
Signature confirmation

Web Services Security signature confirmation is an enhancement to XML digital signature that is included in the Web Services Security standard. XML digital signature is used to sign elements of the SOAP envelope.

As one of the extensions to the OASIS SOAP message security specification, the signature confirmation element incorporates the elements that are needed within the response message in order to confirm the signature contained in a request message. XML digital signature and signature confirmation help to provide more secure message-level security.

Web Services Security v1.0 for SOAP message security did not provide any guidance on how to confirm mutual understanding of the request that prompted a response. The SignatureConfirmation element, <wsse11:SignatureConfirmation>, was added in the Web Services Security v1.1 specification. The <wsse11:SignatureConfirmation> element ensures that the signature is processed by the intended recipient and indicates that the responder has processed the signature in the request. The signature confirmation element is part of the updated Web Services Security standard and enables interoperability with other vendors that support the v1.1 standards, such as Microsoft .NET.

Because of the stateless nature of web services and due to different message exchange patterns (MEPs), consider the following assumptions:


Syntax

The SignatureConfirmation element indicates that the responder has processed the signature in the request. When this element is not present in a response, the initiator interprets this to mean that the responder is not compliant.

The format for the signature confirmation element is as follows:

where:

wsu:Id

The identifier used when referencing this element in the <ds:SignedInfo> reference list of the signature of the associated response message. This attribute is required so that unambiguous references are made to this <wsse11:SignatureConfirmation> element.

Value

This attribute is optional and contains the contents of a <ds:SignatureValue> that is copied from the associated request. If the request is unsigned, this attribute must not be present. If this attribute is specified without a value (empty), the initiator interprets this as incorrect behavior and processes it accordingly. When this attribute is not present, the initiator interprets this to mean the response is based on a request that was not signed.


Configuration

To configure signature confirmation, configure the policy file using the dmgr console, and select Require signature confirmation. To process signature confirmation correctly, the initiator of the request must preserve the request signatures during request generator processing and later retrieve them for the confirmation checks.
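The initiator-side check implied by the Syntax rules and the paragraph above, written in Python as an added example (it is not IBM's WSS API code). The function name, the simplified security-header fragment and the signature values are constructed for illustration; the example assumes the response signature itself is verified separately and that base64 values are compared with whitespace removed.

```python
import xml.etree.ElementTree as ET

WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _norm(b64):
    # Assumption: compare base64 text with all whitespace removed.
    return "".join(b64.split())

def check_confirmation(response_xml, sent_signature_values):
    """Return a list of problems (empty list = checks pass).
    sent_signature_values: <ds:SignatureValue> strings saved by the initiator
    while generating the request; empty for an unsigned request."""
    root = ET.fromstring(response_xml)  # use a hardened parser for untrusted input
    elems = list(root.iter(f"{{{WSSE11}}}SignatureConfirmation"))
    if not elems:
        return ["no SignatureConfirmation element: responder is not compliant"]
    # wsu:Id values referenced from the response signature's <ds:Reference> list.
    # Assumption: the response is signed and that signature is verified elsewhere.
    signed_ids = {r.get("URI", "").lstrip("#") for r in root.iter(f"{{{DS}}}Reference")}
    sent = {_norm(v) for v in sent_signature_values}
    problems, confirmed = [], set()
    for sc in elems:
        sc_id = sc.get(f"{{{WSU}}}Id")
        if not sc_id:
            problems.append("SignatureConfirmation lacks the required wsu:Id")
        elif sc_id not in signed_ids:
            problems.append(f"{sc_id}: not referenced by the response signature")
        value = sc.get("Value")
        if value is None:  # responder indicates the request was not signed
            if sent:
                problems.append("Value absent although the request was signed")
        elif not value.strip():
            problems.append("empty Value attribute: incorrect responder behavior")
        else:
            confirmed.add(_norm(value))
    problems += [f"request signature not confirmed: {v[:8]}..." for v in sorted(sent - confirmed)]
    problems += [f"confirmed a signature that was not sent: {v[:8]}..." for v in sorted(confirmed - sent)]
    return problems

# Constructed sample: simplified security-header fragment, made-up values.
SAMPLE_RESPONSE = f"""<Security xmlns:wsse11="{WSSE11}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse11:SignatureConfirmation wsu:Id="sc-1" Value="kpRyejY4uxwT9I74FYv8nQ=="/>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#sc-1"/></ds:SignedInfo></ds:Signature>
</Security>"""

if __name__ == "__main__":
    print(check_confirmation(SAMPLE_RESPONSE, ["kpRyejY4uxwT9I74FYv8nQ=="]))
    print(check_confirmation(SAMPLE_RESPONSE, ["AAAAc2lnbmF0dXJlLTI="]))
```

Comparing against the saved request values is what ties a response to the request that prompted it; a response that echoes a different signature value, or none for a signed request, is rejected.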


Response generation rules

Additional SOAP security elements for the SOAP responder confirm that the response relates to a particular request. The responder must include the contents of the <ds:SignatureValue> element of the request signature as the value of the @Value attribute of the <wsse11:SignatureConfirmation> element.

The following response generation rules apply when using the SignatureConfirmation policy assertion:


Related concepts:

XML encryption


Related information:

Web Services Security: SOAP Message Security 1.1

