Genero Web Services does not entirely manage WS-Security. We provide XML APIs to help the development of Web Services with security.
This topic describes how to handle WS Security using the demo wssecuritymessage. It is a sample that you can adapt to your needs. The demo will be enhanced to illustrate new features that will be introduced to fully support WS-Security.
The demo involves three clients exchanging secured messages. Those clients post and retrieve messages on a secured server. Each client is identified by a certificate and sign their messages.
We assume that you are familiar with security concepts described in topic "Encryption and Authentication Concepts".
The demo assumes that all the clients have sent their public keys to the other clients and to the server. Those keys are kept in each host's (server or clients) keystore. The certificates included in this package are provided for demonstration purposes only. As they are distributed with this package, anybody using this product can decrypt the messages exchanged. Do NOT use them in production.
We provide 3 handlers to handle WS Security:
In this demo, a received message is processed:
The client consists in sending a message and retrieving messages clients sent to it.
Before that, create the client stub from the wsdl:
The client stub reference handlers:
For more details about client SOAP handlers see Client stub and handlers.
What to do when a message is sent:
What to do to retrieve messages:
The policy documentation can be found here.
The demo policy is divided into sections (make sure that the naming are correct and that the structure is understandable):
WS Security section begins with:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy ... />
It defines rules:
<wsp:ExactlyOne>
Only one assertion should be fulfilled.
<wsp:All>
All the assertions should be fulfilled.
There are 3 types of security binding:
The current demo uses the Asymmetric binding.
This section is divided in sub sections:
AsymmetricBinding is the root node for protection description.
<sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
InitiatorToken is the message sender (client)
Example
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V1Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
The token is used for the message signature from initiator to recipient and
encryption from recipient to initiator.
The initiator key is a X509 certificate that is always sent to the recipient.
sp:IncludeToken attribute indicates if the token must be included.
IncludeToken/AlwayToRecipient means each requests sent to the recipient must
include the initiator token. But the token should not be included in messages
from recipient to initiator.
The token must send its Thumbprint Reference.
The token must be of type X509 version 1 as defined in "X509 token profile 1.0".
What should be done in 4GL is decribed in Client Side
section.
To retrieve the thumbprint reference you can use the API function
xml.CryptoX509.getThumbprintSHA1
To create the x509 certificate use an appropriate tool like openssl.
RecipientToken is the message receiver (server)
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
The token is used for encryption from initiator to recipient, and for the
message signature from recipient to initiator.
The recipient key is a X509 certificate that is never sent to the initiator.
sp:IncludeToken attribute indicates if the token must be included.
IncludeToken/Never means the token should not be included in any requests
between the initiator and the recipient.
Instead the recipient ThumbprintRefrence is sent.
The token must be of type X509 version 3 as defined in "X509 token profile 1.0"
What should be done in 4GL is decribed in Server Side
section.
To retrieve the thumbprint reference you can use the API function
xml.CryptoX509.getThumbprintSHA1
To create the appropriate certificate use an appropriate tool like openssl.
AlgorithmSuite tells which algorithm is used to encrypt the data.
<sp:AlgorithmSuite> <wsp:Policy> <sp:TripleDesRsa15 /> </wsp:Policy> </sp:AlgorithmSuite>
TripleDesRsa15 refers to key http://www.w3.org/2001/04/xmlenc#tripledes-cbc.
Layout describes the way information are added to the message header.
<sp:Layout> <wsp:Policy> <sp:Strict /> </wsp:Policy> </sp:Layout>
For example, with Strict layout, token that are included in the message must be declared before use. For more details on the rules to follow see the security policy specifications section 7.7.
PartsToSign
<sp:OnlySignEntireHeadersAndBody />
The assertion means if there is any signature on the header or the body it should be on the entire header and the entire body not on their child element.
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <sp:MustSupportRefKeyIdentifier /> <sp:MustSupportRefIssuerSerial />
The SignedParts section tells which part of the message should be signed.
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <sp:Body />
The section EncryptedParts tells which part of the message should be encrypted.
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <sp:Body />
Encrypt the body using the algorithm referenced in assertion AlgorithmSuite:
To find the exact syntax of security message read the specifications "Web Services Security: SOAP Message Security 1.0".