The WSIT Tutorial

Securing Operations and Messages

This section explains how to specify security mechanisms at the operation level and at the message level.

You can specify security mechanisms at the following levels:

This section covers the following topics:

ProcedureTo Specify Security at the Operation, Input Message, or Output Message Level

To specify security mechanisms at the level of the operation, input message, or output message, perform the following steps.

  1. Right-click the web service and select Web Service Attributes.

    The Web Service Attributes editor is displayed.

  2. Select Secure Service.

  3. Select a security mechanism.

    The following mechanisms do not support Input message level protection:

  4. Expand the operationOperation node.

  5. Expand the Operation node. It should look like Figure 7–7.

    Figure 7–7 Web Service Attributes Editor Page: Operation Level

    Screen shot of web service attributes editor page (operation
level)

  6. Expand the Operation section.

    The section will be grayed out if Secure Service is not selected.

  7. Select an option from the Transactions list to specify a level at which transactions will be secured.

    For this release, transactions will only use SSL for security. Transactions are discussed in Chapter 12, Using Atomic Transactions.

  8. Expand the Input Message section.

    This section will be grayed out if Secure Service is not selected.

  9. Specify the following options, as appropriate:

    • Authentication Token: Specifies which supporting token will be used to sign and/or encrypt the specified message parts. Options include Username, X509, SAML, Issued, or None. For further description of these options, read Supporting Token Options.

    • Signed: Specifies that the authentication token must be a signed, supporting token. A signed, supporting token is signed by the primary signature token and is part of primary signature.

    • Endorsing: Specifies that the authentication token must be endorsed. With an endorsing supporting token, the key represented by the token is used to endorse/sign the primary message signature.

    If both Signed and Endorsing are selected, the authentication token must be a signed, endorsing, supporting token. In this situation, the token is signed by the primary signature. The key represented by the token is used to endorse/sign the primary message signature.

  10. For the Input Message and/or Output Message, click the Message Parts button to specify which parts of the message need to be encrypted, signed, and/or required.

    See the following section for more information on the options in the Message Parts dialog.

    The Message Parts dialog appears. It should look like Figure 7–8.

    Figure 7–8 Web Service Attributes Editor Page: Message Parts

    Screen shot of web service attributes editor page (message
parts)

  11. Click in a checkbox to the right of the message part or element that you would like to sign, encrypt or require.

    • Select Sign to specify the parts or elements of a message that require integrity protection (digital signature).

    • Select Encrypt to specify the parts or elements of a message that require confidentiality (encryption).

    • Select Require to specify the set of parts and/or elements that a message must contain.

  12. Click Add Body to add a row for the message body.

    This will only be necessary if the row has been removed.

  13. Click Add Header to add a row for either a specific SOAP header part or for all SOAP header parts.

    This will only be necessary if the SOAP header row in question has been deleted. The header parts that are available to sign and/or encrypt before clicking the Add Header button include To (Addressing), From (Addressing), FaultTo (Addressing), ReplyTo (Addressing), MessageID (Addressing), RelatesTo (Addressing), and Action (Addressing). After clicking Add Header, and then clicking All Headers, you may also specify AckRequested (RM), SequenceAcknowledgement (RM), and Sequence (RM).

  14. There are no XPath elements displayed by default. Click Add XPath to add rows that enable you to specify signature and/or encryption for an XPath expression or a URI which indicates the version of XPath to use.

    By default, the Required field is selected. This is an editable field. Double-click the XPath row to specify the XPath expression or URI. Only one XPath element is allowed.


    Note –

    There is a limitation when specifying XPath elements. To use XPath elements, switch off Optimize Security manually by adding the disableStreamingSecurity policy assertion. For information on how to do this, refer to http://blogs.sun.com/venu/ for more information on disableStreamingSecurity.


  15. To remove an element, select it in the Message Part section, and then click Remove to remove it from message security.

  16. Click OK to save these settings.

Supporting Token Options

You can use one of the following options for supporting tokens: