Web Services Addressing security
Communications that use Web Services Addressing (WS-Addressing) must be adequately secured, and a sufficient level of trust must be established between the communicating parties. The WS-Addressing message-addressing properties (for example To, Action, MessageID, ReplyTo and FaultTo) travel as ordinary SOAP headers, so unless they are protected they can be forged or altered in transit. We can secure them by signing the WS-Addressing message-addressing properties and by encrypting endpoint references.
Apply these measures to both supported addressing namespaces, http://www.w3.org/2005/08/addressing and http://schemas.xmlsoap.org/ws/2004/08/addressing, even if we intend to use only one of them: an inbound message can carry addressing headers in either namespace, and a requirement that covers only one leaves the other unprotected.
Signing of WS-Addressing message-addressing properties
Use an assembly tool to specify the message-addressing properties, and therefore the WS-Addressing message elements, that require signing on outbound messages, or that require signature verification on inbound requests. The receiver can rely on the presence of a verifiable signature over these elements to determine that the message originated from a trusted source and that its addressing headers were not altered in transit. Conversely, an inbound message that lacks a verifiable signature over the specified message-addressing properties is rejected with a SOAP fault.
Encryption of endpoint references
We can encrypt endpoint references carried in the SOAP header (such as the ReplyTo and FaultTo properties) or in the SOAP body. Alternatively, we can remove the need for encryption by not placing sensitive information in the address or the reference parameters of the endpoint reference.
Use of the synchronous message exchange pattern
This method applies to JAX-WS applications only.
If we do not secure the WS-Addressing information in the SOAP message using one or more of the previous methods, and WS-Security is not enabled, the ReplyTo and FaultTo headers are entirely under the sender's control: the service sends its response or fault to whatever address they name, so an attacker can use the service to reflect traffic at a third party, potentially as part of a Denial of Service attack. To prevent such attacks, apply a WS-Addressing policy type and configure it to specify synchronous messaging only, so that replies and faults are returned only on the same connection as the request (the anonymous address) and any other ReplyTo or FaultTo address is rejected. We should also enable WS-Policy so that this requirement is communicated to clients.
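The check that synchronous-only messaging imposes, shown as an added example (it is not code from the original page or from the WebSphere product): the function below parses an inbound SOAP envelope, looks for ReplyTo and FaultTo in both supported addressing namespaces, and reports any endpoint reference that does not use that namespace's anonymous address. The sample envelopes and the host names in them are constructed for this illustration.

```python
"""Synchronous-only check for WS-Addressing ReplyTo/FaultTo.

Added example, not WebSphere product code. A ReplyTo or FaultTo whose Address
is anything other than the anonymous URI tells the service to deliver the
response (or fault) to a third party, which is the reflection scenario the
text above describes. Both supported addressing namespaces are checked.
"""
import xml.etree.ElementTree as ET

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Anonymous address per namespace: "send the reply on the same connection".
ANONYMOUS = {
    "http://www.w3.org/2005/08/addressing":
        "http://www.w3.org/2005/08/addressing/anonymous",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing":
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}
# The 2005/08 namespace also defines "none": no reply is sent at all,
# which cannot be used to reflect traffic, so it is accepted too.
NONE_2005 = "http://www.w3.org/2005/08/addressing/none"


def synchronous_only_check(envelope_xml: str) -> list[str]:
    """Return a list of violations; an empty list means the message is acceptable.

    A missing ReplyTo or FaultTo defaults to the anonymous address in both
    specifications, so only explicitly present headers are examined.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP11_ENV}}}Header")
    if header is None:
        header = root.find(f"{{{SOAP12_ENV}}}Header")
    if header is None:
        return []  # no SOAP header at all: addressing defaults apply

    violations = []
    for ns, anonymous in ANONYMOUS.items():
        allowed = {anonymous}
        if ns == "http://www.w3.org/2005/08/addressing":
            allowed.add(NONE_2005)
        for prop in ("ReplyTo", "FaultTo"):
            for epr in header.findall(f"{{{ns}}}{prop}"):
                addr = epr.find(f"{{{ns}}}Address")
                value = (addr.text or "").strip() if addr is not None else ""
                if value not in allowed:
                    violations.append(f"{prop} in {ns} is not anonymous: {value!r}")
    return violations


# Constructed sample: the sender asks for the reply and any fault to be
# delivered to a host of its choosing (victim.example is a made-up name).
REFLECTED_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:PlaceOrder</wsa:Action>
    <wsa:MessageID>urn:uuid:00000000-0000-4000-8000-000000000001</wsa:MessageID>
    <wsa:To>http://service.example/orders</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://victim.example/sink</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://victim.example/sink</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><PlaceOrder xmlns="urn:example"/></soap:Body>
</soap:Envelope>"""

# Same request, but with the anonymous address: replies stay on this connection.
SYNC_REQUEST = REFLECTED_REQUEST.replace(
    "http://victim.example/sink", "http://www.w3.org/2005/08/addressing/anonymous")

# Constructed sample in the older 2004/08 namespace: ReplyTo is anonymous but
# FaultTo still points off-connection, so exactly one violation is expected.
LEGACY_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:PlaceOrder</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://victim.example/sink</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><PlaceOrder xmlns="urn:example"/></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for name, msg in (("reflected", REFLECTED_REQUEST),
                      ("synchronous", SYNC_REQUEST),
                      ("legacy", LEGACY_REQUEST)):
        problems = synchronous_only_check(msg)
        print(name, "->", "accept" if not problems else "reject: " + "; ".join(problems))
```

A service that enforces this rule would answer a rejected request with a SOAP fault rather than sending anything to the named address; the WS-Addressing 1.0 SOAP binding defines the wsa:OnlyAnonymousAddressSupported fault subcode for exactly this case. Note that the check by itself does not establish who sent the message; signing the message-addressing properties, as described earlier, is what provides that assurance.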
Configure the WS-Addressing policy