ... </Reference> ... </SignedInfo> </Signature>

For each ID listed in the <Reference> section a corresponding element with the same ID exists within the SOAP message. Through this mechanism the WSE can create a link between the signature and the signed elements in the SOAP message. The section <SignatureValue> contains the value of the XML digital signature, and the section <KeyInfo> contains a reference to the SecurityToken that was used to sign the elements referred in the <SignedInfo> section.

When you use the default settings, the following elements of a SOAP message are signed:

  • soap:Envelope/soap:Header/wsa:To
  • soap:Envelope/soap:Header/wsa:Action
  • soap:Envelope/soap:Header/wsa:MessageID
  • soap:Envelope/soap:Header/wsa:From/wsa:Address
  • soap:Envelope/soap:Header/wsu:Timestamp/wsu:Created
  • soap:Envelope/soap:Header/wsu:Timestamp/wsu:Expires
  • soap:Envelope/soap:Body

As you can see, a lot of pieces of the SOAP message are signed. Therefore, the size of the message is also increasing. So you also can sign only specified elements of a SOAP message. To indicate these elements, the WSE provides the property SignatureOptions in the class Signature. With this property you can explicitly say which elements must be signed. Furthermore, you can also sign user-defined SOAP headers. On the server side the WSE checks if the signature of your SOAP message is correct. If it's not okay, the SOAP message is rejected through the WSE and is not processed further. The nice thing is that you don't have to write any code to check the signature on the server side--it's all done through the implementation of the WSE!

Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date