The following code shows the processing that takes place within the invoke() method of an Apache Axis handler. This handler is the first in the chain of handlers. Assuming the signature verification succeeds, the next handler in the chain (aka the user service handler) is invoked. On failure, the target service is not invoked. The chain of handlers to invoke is specified as part of the SOAP engine configuration. In the case of Axis, it is part of the WSDD (Web Services Deployment Descriptor).
Server SOAP Processing
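Message inMsg = msgContext.getRequestMessage();
Message outMsg = msgContext.getResponseMessage();
// Verify signed message.
// Several calls in this listing are truncated; completions marked "assumed"
// use the standard Axis and Apache XML Security calls.
Document doc = ((org.apache.axis.SOAPPart) inMsg.getSOAPPart())
        .getAsSOAPEnvelope().getAsDocument();   // assumed completion
String baseURI = "http://xml-security";
// must match baseURI in client code
CachedXPathAPI xpathAPI = new CachedXPathAPI();
Element nsctx = doc.createElement("nsctx");
// Bind the ds: prefix so the XPath expression below resolves (assumed)
nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS);
Element signatureElem = (Element) xpathAPI.selectSingleNode(doc,
        "//ds:Signature", nsctx);   // assumed XPath expression
// Check to make sure that the document claims to have been signed
if (signatureElem == null) {
    // handle and log error
    throw new AxisFault("Request is not signed");
}
XMLSignature sig = new XMLSignature(signatureElem, baseURI);
// The argument is truncated in the listing. trustedKey is a placeholder for the
// sender's public key or X509Certificate, taken from a source the server trusts.
boolean verify = sig.checkSignatureValue(trustedKey);
if (!verify) {
    // signature verification failed -
    // do not forward request to SOAP Service.
    throw new AxisFault("Signature verification failed");
}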
As mentioned earlier, the SOAP Engine handles all requests that adhere to a specific URL. All of the existing SOAP engines on the market today either come as part of a pre-bundled J2EE application server and/or interoperate with leading application servers. The SOAP Engine parses the SOAP document, extracting the target service, which it maps to the appropriate Java class and method based on configuration. The Java method is invoked.
In most cases, if the SOAP Engine does not process the Signature header element, the Java class providing the Web Service will need to do so (or delegate the task to another component). This requires the service provider to know that the request came in as a SOAP request, which makes things more complicated. Alternatively, if you write a general SOAP handler, it should intercept all signed SOAP requests and extract the Signature header element and SOAP body element for signature verification purposes.
Once verification succeeds, the SOAP engine forwards (using SOAP Engine forwarding if available or a proprietary forwarding mechanism) the request to the target endpoint for processing. For example, in the code sample above, the SOAP Engine (Apache Axis) forwards the request to the next handler in the chain based on deployment descriptor information. If the SOAP engine has an interceptor for signature processing, make sure that this interceptor does the work rather than your handler.
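The handler chain described above is declared in the WSDD. The fragment below is an added example, not taken from the original article; the handler class, service name, service class and method name are hypothetical.

```xml
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

  <!-- Hypothetical handler class whose invoke() performs the
       signature verification shown in the listing above -->
  <handler name="VerifySignature"
           type="java:com.example.security.SignatureVerifyHandler"/>

  <!-- Hypothetical target service -->
  <service name="OrderService" provider="java:RPC">
    <!-- The request flow runs before the provider. A fault raised by
         this handler stops processing, so the service class below is
         never invoked for an unsigned or badly signed request. -->
    <requestFlow>
      <handler type="VerifySignature"/>
    </requestFlow>
    <parameter name="className" value="com.example.orders.OrderService"/>
    <parameter name="allowedMethods" value="placeOrder"/>
  </service>
</deployment>
```

A service deployed without this `<requestFlow>` entry is not covered by the handler. To cover every service, the same `<handler>` reference can be placed in the `<requestFlow>` of `<globalConfiguration>` in server-config.wsdd.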
When the appropriate method has been invoked and performs the requested action, it returns, unaware a SOAP client has invoked it. The SOAP Engine is responsible for bundling and encoding the response for submission to the client. The assumption here is that the response is not digitally signed.
Want To Ride the Wave?
Digitally signing a SOAP document is achievable and straightforward, and leveraging the existing set of SOAP and Digital Signature toolkits, both open source and commercial, can save time and effort.
The emerging industry standards for SOAP, digital signatures, and their intersection can be an enormous asset to businesses, enabling developers to build standards-compliant applications that are interoperable with other toolkits. However, the pieces of the puzzle don't fit quite yet: the actual integration point between SOAP processing and digital signature processing, especially on the server-side, needs some work.
Should this functionality be provided by a SOAP or Digital Signature toolkit? There is currently one SOAP engine (WASP by Systinet) that does so. In the future, perhaps other SOAP engines and/or digital signature toolkits will also offer this feature. With a rapidly changing industry landscape, it is important to track the development and acceptance of the SOAP specification (especially the SOAP-DSIG note) as well as the emerging XKMS standard to ensure that your applications are interoperable and ready to ride the wave.