Locate XML Nodes

Overview

You can use the Locate XML Nodes filter to select a number of nodes from an XML message. The selected nodes are stored in a message attribute, which is typically used by a Signature or XML Encryption filter later in a policy.

The primary use of the Locate XML Nodes filter is when a series of policies is auto-generated by importing a Web services Description Language (WSDL) file that contains WS-Policy assertions. For example, because there may be many different WS-Policy assertions that describe elements in the message that must be signed, the Locate XML Nodes filter can be used to build up the node list of elements. Eventually, this node list is passed into the Sign Message filter (using a message attribute) so that a single Signature can be created that covers all the relevant parts.

However, you can also use this filter in similar cases where the message content that must be signed depends on content of the message. For example, a given policy runs a number of XPath expressions on a message where each XPath expression checks for a particular element. If that element is found, it can be marked as an element to be signed/encrypted by selecting that element in the Locate XML Nodes filter. This means that only a single Signature/XML Encryption filter must be configured, with each path feeding back into this filter and passing in the message attribute that contains the nodes set for each specific case.

Configuration

As explained earlier, nodes can be selected using any combination of Node Locations, XPaths, and/or Message Attributes. The following sections explain how to use each different mechanism and how to store the selected nodes in a message attribute.

Node Locations:

The simplest way to select nodes is using the pre-configured elements listed in the table on the Node Locations tab. The table is pre-populated with elements that are typically found in secured SOAP messages, including, the SOAP Body, WSSE Security Header, WS-Addressing headers, SAML Assertions, WS UsernameToken, and so on.

The elements selected here are found by traversing the SOAP message as a DOM and finding the element name with the correct namespace and with the selected index position (for example, the first Signature element from the http://www.w3.org/2000/09/xmldsig# namespace).

You can select the checkbox in the Name column of the table to select the corresponding node. You can select any number of Node Locations in this manner.

If you want to locate an element that is not already present in the table, you can add a new Node Location by clicking the Add button below the table. In the Locate XML Nodes dialog, enter the name of the element, its namespace, and its position in the message using the Element Name, Namespace, and Index fields.

If you wish to select this node for encryption purposes, you must select an appropriate Encryption Type. For example, WS-Security Policy mandates that when encrypting the SOAP Body that only its contents are encrypted and not the SOAP Body element itself. This means that the <xenc:EncryptedData> is inserted as a direct child of the SOAP Body element. In this case, you should select the Encrypt Node Content radio button.

However, in most other cases, it is typically the entire node that gets encrypted. For example, when encrypting a <wsse:UsernameToken>, the entire node should be encrypted. In this case, the <EncryptedData> element replaces the <UsernameToken> element. To encrypt the entire node in this manner, select the Encrypt Node radio button.

XPath Expressions:

In cases where you want to select nodes that exist under a more complicated element hierarchy, it may be necessary to use an XPath expression to locate the required nodes. The XPaths table is pre-populated with a number of XPath expressions to locate SOAP elements and common security elements, including SAML Assertions and SAMLP Responses.

To select an existing XPath expression, you can select the checkbox next to the Name of the appropriate XPath expression. You can select any number of XPath expressions in this manner.

To add a new XPath expression, click the Add button. You must enter a name for the XPath expression in the Name field. You can then enter the XPath expression in the XPath Expression field. For more information on configuring this dialog, see the Configuring XPath Expressions topic.

If you wish to select this node for encryption purposes, you must select an appropriate Encryption Type. For example, WS-Security Policy mandates that when encrypting the SOAP Body that only its contents are encrypted and not the SOAP Body element itself. This means that the <xenc:EncryptedData> is inserted as a direct child of the SOAP Body element. In this case, you should select the Encrypt Node Content radio button.

However, in most other cases, it is typically the entire node that gets encrypted. For example, when encrypting a <wsse:UsernameToken>, the entire node should be encrypted. In this case, the <EncryptedData> element replaces the <UsernameToken> element. To encrypt the entire node in this manner, select the Encrypt Node radio button.

Message Attribute:

Finally, you can also retrieve nodes that have been previously stored in a named message attribute. In such cases, another filter extracts nodes from the message and stores them in a named message attribute (for example, node.list). The Locate XML Nodes filter can then extract these nodes and store them in the message attribute configured in the Message Attribute Name field below.

Extract nodes from Selector Expression:

Specify whether to extract nodes from a specified selector expression (for example, ${node.list}). This setting is not selected by default. Using a selector enables settings to be evaluated and expanded at runtime based on metadata (for example, in a message attribute, Key Property Store (KPS), or environment variable). For more details, see Selecting configuration values at runtime.

Message Attribute in which to place list of nodes:

At runtime, the Locate XML Nodes filter locates and extracts the selected nodes from the message. It then stores them in the specified message attribute. For example, if you wish to sign the selected nodes, it would make sense to store the nodes in a message attribute called sign.nodeList, which would then be specified in the Sign Message filter. Alternatively, if you wish to encrypt the selected nodes, you could store the nodes in the encrypt.nodeList message attribute, which would then be specified in the XML Encryption Properties filter. The Message Attribute Name setting defaults to the node.list attribute.

Finally, you must specify whether you want the selected nodes to Overwrite any nodes that may already exist in the specified attribute, or if you want to Append to any existing nodes. You can also decide to Reset the contents of the message attribute. Select the appropriate radio button depending on your requirements.