Signature Location

Overview

A given XML message can contain several XML Signatures. Consider an XML document (for example, a company policy approval form) that must be digitally signed by a number of users (for example, department managers) before being submitted to the ultimate Web Service (for example, a company policy approval Web Service). Such a message will contain several XML Signatures by the time it is ready to be submitted to the Web Service.

In such cases, where multiple signatures will be present within a given XML message, it is necessary to specify which signature the API Gateway should use in the validation process.

Configuration

The API Gateway can extract the signature from an XML message using several different methods. The signature can be extracted from a WS-Security block identified by its SOAP Actor, directly from the SOAP Header, or by evaluating an XPath expression. Each method is described below.

Select the most appropriate method from the Signature Location dropdown. Your selection will depend on the types of SOAP messages that you expect to receive. For example, if incoming SOAP messages will contain an XML Signature within a WS-Security block, choose the WS-Security block option from the dropdown.

Using WS-Security Actors:

If the signature is present in a WS-Security block:

  1. Select WS-Security block from the Signature Location dropdown list.

  2. Select a SOAP Actor from the Select Actor/Role(s) dropdown. Each Actor uniquely identifies a separate WS-Security block. If you select Current actor only from the dropdown, the WS-Security block with no Actor is used.

  3. If there may be multiple signatures within the selected WS-Security block, specify which one to use by setting the Signature Position field.

The following is a skeleton version of a message where the XML Signature is contained in the sample WS-Security block (s:actor="sample"):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" 
       s:actor="sample">
   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
    ....
   </dsig:Signature>
  </wsse:Security>
 </s:Header>
 <s:Body>
  <ns1:getTime xmlns:ns1="urn:timeservice">
  </ns1:getTime>
 </s:Body>
</s:Envelope>

SOAP Header:

If the signature is present in the SOAP Header:

  1. Select SOAP message header from the Signature Location dropdown list.

  2. If there is more than one signature in the SOAP Header, then it is necessary to specify which signature the API Gateway should use. Specify the appropriate signature by setting the Signature Position field.

The following is an example of an XML message where the XML Signature is contained within the SOAP header:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
      ....
  </dsig:Signature>
 </s:Header>
 <s:Body>
  <ns1:getTime xmlns:ns1="urn:timeservice">
  </ns1:getTime>
 </s:Body>
</s:Envelope>

Using XPath:

Finally, an XPath expression can be used to locate the signature.

  1. Select Advanced (XPath) from the Signature Location dropdown list.

  2. Select an existing XPath expression from the dropdown, or add a new one by clicking on the Add button. XPath expressions can also be edited or removed with the Edit and Remove buttons respectively.

The default First Signature XPath expression takes the first signature from the SOAP Header. The expression is as follows:

XPath Expression:
//s:Envelope/s:Header/dsig:Signature[1]

To edit this expression, click the Edit button to display the Enter XPath Expression dialog.

An example of a SOAP message containing an XML Signature in the SOAP header is provided below. The following XPath expression instructs the API Gateway to extract the first signature from the SOAP header:

XPath Expression:
//s:Envelope/s:Header/dsig:Signature[1]

Because the elements referenced in the expression (Envelope and Header in the SOAP envelope namespace, Signature in the XML Signature namespace) are prefixed elements, you must define the namespace mappings for each of these prefixes as follows:

Prefix    URI
s         http://schemas.xmlsoap.org/soap/envelope/
dsig      http://www.w3.org/2000/09/xmldsig#

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
    ....
  </dsig:Signature>
 </s:Header>
 <s:Body>
  <product xmlns="http://www.oracle.com">
   <name>SOA Product*</name>
   <company>Company</company>
   <description>Web Services Security</description>
  </product>
 </s:Body>
</s:Envelope>

When adding your own XPath expressions, you must be careful to define any namespace mappings in the manner outlined above. This avoids potential clashes where elements with the same local name, but belonging to different namespaces, are present in the same XML message.
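As an added example (not part of this documentation or of the API Gateway's own code), the Python below applies the WS-Security Actor and SOAP Header selection rules described above, using the namespace mappings from the table, to a constructed message; the function names, the sample message, the use of None for "Current actor only", and the XML-DSig Id attribute are assumptions of the example.

```python
import xml.etree.ElementTree as ET
# Prefix-to-URI mappings, declared as the gateway's XPath settings require.
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: two WS-Security blocks (s:actor="sample" and no actor),
# a bare Header signature, and a Body element also named "Signature" in an app namespace.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <s:Header>
  <wsse:Security s:actor="sample">
   <dsig:Signature Id="s1"/>
   <dsig:Signature Id="s2"/>
  </wsse:Security>
  <wsse:Security>
   <dsig:Signature Id="s3"/>
  </wsse:Security>
  <dsig:Signature Id="s4"/>
 </s:Header>
 <s:Body><order xmlns="urn:app"><Signature Id="not-dsig"/></order></s:Body>
</s:Envelope>"""

def _pick(sigs, position):
    # Signature Position is 1-based; out of range means "no signature found".
    return sigs[position - 1].get("Id") if 0 < position <= len(sigs) else None

def wss_signature(xml_bytes, actor=None, position=1):
    # WS-Security block method: actor=None stands for "Current actor only",
    # i.e. the Security block that carries no s:actor attribute.
    root = ET.fromstring(xml_bytes)
    for block in root.findall("s:Header/wsse:Security", NS):
        if block.get("{%s}actor" % NS["s"]) == actor:
            return _pick(block.findall("dsig:Signature", NS), position)
    return None

def header_signature(xml_bytes, position=1):
    # SOAP header method: dsig:Signature elements that are direct children of s:Header.
    root = ET.fromstring(xml_bytes)
    return _pick(root.findall("s:Header/dsig:Signature", NS), position)

def count_signatures(xml_bytes):
    # Namespace-aware count versus local-name-only count: without the prefix
    # mappings the application's <Signature> in the Body would be matched as well.
    root = ET.fromstring(xml_bytes)
    namespaced = len(root.findall(".//dsig:Signature", NS))
    by_name = sum(1 for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Signature")
    return namespaced, by_name
```

The last function returns (4, 5) for the sample: the extra match is the application's Body element, which only the namespace-qualified lookup excludes.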