As a container for XML-based messages, SOAP 1.1 has responsibilities to support the use of XML-based security technologies.
As we mentioned in previous sections, to achieve end-to-end application security (encryption, authorization, and authentication), an exchange of digital credentials is required. Digital credentials come in different forms. The most commonly used credential is a digital certificate that conforms to a standard called X.509. Microsoft has recently announced plans to base its efforts on another type of credential called Kerberos tickets. In either case, these credentials hold information about the holder, including information about the encryption methods being used and the holder's digital signature.
Microsoft and IBM have proposed extending the SOAP 1.1 specification to include a security-specific credentials header, which would standardize the use of multiple types of credentials within a SOAP message. The motivation for the extensions is to give SOAP-based services the ability to sign portions of the SOAP envelope.
To use XML Digital Signatures (or any digital signature) effectively in SOAP messages, you need a standardized way to incorporate them into the message.
To address this need, IBM and Microsoft have proposed a set of SOAP 1.1 header extensions that standardize the use of digital signatures. The goal is to enable SOAP envelopes to contain a digital signature that can be used to sign one or more elements contained within the envelope.
Here is an example of the use of the Digital Signature extensions for SOAP:[21]
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <SOAP-SEC:Signature xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"
                        SOAP-ENV:actor="some-URI"
                        SOAP-ENV:mustUnderstand="1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026">
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <ds:Reference URI="#Body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>MC0CFFrVLtRlk=...</ds:SignatureValue>
      </ds:Signature>
    </SOAP-SEC:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"
                 SOAP-SEC:id="Body">
    <m:GetLastTradePrice xmlns:m="some-URI">
      <m:symbol>IBM</m:symbol>
    </m:GetLastTradePrice>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The XML Digital Signature is in its own namespace and is contained within the <ds:Signature> element. The wrapper for the signature is <SOAP-SEC:Signature>, which specifies the namespace for the signature and the intended reader of the signature (denoted by the SOAP-ENV:actor attribute). The actor can be a SOAP intermediary or the final recipient of the message. The SOAP-ENV:mustUnderstand attribute tells intermediaries that they must know how to process this header entry or leave it unprocessed. The members of the XML Digital Signature are described in the previous Section 10.2.
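As an added example (not from the book or from the IBM/Microsoft proposal), the following Python script builds an envelope in the layout shown above and performs the receiver's reference check: it resolves the ds:Reference URI "#Body" to the element carrying SOAP-SEC:id="Body", canonicalizes it, and compares the SHA-1 digest with DigestValue. Assumptions: the namespace URIs are the ones in the example; the m: namespace URI and the symbol value are constructed stand-ins; canonicalization uses Python's built-in C14N 2.0 rather than the C14N 1.0 draft the example names; the ds:SignatureValue itself is not verified here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_SEC = "http://schemas.xmlsoap.org/soap/security/2000-12"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed envelope in the layout of the example above ({digest} and {symbol} are
# filled in by str.format()); the m: namespace URI is a made-up stand-in.
TEMPLATE = (
    f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Header>'
    f'<SOAP-SEC:Signature xmlns:SOAP-SEC="{SOAP_SEC}" SOAP-ENV:mustUnderstand="1">'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#Body">'
    f'<ds:DigestMethod Algorithm="{DS}sha1"/><ds:DigestValue>{{digest}}</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo><ds:SignatureValue>NOT-CHECKED-HERE</ds:SignatureValue>'
    '</ds:Signature></SOAP-SEC:Signature></SOAP-ENV:Header>'
    f'<SOAP-ENV:Body xmlns:SOAP-SEC="{SOAP_SEC}" SOAP-SEC:id="Body">'
    '<m:GetLastTradePrice xmlns:m="urn:example:trades"><m:symbol>{symbol}</m:symbol>'
    '</m:GetLastTradePrice></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)

def body_digest(root: ET.Element, ref_id: str) -> str:
    """Resolve the Reference id to the signed element and return its base64 SHA-1 digest.
    The id must occur exactly once and be the Envelope's own Body, so no other element
    carrying the same SOAP-SEC:id can stand in for the signed one."""
    matches = [e for e in root.iter() if e.get(f"{{{SOAP_SEC}}}id") == ref_id]
    if len(matches) != 1 or matches[0] is not root.find(f"{{{SOAP_ENV}}}Body"):
        raise ValueError("reference does not resolve uniquely to the Body")
    # ET.canonicalize() is C14N 2.0; the example names the 2000 C14N 1.0 draft instead.
    c14n = ET.canonicalize(ET.tostring(matches[0], encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode()

def verify_body_reference(envelope_xml: str) -> bool:
    """Reference validation for the SOAP-SEC:Signature header: header present and marked
    mustUnderstand, Reference URI resolving to the Body, Body digest equal to DigestValue.
    Checking ds:SignatureValue with the signer's key is the separate second step."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(f"{{{SOAP_ENV}}}Header/{{{SOAP_SEC}}}Signature")
    if sig is None or sig.get(f"{{{SOAP_ENV}}}mustUnderstand") != "1":
        return False
    ref = sig.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        return False
    declared = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
    try:
        return declared == body_digest(root, ref.get("URI")[1:])
    except ValueError:
        return False

def build_envelope(symbol: str) -> str:
    """Signer side (constructed): embed the Body digest in the header's DigestValue."""
    draft = ET.fromstring(TEMPLATE.format(digest="", symbol=symbol))
    return TEMPLATE.format(digest=body_digest(draft, "Body"), symbol=symbol)
```

Rejecting a document in which the referenced id appears more than once, or on something other than the Envelope's Body, is what keeps the digest check bound to the element the reader actually acts on.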
These extensions provide a standardized way to add digital signatures to SOAP messages. By extending the SOAP header to use the <SOAP-SEC:Signature> extension, any web service can add any type of digital signature to a SOAP message. The proposal also allows enough flexibility to allow the use of XML Encryption to secure portions of the SOAP messages. The addition of a <SOAP-SEC:Encryption> tag is still in the works.