Supporting Digital Signatures Within SOAP Messages : Page 6

Historically, digital signatures have handled the job of data validation and encryption in Web services. But new developments in XML specifications are improving security in SOAP messaging. Get the details on the specification changes and find out how to use them to enhance Web services security.

Code Sample
The following code shows the processing that takes place within the invoke() method of an Apache Axis handler. This handler is the first in the chain of handlers. Assuming the signature verification succeeds, the next handler in the chain (aka the user service handler) is invoked. On failure, the target service is not invoked. The chain of handlers to invoke is specified as part of the SOAP engine configuration. In the case of Axis, it is part of the WSDD (Web Services Deployment Descriptor).

import org.apache.axis.AxisFault;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xpath.CachedXPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SignatureVerificationHandler extends BasicHandler {

    // org.apache.xml.security.Init.init() must have been called once before the
    // XML Security library is used (typically at handler initialization).
    public void invoke(MessageContext msgContext) throws AxisFault {
        try {
            Message inMsg = msgContext.getRequestMessage();

            // Verify signed message
            Document doc = inMsg.getSOAPPart().getAsSOAPEnvelope().getAsDocument();
            String baseURI = "http://xml-security"; // must match baseURI in client code

            // Resolve the ds: prefix so the XPath can locate the Signature element
            CachedXPathAPI xpathAPI = new CachedXPathAPI();
            Element nsctx = doc.createElement("nsctx");
            nsctx.setAttribute("xmlns:ds", Constants.SignatureSpecNS);
            Element signatureElem =
                (Element) xpathAPI.selectSingleNode(doc, "//ds:Signature", nsctx);

            // Check to make sure that the document claims to have been signed.
            // Throwing an AxisFault stops the handler chain; a plain return would
            // let Axis go on to invoke the target service.
            if (signatureElem == null) {
                throw new AxisFault("Request is not signed");
            }

            XMLSignature sig = new XMLSignature(signatureElem, baseURI);
            // The key here comes from the message's own KeyInfo, so the handler must
            // also confirm that key belongs to a trusted signer before relying on it.
            boolean verify = sig.checkSignatureValue(sig.getKeyInfo().getPublicKey());
            if (!verify) {
                // signature verification failed -
                // do not forward request to SOAP Service.
                throw new AxisFault("Signature verification failed");
            }
        } catch (AxisFault fault) {
            throw fault;
        } catch (Exception e) {
            throw AxisFault.makeFault(e);
        }
    }
}

Server SOAP Processing
As mentioned earlier, the SOAP Engine handles all requests that arrive at a specific URL. All of the SOAP engines on the market today either ship as part of a J2EE application server, interoperate with the leading application servers, or both. The SOAP Engine parses the SOAP document and extracts the target service, which it maps to the appropriate Java class and method based on its configuration, and then invokes that Java method.

In most cases, if the SOAP Engine does not process the Signature header element, the Java class providing the Web Service will need to do so (or delegate the task to another component). This forces the service implementation to know that the request came in as a SOAP request, which complicates it. Alternatively, if you write a general SOAP handler, it should intercept all signed SOAP requests and extract the Signature header element and the SOAP body element for signature verification.

Once verification succeeds, the SOAP engine forwards (using SOAP Engine forwarding if available or a proprietary forwarding mechanism) the request to the target endpoint for processing. For example, in the code sample above, the SOAP Engine (Apache Axis) forwards the request to the next handler in the chain based on deployment descriptor information. If the SOAP engine has an interceptor for signature processing, make sure that this interceptor does the work rather than your handler.
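The two paragraphs above describe what a general server-side handler has to do: locate the Signature header, confirm that what it signs is the SOAP Body, verify it, and forward the request only on success. The following is an added example written for this page, not code from the article or from Apache Axis, that models those checks in plain Python so they can be run offline. It deliberately simplifies the real stack: the signature is an XML-DSig-style HMAC-SHA256 over SignedInfo rather than an RSA signature, Python's built-in C14N 2.0 canonicalizer stands in for the exclusive C14N that XML Security toolkits use, and the envelope, key name, and trust store are constructed values. The point it adds to the prose is the order of checks: reference coverage of the Body first, then the digest, then a key resolved from the server's own trust store by name (never key material carried inside the message), and only then the signature value.

```python
"""Model of the checks a server-side SOAP signature handler should make before
forwarding a request. Added example (not the article's or Axis's code); uses an
HMAC-SHA256 "signature" and C14N 2.0 as stand-ins for the real XML-DSig stack.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("soap", SOAP)
ET.register_namespace("ds", DS)
NS = {"soap": SOAP, "ds": DS}

# Constructed trust store: the server verifies only with keys it already holds.
TRUSTED_KEYS = {"partner-a": b"constructed-shared-secret-for-partner-a"}

# Constructed, unsigned request as a client would build it (Id marks the Body).
UNSIGNED_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Header/>'
    '<soap:Body Id="body"><transfer><amount>100</amount></transfer></soap:Body>'
    '</soap:Envelope>'
)


def c14n(elem):
    """Canonical bytes of a subtree, so signer and verifier hash the same thing."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def b64(raw):
    return base64.b64encode(raw).decode()


def sign_envelope(envelope_xml, key_name, key):
    """Client side: add a ds:Signature header whose Reference covers the Body."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    sig = ET.SubElement(header, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#" + body.get("Id"))
    ET.SubElement(ref, f"{{{DS}}}DigestMethod",
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(hashlib.sha256(c14n(body)).digest())
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    # KeyInfo only names the key; the key itself never travels in the message.
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(root, encoding="unicode")


def verify_soap_request(envelope_xml):
    """Server-side handler logic. Returns (accepted, reason); the SOAP engine
    should raise a fault and skip the target service whenever accepted is False."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("soap:Header/ds:Signature", NS)
    if sig is None:
        return False, "request is not signed"
    body = root.find("soap:Body", NS)
    signed_info = sig.find("ds:SignedInfo", NS)
    ref = signed_info.find("ds:Reference", NS) if signed_info is not None else None
    if body is None or ref is None:
        return False, "malformed signature"
    # A valid signature over something other than the Body proves nothing about
    # the request, so check what the Reference actually points at first.
    if body.get("Id") is None or ref.get("URI") != "#" + body.get("Id"):
        return False, "signature does not cover the SOAP Body"
    expected = hashlib.sha256(c14n(body)).digest()
    claimed = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS) or "")
    if not hmac.compare_digest(expected, claimed):
        return False, "Body digest mismatch: body was modified after signing"
    # Resolve the key from the server's trust store by name, never from the message.
    key = TRUSTED_KEYS.get(sig.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS))
    if key is None:
        return False, "signer's key is not trusted"
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS) or "")
    if not hmac.compare_digest(mac, given):
        return False, "SignatureValue does not verify"
    return True, "verified; forward to target service"


if __name__ == "__main__":
    signed = sign_envelope(UNSIGNED_REQUEST, "partner-a", TRUSTED_KEYS["partner-a"])
    print(verify_soap_request(signed))
    print(verify_soap_request(signed.replace("<amount>100</amount>", "<amount>9000</amount>")))
```

In the Axis handler this corresponds to throwing an AxisFault for every `False` result so the chain stops before the target service, and to replacing the `sig.getKeyInfo().getPublicKey()` shortcut with a lookup of the signer's certificate or key in a store the server controls.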

When the appropriate method has been invoked and performs the requested action, it returns, unaware a SOAP client has invoked it. The SOAP Engine is responsible for bundling and encoding the response for submission to the client. The assumption here is that the response is not digitally signed.

Want To Ride the Wave?
Digitally signing a SOAP document is achievable and straightforward, and leveraging the existing SOAP and digital signature toolkits, both open source and commercial, can save time and effort.

The emerging industry standards for SOAP, digital signatures, and their intersection can be an enormous asset to businesses, enabling developers to build standards-compliant applications that are interoperable with other toolkits. However, the pieces of the puzzle don't fit quite yet: the actual integration point between SOAP processing and digital signature processing, especially on the server-side, needs some work.

Should this functionality be provided by a SOAP or Digital Signature toolkit? There is currently one SOAP engine (WASP by Systinet) that does so. In the future, perhaps other SOAP engines and/or digital signature toolkits will also offer this feature. With a rapidly changing industry landscape, it is important to track the development and acceptance of the SOAP specification—especially the SOAP-DSIG note—as well as the emerging XKMS standard to ensure that your applications are interoperable and ready to ride the wave.

Brenda Coulson is a software architect at Cysive, Inc. where she works in Product Development on the Cymbio Interaction Server. Brenda is a Sun Certified Java Programmer and Java Developer, and holds a BS degree from James Madison University. Brenda may be reached at bcoulson@cysive.com.