SOAP signature components
This graphic illustrates the concept of a SOAP signature:
Using the SOAP transport hook, you can plug in security components, namely a signer and a verifier that has logging capability. The transport hook is called the EnvelopeEditor. A PluggableEnvelopeEditor is also provided, which allows you to plug in your own security components. As illustrated, the EnvelopeEditor is encapsulated in the SOAPTransport on the client side. On the server side, the EnvelopeEditor is encapsulated in the RPC/MessageRouterServlet. This means the same components can be used on either the client or the server side.
See Envelope Editor for instructions on enabling and using this pluggable component.
When a client application sends a request, the request is signed and transmitted to the server. At the server, the request is verified and delivered to a server application or, in the case of an RPC, to a Java(TM) object. The response is processed in the same manner. The verifier component also has a logging function that logs the verified messages to a file. Both the signer and the verifier components are configurable: you can specify the encryption algorithm, the message digest algorithm, the certificate path policy, and other security settings.
You can control and customize how the SOAP envelope performs the signature and verification processes through these components:
- Signature Header Handler
  - The Signature Header Handler is an XML-based configuration file.
  - It provides a template for <SignedInfo> (for customizing the references, the signature and hash algorithms, the C14N algorithm, and an optional timestamp).
  - It also provides a template for <KeyInfo> (for customizing the public key, such as an X.509 certificate).
- Verification Header Handler
  - The Verification Header Handler is an XML-based configuration file.
  - It provides a configurable policy (required scope of signature, trusted root, certstore, certpathchecker).
  - It provides an exit for logging (and for additional application-specific verification). A reference implementation of the logging component is also provided.
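The signer and verifier roles described above, as an added example that is not the product's EnvelopeEditor code: it uses the JDK's XML Digital Signature API (Java 11 or later) and builds the SignedInfo (a reference to the Body, SHA-256 digest, RSA-SHA256, exclusive C14N) and the KeyInfo in code instead of from the template files. The envelope and key pair are constructed inline, a pinned public key stands in for the trusted root, and the verifier enforces the required-scope policy by rejecting any signature that does not cover the Body.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SoapSignatureDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample envelope; the Body carries an Id so a Reference can target it.
    static final String ENVELOPE = "<e:Envelope xmlns:e=\"" + SOAP_NS + "\"><e:Header/><e:Body Id=\"body\"><getBalance>42</getBalance></e:Body></e:Envelope>";
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        ((Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0)).setIdAttribute("Id", true); // so "#body" resolves
        return doc;
    }
    // Signer: code equivalent of the SignedInfo template (reference, digest, signature, C14N) and the KeyInfo template (bare public key here, not an X.509 cert).
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#body", fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(List.of(kif.newKeyValue(kp.getPublic())));
        Node header = doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), header)); // <Signature> is added to the Header
    }
    // Verifier policy: pinned key (stand-in for a trusted root), exactly one signature, and it must cover the Body.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean coversBody = sig.getSignedInfo().getReferences().stream().anyMatch(r -> "#body".equals(((Reference) r).getURI()));
        return coversBody && sig.validate(ctx); // required-scope check first, then cryptographic validation
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        Document doc = parse(ENVELOPE);
        sign(doc, kp);
        System.out.println("untouched envelope verifies: " + verify(doc, kp.getPublic()));
        doc.getElementsByTagName("getBalance").item(0).setTextContent("9999"); // tamper with the Body after signing
        System.out.println("tampered envelope verifies: " + verify(doc, kp.getPublic()));
    }
}
```

Running it prints one verification result before and one after the Body is modified; the second fails because the digest recorded in the signed reference no longer matches the Body.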