Signature location

Overview

A given XML message can contain several XML signatures. Consider an XML document (for example, a company policy approval form) that must be digitally signed by a number of users (for example, department managers) before being submitted to the ultimate web service (for example, a company policy approval web service). Such a message will contain several XML signatures by the time it is ready to be submitted to the web service.

In such cases, where multiple signatures will be present within a given XML message, it is necessary to specify which signature the API Gateway should use in the validation process. For more information on validating XML signatures, see XML signature verification.

Configuration

The API Gateway can extract the signature from an XML message using several different methods:

  • WS-Security block

  • SOAP message header

  • Advanced (XPath)

Select the most appropriate method from the Signature Location field. Your selection will depend on the types of SOAP messages that you expect to receive. For example, if incoming SOAP messages will contain an XML signature within a WS-Security block, you should choose this option from the list.

Use WS-Security actors

If the signature is present in a WS-Security block:

  1. Select WS-Security block from the Signature Location field.

  2. Select a SOAP actor from the Select Actor/Role(s) field. Each actor uniquely identifies a separate WS-Security block. By selecting Current actor/role only from the list, the WS-Security block with no actor is taken.

  3. In cases where there might be multiple signatures within the WS-Security block, it is necessary to extract one using the Signature Position field.

The following is a skeleton version of a message where the XML signature is contained in the WS-Security block whose actor is "sample" (the s:actor="sample" attribute in the example):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" 
       s:actor="sample">
   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
    ....
   </dsig:Signature>
  </wsse:Security>
 </s:Header>
 <s:Body>
  <ns1:getTime xmlns:ns1="urn:timeservice">
  </ns1:getTime>
 </s:Body>
</s:Envelope>

Use SOAP header

If the signature is present in the SOAP header:

  1. Select SOAP message header from the Signature Location field.

  2. If there is more than one signature in the SOAP header, then it is necessary to specify which signature the API Gateway should use. Specify the appropriate signature by setting the Signature Position field.

The following is an example of an XML message where the XML signature is contained within the SOAP header:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
      ....
  </dsig:Signature>
 </s:Header>
 <s:Body>
  <ns1:getTime xmlns:ns1="urn:timeservice">
  </ns1:getTime>
 </s:Body>
</s:Envelope>

Use XPath expression

Finally, an XPath expression can be used to locate the signature.

  1. Select Advanced (XPath) from the Signature Location field.

  2. Select an existing XPath expression from the list, or add a new one by clicking on the Add button. XPath expressions can also be edited or removed with the Edit and Remove buttons.

The default First Signature XPath expression takes the first signature from the SOAP header. The expression is as follows:

//s:Envelope/s:Header/dsig:Signature[1]

To edit this expression, click the Edit button to display the Enter XPath Expression dialog.

An example of a SOAP message containing an XML signature in the SOAP header is provided below. The following XPath expression instructs the API Gateway to extract the first signature from the SOAP header:

//s:Envelope/s:Header/dsig:Signature[1]

Because the elements referenced in the expression (Envelope and Signature) are prefixed elements, you must define the namespace mappings for each of these elements as follows:

Prefix   URI
s        http://schemas.xmlsoap.org/soap/envelope/
dsig     http://www.w3.org/2000/09/xmldsig#

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Header>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="s1">
    ....
  </dsig:Signature>
 </s:Header>
 <s:Body>
  <product xmlns="http://www.oracle.com">
   <name>SOA Product*</name>
   <company>Company</company>
   <description>Web Services Security</description>
  </product>
 </s:Body>
</s:Envelope>

When adding your own XPath expressions, you must be careful to define the namespace mappings in the same way as outlined above. This avoids clashes that can occur when elements with the same local name but belonging to different namespaces are present in the same XML message.
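The following is an added example, not code from the API Gateway product, that works through the three location methods described above (the WS-Security block with its actor and Signature Position, the SOAP header with its Signature Position, and a namespace-mapped XPath expression) against one constructed SOAP message. It uses the Python standard library's xml.etree.ElementTree, whose XPath subset understands prefix:name steps, attribute predicates and [position] predicates but has no leading "//", so the page's default expression is written relative to the Envelope root. The prefix mappings are the ones in the Prefix/URI table above, plus a wsse mapping for the WS-Security block; the sample message, its signature ids and the unrelated element that is also called Signature are all constructed for this demonstration.

```python
"""Locating the XML signature to validate: WS-Security actor, SOAP header,
or namespace-mapped XPath (added example, not the API Gateway's own code)."""
import xml.etree.ElementTree as ET

# Prefix mappings as in the page's Prefix/URI table, plus wsse for the
# WS-Security block. An XPath expression only makes sense together with these.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
}
ACTOR_ATTR = "{%s}actor" % NS["s"]   # ElementTree stores s:actor under this key

# Constructed sample message: a WS-Security block with actor="sample" carrying
# two signatures, a block with no actor (the "Current actor/role only" case),
# one signature directly under the SOAP header, and an unrelated element that
# happens to have the local name Signature in a different namespace.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
            xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <s:Header>
  <other:Signature xmlns:other="urn:example:not-xmldsig" id="n1"/>
  <wsse:Security s:actor="sample">
   <dsig:Signature id="s1"/>
   <dsig:Signature id="s2"/>
  </wsse:Security>
  <wsse:Security>
   <dsig:Signature id="s3"/>
  </wsse:Security>
  <dsig:Signature id="s4"/>
 </s:Header>
 <s:Body>
  <ns1:getTime xmlns:ns1="urn:timeservice"/>
 </s:Body>
</s:Envelope>
"""


def parse(text=SAMPLE):
    return ET.fromstring(text)


def _at(elements, position):
    """Signature Position semantics: 1-based; None when no such signature exists."""
    return elements[position - 1] if 0 < position <= len(elements) else None


def wssecurity_signature(envelope, actor=None, position=1):
    """WS-Security block method. actor=None mirrors 'Current actor/role only':
    the Security block that carries no actor attribute is taken."""
    for block in envelope.findall("s:Header/wsse:Security", NS):
        if block.get(ACTOR_ATTR) == actor:
            return _at(block.findall("dsig:Signature", NS), position)
    return None


def soap_header_signature(envelope, position=1):
    """SOAP message header method: signatures that are direct children of Header."""
    return _at(envelope.findall("s:Header/dsig:Signature", NS), position)


def xpath_signature(envelope, expression, namespaces=NS):
    """Advanced (XPath) method. The page's default expression
    //s:Envelope/s:Header/dsig:Signature[1] is written here, relative to the
    Envelope root, as ./s:Header/dsig:Signature[1]."""
    return envelope.find(expression, namespaces)


def signature_id(element):
    return None if element is None else element.get("id")


def elements_named_signature(envelope):
    """Every element whose local name is Signature, paired with its namespace:
    shows why a name without a namespace mapping would be ambiguous here."""
    found = []
    for el in envelope.iter():
        if el.tag.endswith("}Signature"):
            found.append((el.tag[1:].split("}")[0], el.get("id")))
    return found


if __name__ == "__main__":
    env = parse()
    print("actor sample, position 2:", signature_id(wssecurity_signature(env, "sample", 2)))
    print("no actor:", signature_id(wssecurity_signature(env)))
    print("SOAP header, position 1:", signature_id(soap_header_signature(env)))
    print("default XPath:", signature_id(xpath_signature(env, "./s:Header/dsig:Signature[1]")))
    print("all elements named Signature:", elements_named_signature(env))
```

Note how the qualified step dsig:Signature skips the element in urn:example:not-xmldsig even though it appears first in the header, whereas a listing by local name alone returns five candidates; that is the clash the namespace mappings prevent. An expression such as ./s:Header/wsse:Security[@s:actor='sample']/dsig:Signature[2] combines the actor and position selections in a single XPath, which is the kind of expression you would add through the Enter XPath Expression dialog.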