Signed parts methods using the WSSSignPart API
Configure the signed parts information for the generator binding using the WSS API. The algorithms include the digest and transform methods.
We can protect message integrity by configuring signed parts and key information. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.
Methods
Methods that are used for the signed parts include the:
- Digest method: sets the digest algorithm method.
- Transform algorithm: sets the transform algorithm method.
Digest algorithms
The digest method algorithm specified within the <DigestMethod> element is used in the <Reference> element. WAS supports the following pre-configured algorithms:
Table 1. Signed parts digest methods
- WSSSignPart.SHA1 (the default value): A URI of the digest algorithm, SHA1: http://www.w3.org/2000/09/xmldsig#sha1
- WSSSignPart.SHA256: A URI of the digest algorithm, SHA256: http://www.w3.org/2001/04/xmlenc#sha256
- WSSSignPart.SHA512: A URI of the digest algorithm, SHA512: http://www.w3.org/2001/04/xmlenc#sha512
Transform algorithms
The transform method algorithm specified within the <Transform> element is used in the <Reference> element. WAS supports the following pre-configured algorithms:
Table 2. Signed parts transform methods
- WSSSignPart.TRANSFORM_ENVELOPED_SIGNATURE: A URI of the transform algorithm, enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature
- WSSSignPart.TRANSFORM_STRT10: A URI of the transform algorithm, STR-Transform: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- WSSSignPart.TRANSFORM_EXC_C14N (the default value): A URI of the transform algorithm, Exc-C14N: http://www.w3.org/2001/10/xml-exc-c14n#
- WSSSignPart.TRANSFORM_XPATH2_FILTER: A URI of the transform algorithm, XPath2 filter: http://www.w3.org/2002/06/xmldsig-filter2
The transform algorithm is specified within the <Transform> element and specifies the transform algorithm for the signed part. For the WSS APIs, WAS does not support the following transform algorithms:
- http://www.w3.org/TR/1999/REC-xpath-19991116
- http://www.w3.org/2002/07/decrypt#XML
Example
The following example provides sample WSS API code for specifying the signature and signed parts, setting the signing key, and adding the STR-Transform transform algorithm to the signed part:

import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// get the message context
Object msgcontext = getMessageContext();
// generate WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();
// generate WSSGenerationContext instance
WSSGenerationContext gencont = factory.newWSSGenerationContext();
// generate callback handler (keystore path, type, password, key alias, key password, subject DN)
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
        "",
        "dsig-sender.ks",
        "jks",
        "client".toCharArray(),
        "soaprequester",
        "client".toCharArray(),
        "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP",
        null);
// generate the security token used for the signature
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
// generate WSSSignature instance
WSSSignature sig = factory.newWSSSignature(token);
// generate WSSSignPart instance
WSSSignPart sigPart = factory.newWSSSignPart();
// set the part specified by WSSSignPart
sigPart.setSignPart(WSSSignature.BODY);
// set the digest method specified by WSSSignPart
sigPart.setDigestMethod(WSSSignPart.SHA256);
// set the transform method specified by WSSSignPart
sigPart.addTransform(WSSSignPart.TRANSFORM_STRT10);
// add the part specified by WSSSignPart to the signature
sig.addSignPart(sigPart);
// add the WSSSignature to the WSSGenerationContext
gencont.add(sig);
// generate the WS-Security header
gencont.process(msgcontext);
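As an added example that is not part of the WebSphere documentation, the following code signs both the SOAP body and the WS-Security timestamp, setting an explicit SHA-256 digest and Exc-C14N transform on each WSSSignPart rather than relying on the SHA1 default. It reuses the keystore values from the sample above; the WSSTimestamp class, WSSFactory.newWSSTimestamp() and the WSSSignature.TIMESTAMP keyword are assumed to belong to the same WSS API.

```java
// Added example, not the documentation's own sample. Assumes WSSTimestamp,
// WSSFactory.newWSSTimestamp() and WSSSignature.TIMESTAMP from the WSS API.
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.WSSTimestamp;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignPart;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

public class SignBodyAndTimestamp {

    // Builds one WSSSignPart with an explicit digest and transform, so no part
    // silently falls back to the SHA1 / Exc-C14N defaults without review.
    static WSSSignPart signPart(WSSFactory factory, int keyword,
                                String digest, String transform) throws WSSException {
        WSSSignPart sigPart = factory.newWSSSignPart();
        sigPart.setSignPart(keyword);
        sigPart.setDigestMethod(digest);
        sigPart.addTransform(transform);
        return sigPart;
    }

    public static void sign(Object msgcontext) throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSGenerationContext gencont = factory.newWSSGenerationContext();

        // The timestamp has to exist in the generation context before it can be signed.
        WSSTimestamp timestamp = factory.newWSSTimestamp();
        gencont.add(timestamp);

        // Same keystore values as the page's sample.
        X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
                "", "dsig-sender.ks", "jks", "client".toCharArray(),
                "soaprequester", "client".toCharArray(),
                "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", null);
        SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
        WSSSignature sig = factory.newWSSSignature(token);

        // Digest and transform are per part: each signed part gets its own WSSSignPart.
        sig.addSignPart(signPart(factory, WSSSignature.BODY,
                WSSSignPart.SHA256, WSSSignPart.TRANSFORM_EXC_C14N));
        sig.addSignPart(signPart(factory, WSSSignature.TIMESTAMP,
                WSSSignPart.SHA256, WSSSignPart.TRANSFORM_EXC_C14N));

        gencont.add(sig);
        gencont.process(msgcontext); // emits the WS-Security header with both references
    }
}
```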
Related tasks
- Add signed parts using the WSSSignPart API
- Verifying consumer signing information to protect message integrity using WSS APIs
Related
- Digital signing methods using the WSSSignature API
- Signature verification methods using the WSSVerification API
- Choose the verify parts methods using the WSSVerifyPart API