Transport layer message protection refers to the message protection (encryption and integrity checking) that is provided by the transport layer. For example, HTTPS provides confidentiality and integrity for the connection using SSL/TLS. WS-SecurityPolicy does not add much to the HTTPS feature set, because HTTPS is already fully configurable using Spring XML configuration (see Configuring HTTPS). An advantage of specifying a transport binding policy for HTTPS, however, is that it enables you to embed security requirements in the WSDL contract. Hence, any client that obtains a copy of the WSDL contract can discover what the transport layer security requirements are for the endpoints in the WSDL contract. Note that transport layer protection covers only the connection between the client and the endpoint that terminates TLS; the message itself is not protected before it is sent or after it is received, which is what distinguishes it from message layer protection.
If you use WS-SecurityPolicy to configure the HTTPS transport, you must also configure HTTPS security appropriately in the Spring configuration. The policy only declares what the transport must provide; the keystores, trust stores and TLS parameters that actually provide it are set up in Spring.
Example 6.1 shows how to configure a client to use the HTTPS transport protocol. The sec:keyManagers element specifies the client's own certificate, alice.pfx, and the sec:trustManagers element specifies the trusted CA list (here, the store bob.pfx). Note how the http:conduit element's name attribute uses wildcards to match the endpoint address. The example also sets disableCNCheck="true" on http:tlsClientParameters, which turns off the check that the name in the server certificate matches the host in the endpoint address. This is convenient with test certificates but must not be used in production, because it lets any certificate accepted by the trust store pass as the intended server. For details of how to configure HTTPS on the client side, see Configuring HTTPS.
Example 6.1. Client HTTPS Configuration in Spring
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       ... >
  <http:conduit name="https://.*/UserNameOverTransport.*">
    <http:tlsClientParameters disableCNCheck="true">
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="pkcs12" password="password" resource="certs/alice.pfx"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="pkcs12" password="password" resource="certs/bob.pfx"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>
  ...
</beans>
Example 6.2 shows how to configure a server to use the HTTPS transport protocol. The sec:keyManagers element specifies the server's own certificate, bob.pfx, and the sec:trustManagers element specifies the trusted CA list. For details of how to configure HTTPS on the server side, see Configuring HTTPS.
Example 6.2. Server HTTPS Configuration in Spring
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       ... >
  <httpj:engine-factory id="tls-settings">
    <httpj:engine port="9001">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="pkcs12" password="password" resource="certs/bob.pfx"/>
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="pkcs12" password="password" resource="certs/alice.pfx"/>
        </sec:trustManagers>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
  ...
</beans>
A transport binding policy must be applied to an endpoint policy subject (see Endpoint policy subject). For example, given the transport binding policy with ID UserNameOverTransport_IPingService_policy, you could apply the policy to an endpoint binding as follows:
<wsdl:binding name="UserNameOverTransport_IPingService" type="i0:IPingService">
  <wsp:PolicyReference URI="#UserNameOverTransport_IPingService_policy"/>
  ...
</wsdl:binding>
The sp:TransportBinding element has the following syntax, where ? marks an optional element:
<sp:TransportBinding xmlns:sp="..." ... >
  <wsp:Policy xmlns:wsp="...">
    <sp:TransportToken ... >
      <wsp:Policy> ... </wsp:Policy>
      ...
    </sp:TransportToken>
    <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite>
    <sp:Layout ... > ... </sp:Layout> ?
    <sp:IncludeTimestamp ... /> ?
    ...
  </wsp:Policy>
  ...
</sp:TransportBinding>
Example 6.3 shows an example of a transport binding that requires confidentiality and integrity using the HTTPS transport (specified by the sp:HttpsToken element) and the Basic256 algorithm suite (specified by the sp:Basic256 element). Basic256 combines 256-bit AES encryption with SHA-1 digests; if SHA-1 is not acceptable, use one of the Sha256 variants of the suite (see Specifying the Algorithm Suite). Because RequireClientCertificate is false, the transport authenticates only the server; client authentication, if required, must come from a message-level token in the part of the policy not shown in the excerpt.
Example 6.3. Example of a Transport Binding
<wsp:Policy wsu:Id="UserNameOverTransport_IPingService_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      ...
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The sp:TransportToken element has a two-fold effect: it requires a particular type of security token and it indicates how the transport is secured. For example, by specifying sp:HttpsToken, you indicate that the connection is secured by the HTTPS protocol and that the security tokens are X.509 certificates: the server always presents one, and the client presents one as well only if RequireClientCertificate="true".
The sp:AlgorithmSuite element specifies the suite of cryptographic algorithms to use for signing and encryption. For details of the available algorithm suites, see Specifying the Algorithm Suite.
The sp:Layout element specifies whether to impose any conditions on the order in which security headers are added to the SOAP message. The sp:Lax element specifies that no conditions are imposed on the order of security headers. The alternatives to sp:Lax are sp:Strict, sp:LaxTimestampFirst, and sp:LaxTimestampLast.
If the sp:IncludeTimestamp element is included in the policy, the runtime adds a wsu:Timestamp element to the wsse:Security header, which lets the receiver reject messages whose creation or expiry time falls outside its acceptance window. By default, the timestamp is not included.
The sp:MustSupportRefKeyIdentifier element specifies that the security runtime must be able to process Key Identifier token references, as specified in the WS-Security 1.0 specification. A key identifier is a mechanism for identifying a key token, which may be used inside signature or encryption elements. Fuse Services Framework requires this feature.
The sp:MustSupportRefIssuerSerial element specifies that the security runtime must be able to process Issuer and Serial Number token references, as specified in the WS-Security 1.0 specification. An issuer and serial number is a mechanism for identifying a key token, which may be used inside signature or encryption elements. Fuse Services Framework requires this feature.
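The two points made above, that a client can discover the transport requirements from the policy in the WSDL and that the Spring HTTPS configuration must still match them, can be checked mechanically. The following script is an added example, not code from the Fuse Services Framework documentation or from the CXF project: it parses the sp:TransportBinding of Example 6.3 into the requirements it states, then audits the Example 6.1 http:conduit against them. The policy sample is built from Example 6.3 with the elided part omitted and the WS-Policy 1.2 namespace assumed for the wsp prefix; the conduit sample is the Example 6.1 conduit as given, plus a copy with disableCNCheck removed. The check rules are this example's own, not a CXF API.

```python
"""Parse the transport-binding requirements a WSDL policy advertises and
audit a CXF Spring client conduit against them (added example; the rules
below are this script's own, not a CXF API)."""
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed: WS-Policy 1.2
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
HTTP = "http://cxf.apache.org/transports/http/configuration"
SEC = "http://cxf.apache.org/configuration/security"

# Constructed from Example 6.3; the elided part of the policy is omitted.
POLICY_XML = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wsu="{WSU}"
            wsu:Id="UserNameOverTransport_IPingService_policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy></sp:TransportToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:Wss10><wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy></sp:Wss10>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# The Example 6.1 conduit as given, and a copy with the CN check re-enabled.
CLIENT_CONDUIT_XML = f"""
<http:conduit xmlns:http="{HTTP}" xmlns:sec="{SEC}"
              name="https://.*/UserNameOverTransport.*">
  <http:tlsClientParameters disableCNCheck="true">
    <sec:keyManagers keyPassword="password">
      <sec:keyStore type="pkcs12" password="password" resource="certs/alice.pfx"/>
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore type="pkcs12" password="password" resource="certs/bob.pfx"/>
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>"""
HARDENED_CONDUIT_XML = CLIENT_CONDUIT_XML.replace(' disableCNCheck="true"', "")


def _local(el):
    """Local name of an element's tag (None for a missing element)."""
    return None if el is None else el.tag.split("}", 1)[-1]


def parse_transport_binding(policy_xml):
    """Return the requirements stated by the policy's sp:TransportBinding."""
    root = ET.fromstring(policy_xml)
    tb = root.find(f".//{{{SP}}}TransportBinding/{{{WSP}}}Policy")
    if tb is None:
        raise ValueError("policy has no sp:TransportBinding")
    https = tb.find(f"{{{SP}}}TransportToken/{{{WSP}}}Policy/{{{SP}}}HttpsToken")
    suite = _local(tb.find(f"{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*"))
    return {
        "policy_id": root.get(f"{{{WSU}}}Id"),
        "https": https is not None,
        "require_client_cert": https is not None
        and https.get("RequireClientCertificate", "false").lower() == "true",
        "algorithm_suite": suite,
        # Suites without "Sha256" in the name (Basic256, Basic128, ...) use SHA-1 digests.
        "digest": "SHA-256" if suite and "Sha256" in suite else "SHA-1",
        "layout": _local(tb.find(f"{{{SP}}}Layout/{{{WSP}}}Policy/*")),
        "include_timestamp": tb.find(f"{{{SP}}}IncludeTimestamp") is not None,
        "wss10_refs": sorted(
            _local(e) for e in root.findall(f".//{{{SP}}}Wss10/{{{WSP}}}Policy/*")),
    }


def check_client_conduit(reqs, conduit_xml):
    """List mismatches and weak settings of an http:conduit against the
    parsed requirements; an empty list means nothing was flagged."""
    findings = []
    tls = ET.fromstring(conduit_xml).find(f".//{{{HTTP}}}tlsClientParameters")
    if tls is None:
        return ["policy requires HTTPS but conduit has no http:tlsClientParameters"] \
            if reqs["https"] else []
    if tls.get("disableCNCheck", "false").lower() == "true":
        findings.append('disableCNCheck="true": server hostname is not checked against '
                        "its certificate; any certificate the trust store accepts "
                        "passes for this endpoint")
    if reqs["require_client_cert"] and tls.find(f"{{{SEC}}}keyManagers") is None:
        findings.append("policy requires a client certificate but conduit has no "
                        "sec:keyManagers")
    if tls.find(f"{{{SEC}}}trustManagers") is None:
        findings.append("no sec:trustManagers: the JVM default trust store decides "
                        "which server certificates are accepted")
    if reqs["digest"] == "SHA-1":
        findings.append(f"algorithm suite {reqs['algorithm_suite']} uses SHA-1 "
                        "digests; a Sha256 suite is preferable")
    return findings


if __name__ == "__main__":
    reqs = parse_transport_binding(POLICY_XML)
    for key, value in reqs.items():
        print(f"{key}: {value}")
    for finding in check_client_conduit(reqs, CLIENT_CONDUIT_XML):
        print("finding:", finding)
```

Run against the Example 6.1 conduit the audit flags the disabled hostname check and the SHA-1 digests of Basic256; the hardened copy is left with only the algorithm suite finding, which can only be resolved in the policy itself. The same parse function can be pointed at a policy extracted from a live WSDL, which is the discovery the first paragraph describes.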