Encryption and signing provide two different kinds of protection: confidentiality and integrity, respectively. The WS-SecurityPolicy protection assertions specify which parts of a message are subject to protection. Details of the protection mechanisms (key material, algorithms, token types) are specified separately in the relevant binding policy (see Specifying an AsymmetricBinding Policy, Specifying a SymmetricBinding Policy, and Transport Layer Message Protection).
The protection assertions described here are really intended to be used in combination with SOAP message security, because they refer to features of a SOAP message. Nonetheless, these policies can also be satisfied by a transport binding (such as HTTPS), which protects the entire message in transit rather than specific parts. Note the difference in scope: transport protection ends at the TLS endpoint, whereas message-level signing and encryption of specific parts survive intermediaries and can be checked by the ultimate receiver.
A protection assertion must be applied to a message policy subject (see Message policy subject). In other words, it must be placed inside a wsdl:input, wsdl:output, or wsdl:fault element in a WSDL binding. For example, given the protection policy with ID MutualCertificate10SignEncrypt_IPingService_header_Input_policy, you could apply the policy to a wsdl:input message part as follows:
<wsdl:operation name="header">
<soap:operation soapAction="http://InteropBaseAddress/interop/header" style="document"/>
<wsdl:input name="headerRequest">
<wsp:PolicyReference
URI="#MutualCertificate10SignEncrypt_IPingService_header_Input_policy"/>
<soap:header message="i0:headerRequest_Headers" part="CustomHeader" use="literal"/>
<soap:body use="literal"/>
</wsdl:input>
...
</wsdl:operation>
The following WS-SecurityPolicy protection assertions are currently supported by Fuse Services Framework:
SignedParts
EncryptedParts
The following WS-SecurityPolicy protection assertions are not supported by Fuse Services Framework:
SignedElements
EncryptedElements
ContentEncryptedElements
RequiredElements
RequiredParts
The SignedParts element has the following syntax:
<sp:SignedParts xmlns:sp="..." ... >
  <sp:Body />?
  <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" ... />*
  <sp:Attachments />?
  ...
</sp:SignedParts>
The EncryptedParts element has the following syntax:
<sp:EncryptedParts xmlns:sp="..." ... >
  <sp:Body/>?
  <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" ... />*
  <sp:Attachments />?
  ...
</sp:EncryptedParts>
Example 6.6 shows a policy that combines two protection assertions: a signed parts assertion and an encrypted parts assertion. When this policy is applied to a message, the message body is both signed and encrypted. In addition, the message header named CustomHeader (in the namespace http://InteropBaseAddress/interop) is signed. Note that CustomHeader appears only in SignedParts, not in EncryptedParts, so it is integrity protected but still travels in cleartext; a header that carries anything sensitive needs to be listed in EncryptedParts as well.
Example 6.6. Integrity and Encryption Policy Assertions
<wsp:Policy wsu:Id="MutualCertificate10SignEncrypt_IPingService_header_Input_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Name="CustomHeader" Namespace="http://InteropBaseAddress/interop"/>
</sp:SignedParts>
<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
sp:Body
This element specifies that protection (encryption or signing) is applied to the body of the message. For signing, the protection covers the entire message body: that is, the soap:Body element, its attributes, and its content. For encryption, WS-Security implementations encrypt the content of soap:Body (the child elements are replaced by an xenc:EncryptedData element), because the soap:Body element itself must remain in place for the message to stay a valid SOAP envelope.
sp:Header
This element specifies that protection is applied to the SOAP header identified by its local name, using the Name attribute, and its namespace, using the Namespace attribute. The Name attribute is optional: if it is omitted, every header in the given namespace is protected. The protection is applied to the entire message header, including its attributes and its content. Listing a header here does not by itself require the header to be present in the message; the assertion applies to the header whenever it is present.
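The following is an added example, not Fuse Services Framework or Apache CXF code. It parses the SignedParts and EncryptedParts assertions of Example 6.6 and checks, structurally, whether a WS-Security protected SOAP envelope satisfies them: which wsu:Id values the ds:Signature references, whether the body content has been replaced by xenc:EncryptedData, and whether a header that should be encrypted is still visible in cleartext. It verifies no digests or signature values and decrypts nothing, so it is a coverage check to run before (or alongside) real signature verification, not a replacement for it. The policy is Example 6.6 with its wsp, sp and wsu namespace declarations added so that it parses stand-alone; the envelopes, ids and dummy signature values are constructed for the example.

```python
# Added example (not Fuse/CXF code): structural coverage check of SignedParts /
# EncryptedParts assertions against a WS-Security envelope. Checks ids and element
# structure only; verifies no digests and decrypts nothing.
import xml.etree.ElementTree as ET

NS = {
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Example 6.6 with the wsp/sp/wsu namespaces declared so it parses stand-alone.
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="{NS['sp']}" xmlns:wsu="{NS['wsu']}"
 wsu:Id="MutualCertificate10SignEncrypt_IPingService_header_Input_policy">
 <wsp:ExactlyOne><wsp:All>
  <sp:SignedParts><sp:Body/>
   <sp:Header Name="CustomHeader" Namespace="http://InteropBaseAddress/interop"/></sp:SignedParts>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>"""

# Constructed body variants: content-encrypted (what WS-Security produces) and cleartext.
ENCRYPTED_BODY = ('<xenc:EncryptedData Id="enc-1" Type="http://www.w3.org/2001/04/xmlenc#Content">'
                  '<xenc:CipherData><xenc:CipherValue>Q0lQSEVSVEVYVA==</xenc:CipherValue>'
                  '</xenc:CipherData></xenc:EncryptedData>')
PLAINTEXT_BODY = '<i:Ping xmlns:i="http://InteropBaseAddress/interop">hello</i:Ping>'


def build_envelope(body_content, reference_header=True):
    """Constructed envelope: CustomHeader and Body carry wsu:Id values, the
    ds:Signature in wsse:Security lists the ids it covers (dummy values)."""
    header_ref = '<ds:Reference URI="#hdr-1"/>' if reference_header else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
 <soap:Header>
  <i:CustomHeader xmlns:i="http://InteropBaseAddress/interop" wsu:Id="hdr-1">ping</i:CustomHeader>
  <wsse:Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#body-1"/>{header_ref}
  </ds:SignedInfo><ds:SignatureValue>U0lHTkFUVVJF</ds:SignatureValue></ds:Signature></wsse:Security>
 </soap:Header>
 <soap:Body wsu:Id="body-1">{body_content}</soap:Body>
</soap:Envelope>"""


def required_parts(policy_xml):
    """Return {'signed': [...], 'encrypted': [...]}; entries are 'Body' or
    ('Header', name_or_None, namespace). No Name means every header in the namespace."""
    out, root = {}, ET.fromstring(policy_xml)
    for key, assertion in (("signed", "SignedParts"), ("encrypted", "EncryptedParts")):
        parts = []
        for node in root.iter(f"{{{NS['sp']}}}{assertion}"):
            for child in node:
                local = child.tag.rsplit("}", 1)[-1]
                if local == "Body":
                    parts.append("Body")
                elif local == "Header":
                    parts.append(("Header", child.get("Name"), child.get("Namespace")))
                else:  # sp:Attachments etc. are outside this page's scope
                    raise ValueError(f"unsupported part assertion sp:{local}")
        out[key] = parts
    return out


def _signed_ids(env):
    """wsu:Id values referenced by ds:Reference elements inside wsse:Security."""
    return {ref.get("URI", "")[1:]
            for sec in env.iter(f"{{{NS['wsse']}}}Security")
            for ref in sec.iter(f"{{{NS['ds']}}}Reference")
            if ref.get("URI", "").startswith("#")}


def _matching_headers(env, name, namespace):
    """soap:Header children in `namespace` (all of them when name is None)."""
    header = env.find("soap:Header", NS)
    return [] if header is None else [
        h for h in header
        if h.tag.startswith("{%s}" % namespace) and (name is None or h.tag.endswith("}" + name))]


def unmet_parts(policy_xml, envelope_xml):
    """Requirements the envelope visibly fails, as 'signed:...' / 'encrypted:...'.
    A header the policy names but the message lacks is not a failure."""
    required, env = required_parts(policy_xml), ET.fromstring(envelope_xml)
    body, signed_ids, wsu_id = env.find("soap:Body", NS), _signed_ids(env), f"{{{NS['wsu']}}}Id"
    unmet = []
    for part in required["signed"]:
        if part == "Body":
            if body is None or body.get(wsu_id) not in signed_ids:
                unmet.append("signed:Body")
        else:
            unmet += ["signed:" + h.tag for h in _matching_headers(env, part[1], part[2])
                      if h.get(wsu_id) not in signed_ids]
    for part in required["encrypted"]:
        if part == "Body":  # content encryption: every body child must be EncryptedData
            kids = list(body) if body is not None else []
            if not kids or any(k.tag != f"{{{NS['xenc']}}}EncryptedData" for k in kids):
                unmet.append("encrypted:Body")
        else:  # an encrypted header is replaced by wsse11:EncryptedHeader, so a header
            # still visible under its own name is travelling in cleartext
            unmet += ["encrypted:" + h.tag for h in _matching_headers(env, part[1], part[2])]
    return unmet
```

Calling unmet_parts(POLICY, build_envelope(ENCRYPTED_BODY)) returns an empty list; dropping the ds:Reference to the header (reference_header=False) reports the unsigned CustomHeader, and a cleartext body reports encrypted:Body. Adding an sp:Header for the interop namespace to EncryptedParts makes the checker flag the still-visible CustomHeader, which is exactly the cleartext-header situation Example 6.6 leaves open.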