This specification provides three main mechanisms: security token propagation, message integrity, and message confidentiality.
A typical WS-Security-compliant SOAP message
(The code-insertion feature doesn't seem to work any more.)
```xml
(001) <?xml version="1.0" encoding="utf-8"?>
(002) <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"
             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
(003)   <S:Header>
(004)     <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
(005)       <m:action>http://fabrikam123.com/getQuote</m:action>
(006)       <m:to>http://fabrikam123.com/stocks</m:to>
(007)       <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
(008)     </m:path>
(009)     <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
(010)       <wsse:UsernameToken Id="MyID">
(011)         <wsse:Username>Zoe</wsse:Username>
(012)       </wsse:UsernameToken>
(013)       <ds:Signature>
(014)         <ds:SignedInfo>
(015)           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
(016)           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
(017)           <ds:Reference URI="#MsgBody">
(018)             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
(019)             <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
(020)           </ds:Reference>
(021)         </ds:SignedInfo>
(022)         <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
(023)         <ds:KeyInfo>
(024)           <wsse:SecurityTokenReference>
(025)             <wsse:Reference URI="#MyID"/>
(026)           </wsse:SecurityTokenReference>
(027)         </ds:KeyInfo>
(028)       </ds:Signature>
(029)     </wsse:Security>
(030)   </S:Header>
(031)   <S:Body Id="MsgBody">
(032)     <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
(033)   </S:Body>
(034) </S:Envelope>
```
Most of the security-related content lives in the SOAP header!
Lines 9-29 are the Security header defined by the standard; it carries the security information the intended recipient needs.
Lines 10-12 are the security token attached to this message. In this example the client uses a UsernameToken and does not send the password in the SOAP message, so we can assume the two parties agreed on the authentication password beforehand (it is a shared secret). Because no password travels with the message, it is the signature below, not the token itself, that proves the sender knows that secret.
Lines 13-28 are the complete description of the digital signature. The signature guarantees the integrity of the signed elements only, and it follows the XML Signature specification. In this example the signature is computed with a key derived from the user's password.
Line 15 specifies how to canonicalize (normalize) the data that is being signed.
Lines 17-20 select the elements to be signed; line 17 specifies that the <S:Body> element will be signed. Anything not referenced here, such as the <m:path> routing header, is outside the signature's protection.
Line 22 specifies the signature value of the canonicalized form of the data that is being signed, as defined in the XML Signature specification.
Lines 23-27 provide a hint about where to find the security token associated with this signature: the SecurityTokenReference points at the UsernameToken with Id="MyID", which tells the recipient which shared secret to use when checking the signature.
Lines 31-33 contain the SOAP message body, the part that actually carries the application payload.
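The walkthrough above describes the signing and checking steps in prose; the following script, added here and not part of the original post or the WS-Security specification, carries them out end to end on the same envelope: it digests the canonicalized `#MsgBody`, signs the canonicalized `SignedInfo` with HMAC-SHA1, and then verifies the result by following `KeyInfo` to the UsernameToken and looking up the shared secret. It also shows the consequence of line 17 referencing only the body: changing the stock symbol breaks verification, while changing the unsigned `<m:to>` header does not. Three things are assumptions rather than facts from the page: the value of Zoe's shared secret, the key-derivation step (the 2002 draft does not define one; the later UsernameToken Profile 1.1 specifies a P_SHA1-based derivation), and the use of the Python standard library's C14N 2.0 in place of the exclusive C14N 1.0 named in line 15.

```python
"""Sign and verify the WS-Security UsernameToken / HMAC-SHA1 envelope from the page.

Constructed example. The shared secret, derive_key() and the C14N 2.0 stand-in
are assumptions, flagged in comments below.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2001/12/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
    "m": "http://schemas.xmlsoap.org/rp/",
    "tru": "http://fabrikam123.com/payloads",
}
for _prefix, _uri in NS.items():      # keep the page's prefixes when re-serialising subtrees
    ET.register_namespace(_prefix, _uri)

# The message from the page, with DigestValue / SignatureValue left empty for sign() to fill.
ENVELOPE = """<?xml version="1.0" encoding="utf-8"?>
<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <S:Header>
    <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
      <m:action>http://fabrikam123.com/getQuote</m:action>
      <m:to>http://fabrikam123.com/stocks</m:to>
      <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
    </m:path>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <wsse:UsernameToken Id="MyID"><wsse:Username>Zoe</wsse:Username></wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#MsgBody">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue></ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue></ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#MyID"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
  </S:Body>
</S:Envelope>"""

# Constructed: the password Zoe and the service agreed on out of band (never sent in the message).
SHARED_SECRETS = {"Zoe": "correct horse battery staple"}


def derive_key(password: str) -> bytes:
    # Assumption: the 2002 draft does not say how the HMAC key is derived from the
    # password, so this simple hash stands in for whatever both parties agreed on.
    return hashlib.sha1(password.encode("utf-8")).digest()


def canonicalize(elem: ET.Element) -> bytes:
    # Assumption: stdlib C14N 2.0 stands in for exclusive C14N 1.0 (the Algorithm
    # named on line 15); a production verifier must implement xml-exc-c14n exactly.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def find_by_id(root: ET.Element, uri: str) -> ET.Element:
    """Resolve a same-document reference such as '#MsgBody' to the element with that Id."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are supported")
    for el in root.iter():
        if el.get("Id") == uri[1:]:
            return el
    raise ValueError(f"no element with Id={uri[1:]!r}")


def sign(root: ET.Element, password: str) -> None:
    """Fill in every DigestValue (lines 17-20) and the SignatureValue (line 22) in place."""
    signed_info = root.find(".//ds:SignedInfo", NS)
    for ref in signed_info.findall("ds:Reference", NS):
        target = find_by_id(root, ref.get("URI"))
        digest = hashlib.sha1(canonicalize(target)).digest()
        ref.find("ds:DigestValue", NS).text = base64.b64encode(digest).decode()
    mac = hmac.new(derive_key(password), canonicalize(signed_info), hashlib.sha1).digest()
    root.find(".//ds:SignatureValue", NS).text = base64.b64encode(mac).decode()


def verify(root: ET.Element) -> bool:
    """Check each Reference digest, then the HMAC over SignedInfo with the key KeyInfo hints at."""
    signed_info = root.find(".//ds:SignedInfo", NS)
    for ref in signed_info.findall("ds:Reference", NS):
        target = find_by_id(root, ref.get("URI"))
        expected = base64.b64decode(ref.find("ds:DigestValue", NS).text)
        if not hmac.compare_digest(hashlib.sha1(canonicalize(target)).digest(), expected):
            return False
    # Lines 23-27: KeyInfo only says which token to use; the key itself comes from the shared secret.
    token_uri = root.find(".//ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS).get("URI")
    username = find_by_id(root, token_uri).find("wsse:Username", NS).text
    password = SHARED_SECRETS.get(username)
    if password is None:
        return False
    expected_mac = base64.b64decode(root.find(".//ds:SignatureValue", NS).text)
    mac = hmac.new(derive_key(password), canonicalize(signed_info), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected_mac)


def demo() -> dict:
    root = ET.fromstring(ENVELOPE.encode("utf-8"))
    sign(root, SHARED_SECRETS["Zoe"])
    results = {"untouched": verify(root)}

    tampered_body = ET.fromstring(ET.tostring(root))
    tampered_body.find(".//tru:StockSymbol", NS).text = "MSFT"          # inside #MsgBody: detected
    results["body_tampered"] = verify(tampered_body)

    tampered_header = ET.fromstring(ET.tostring(root))
    tampered_header.find(".//m:to", NS).text = "http://attacker.example/stocks"  # unsigned: not detected
    results["unsigned_header_tampered"] = verify(tampered_header)
    return results


if __name__ == "__main__":
    print(demo())
```

The third result is the practical lesson of line 17: a signature protects exactly the elements its `Reference` URIs name, so routing headers that the recipient relies on (`<m:to>`, `<m:action>`) need their own `Reference` entries, or an attacker can redirect or re-purpose an otherwise valid message.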