Add decrypted parts using the WSSDecryptPart API
We can secure the SOAP messages, without using policy sets for configuration, using the Web Services Security APIs (WSS API). To configure decrypted parts for the response consumer (client side) bindings, use the WSSDecryptPart API to define and add to the listing of elements in the decrypted part. WSSDecryptPart is an interface that is part of the com.ibm.websphere.wssecurity.wssapi.decryption package.
We can use either the WSS APIs or configure the policy sets using the console to configure and add new encrypted parts. To secure SOAP messages using the WSSDecryptPart APIs, configure the decrypted parts for the response consumer bindings.
Confidentiality settings require that confidentiality constraints be applied to generated messages. These constraints include specifying which message parts within the generated message must be encrypted and decrypted, and which message parts to attach encrypted elements to.
The WSSDecryptPart API specifies information related to decryption and sets the decrypted parts that have been added for message confidentiality protection. Use the WSSDecryptPart to set the transform method and to specify the part to which the transform method is to be applied. Sets the transform method only if using SOAP with Attachments. The WSSDecryptPart is usually not needed except, in some case for tasks such as setting the transform method.
The decrypted parts displayed in the following table are used to protect the confidentiality of messages.
Decrypted parts Description keyword Sets the decrypted part using keywords. The default decrypted parts that we can add using keywords are the BODY_CONTENT and SIGNATURE. WebSphere Application Server supports the following keywords:
- BODY_CONTENT
- SIGNATURE
- USERNAME_TOKEN
xpath Sets the decrypted part using an XPath expression. verification Sets the WSSVerification component as a decrypted part. The WSSVerification part is applicable only if the SOAP message contains a signature element.
header Sets the header, specified by QName, as a decrypted part. For decrypted parts, certain default behaviors occur. The simplest way to use the WSSDecryptPart API is to use the default behavior (see the example code).
WSSDecryptPart provides defaults for setting the transform algorithm, adding a transform method, setting objects as targets, whether an element, and the encrypted parts, such as: the SOAP body content and the signature.
Decryption decisions Default behavior Which SOAP message parts to decrypt using keywords Specifies which keywords to use for the decrypted parts. WebSphere Application Server sets the following SOAP message parts by default for decryption:
- WSSDecryption.BODY_CONTENT
- WSSDecryption.SIGNATURE
Which transform algorithm to use (algorithm) WAS does not specify any transform algorithm by default. Specify a transform method only if using SOAP with Attachments.
- To decrypt the SOAP message parts using the WSSDecryptPart API, first ensure that the application server is installed.
- The WSS API process using WSSDecryptPart follows these steps:
- Uses WSSFactory.getInstance() to get the WSS API implementation instance.
- Creates the WSSConsumingContext instance from the WSSFactory instance. Note that the WSSConsumingContext must always be called in a JAX-WS client application.
- Creates the SecurityToken from WSSFactory to configure decryption.
- Creates WSSDecryption from the WSSFactory instance using SecurityToken.
- Creates WSSDecryptPart from the WSSFactory instance. The default behavior of WSSDecryptPart is to assume that the body content and signature are encrypted.
- Add the parts to be decrypted and to be applied with the transform in WSSDecryptPart. WebSphere Application Server sets these encrypted parts by default for WSSDecryptPart: the BODY_CONTENT and SIGNATURE. After you add other decrypted parts, the default values are no longer valid. For example, if you call addDecryptPart(securityToken, false), only the security token is encrypted, and not the signature and body content. So to decrypt the security token, the signature, and the body content, we must call addDecryptPart(securityToken, false), addDecryptPart(WSSDecryption.SIGNATURE), and addDecryptPart(WSSDecryption.BODY_CONTENT).
- Sets the transform method.
- Add WSSDecryptPart to WSSDecryption.
- Add WSSDecryption to WSSConsumingContext.
- Calls WSSConsumingContext.process() with the SOAPMessageContext
Results
If there is an error condition when decrypting the message, a WSSException is provided. If successful, the API calls the WSSConsumingContext.process(), the WS-Security header is generated, and the SOAP message is now secured using Web Services Security.
What to do next
After enabling decrypted parts for the response consumer (client side) binding, specify the generator and consumer tokens, if the security tokens have not already been specified.
Related concepts
Encrypted SOAP headers
Related tasks
Configure decryption methods to protect message confidentiality using the WSS APIs Configure generator security tokens using the WSS API Configure the consumer security tokens using the WSS API Add encrypted parts using the WSSEncryptPart API