
Web Services Addressing security considerations


It is essential that communications using Web Services Addressing (WS-Addressing) are adequately secured and that a sufficient level of trust is established between the communicating parties. You can achieve secure communications through the signing of WS-Addressing message-addressing properties and the encryption of endpoint references.

Perform these actions for both supported addressing namespaces, http://www.w3.org/2005/08/addressing and http://schemas.xmlsoap.org/ws/2004/08/addressing, even if you intend to use only one of them.


Signing of WS-Addressing message-addressing properties

You can use an assembly tool to specify the message-addressing properties, and therefore the WS-Addressing message elements, that require signing, or that require signature verification on inbound requests. The receiver of the message might rely on the presence of this verifiable signature to determine that the outbound message originated from a trusted source. Similarly, the lack of a verifiable signature that is associated with the specified inbound message addressing properties causes the rejection of the message with a SOAP fault.

 

Encryption of endpoint references

You can encrypt endpoint references as part of the SOAP header or SOAP body. Alternatively, you can remove the need for encryption by not placing sensitive information in the address or reference parameters properties of the endpoint reference.

 

Use of the synchronous message exchange pattern

This method applies to JAX-WS applications only.

If you do not secure the WS-Addressing information in the SOAP message with one or more of the previous methods, and WS-Security is not enabled, the ReplyTo and FaultTo elements of the SOAP message can be used to direct replies and faults to a third party, so that your service takes part in a denial-of-service attack against that party. To prevent such attacks, apply a WS-Addressing policy type and configure it to specify synchronous messaging only. You should also enable WS-Policy so that this requirement is communicated to clients.
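The signing requirement described under "Signing of WS-Addressing message-addressing properties" and the synchronous-only requirement above both reduce to checks that a handler can make on each inbound envelope: are the required addressing headers covered by the WS-Security signature, and do ReplyTo and FaultTo stay on the existing connection? The following Python is an added example, not IBM's code or the WebSphere implementation. It assumes that signed headers carry a wsu:Id referenced by a ds:Reference element, as WS-Security does; it checks only which headers the signature covers and leaves verification of the signature value to the WS-Security runtime. It handles both supported addressing namespaces, and the sample messages are constructed for the example.

```python
# Added example: policy checks on inbound WS-Addressing headers (not IBM code).
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSA_2005 = "http://www.w3.org/2005/08/addressing"
WSA_2004 = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSA_NAMESPACES = (WSA_2005, WSA_2004)

# Addresses that keep the reply on the current connection (anonymous) or
# suppress it (none); anything else names a third party.
SYNC_SAFE_ADDRESSES = {
    WSA_2005 + "/anonymous",
    WSA_2005 + "/none",
    WSA_2004 + "/role/anonymous",
}
# Headers the (assumed) assembly-tool policy marks as requiring a signature.
SIGNED_HEADERS = ("To", "Action", "MessageID", "ReplyTo", "FaultTo")


def _ns(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def wsa_headers(envelope):
    """Direct children of soap:Header in either WS-Addressing namespace."""
    header = envelope.find("{%s}Header" % SOAP_NS)
    if header is None:
        return []
    return [h for h in header if _ns(h.tag) in WSA_NAMESPACES]


def signed_ids(envelope):
    """wsu:Id values named by ds:Reference URI="#..." anywhere in the envelope."""
    ids = set()
    for ref in envelope.iter("{%s}Reference" % DS_NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def unsigned_addressing_headers(envelope):
    """Required addressing headers that are present but not covered by a signature."""
    signed = signed_ids(envelope)
    return [_local(h.tag) for h in wsa_headers(envelope)
            if _local(h.tag) in SIGNED_HEADERS
            and h.get("{%s}Id" % WSU_NS) not in signed]


def non_synchronous_targets(envelope):
    """(header, address) pairs where ReplyTo/FaultTo leave the current connection."""
    bad = []
    for h in wsa_headers(envelope):
        if _local(h.tag) not in ("ReplyTo", "FaultTo"):
            continue
        addr = h.find("{%s}Address" % _ns(h.tag))
        value = (addr.text or "").strip() if addr is not None else ""
        if value not in SYNC_SAFE_ADDRESSES:
            bad.append((_local(h.tag), value))
    return bad


def check_envelope(xml_text):
    """Return the list of policy violations; an empty list means accept."""
    env = ET.fromstring(xml_text)
    problems = ["wsa:%s is not covered by the WS-Security signature" % n
                for n in unsigned_addressing_headers(env)]
    problems += ["wsa:%s targets a non-anonymous endpoint: %s" % (n, a)
                 for n, a in non_synchronous_targets(env)]
    return problems


# Constructed sample: 2005/08 namespace, anonymous ReplyTo, headers signed.
SAMPLE_OK = """<e:Envelope xmlns:e="%s" xmlns:wsa="%s" xmlns:wsu="%s" xmlns:ds="%s">
<e:Header>
 <wsa:To wsu:Id="to">http://service.example/svc</wsa:To>
 <wsa:Action wsu:Id="act">urn:example:op</wsa:Action>
 <wsa:ReplyTo wsu:Id="rt"><wsa:Address>%s/anonymous</wsa:Address></wsa:ReplyTo>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#to"/><ds:Reference URI="#act"/><ds:Reference URI="#rt"/>
 </ds:SignedInfo></ds:Signature>
</e:Header><e:Body/></e:Envelope>""" % (SOAP_NS, WSA_2005, WSU_NS, DS_NS, WSA_2005)

# Constructed sample: 2004/08 namespace, no signature, FaultTo names a third party.
SAMPLE_BAD = """<e:Envelope xmlns:e="%s" xmlns:wsa="%s">
<e:Header>
 <wsa:To>http://service.example/svc</wsa:To>
 <wsa:Action>urn:example:op</wsa:Action>
 <wsa:ReplyTo><wsa:Address>%s/role/anonymous</wsa:Address></wsa:ReplyTo>
 <wsa:FaultTo><wsa:Address>http://third-party.example/sink</wsa:Address></wsa:FaultTo>
</e:Header><e:Body/></e:Envelope>""" % (SOAP_NS, WSA_2004, WSA_2004)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_envelope(sample) or "accepted")
```

A real deployment would reject a message with any violation using a SOAP fault, as the signing section describes, and would apply the synchronous-only check before the runtime creates any outbound connection for the reply or fault.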



 

Related concepts


Web Services Addressing support

 

Related tasks


Set the WS-Addressing policy