SOAP Header Element "Security"

This section describes the SOAP header element "Security" introduced in WS-Security as a container to pass all security-related information.

As a SOAP extension, WS-Security introduces a new SOAP header element called "Security", which is designed to act as a container for all security-related information in SOAP request and response messages. Here is how the "Security" element is defined in the WS-Security schema:

<xsd:element name="Security" type="wsse:SecurityHeaderType"/>
<xsd:complexType name="SecurityHeaderType">
   <xsd:sequence>
      <xsd:any processContents="lax" minOccurs="0" 
         maxOccurs="unbounded"/>
   </xsd:sequence>
   <xsd:anyAttribute namespace="##other" processContents="lax"/>
</xsd:complexType>

As you can see from the above schema, the "Security" element type is defined to be extensible, so it can have any type of subelement and attribute.

Inside the "Security" element, we can add another new element called "UsernameToken" to pass a user name token for the purpose of message sender authentication. Here is how the "UsernameToken" element is defined in the WS-Security schema:

<xsd:element name="UsernameToken" type="wsse:UsernameTokenType"/>
<xsd:complexType name="UsernameTokenType">
   <xsd:sequence>
      <xsd:element name="Username" type="wsse:AttributedString"/>
      <xsd:any processContents="lax"
         minOccurs="0" maxOccurs="unbounded"/>
   </xsd:sequence>
   <xsd:attribute ref="wsu:Id"/>
   <xsd:anyAttribute namespace="##other" processContents="lax"/>
</xsd:complexType>

As you can see from the above schema, the "UsernameToken" element has a required subelement "Username" and an optional attribute "wsu:Id" (defined in a separate namespace called "wsu"). The "UsernameToken" element is also designed to be extensible, so it can have any other type of subelement and attribute.

Here is our first SOAP message example using the "Security" SOAP header to pass a "Username" in the "UsernameToken" to identify the SOAP message sender:

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
   xmlns:wsse="http://docs.oasis-open.org...wssecurity-secext-1.0.xsd"
   xmlns:yang="http://www.herongyang.com/">
   <soap:Header>
      <wsse:Security>
         <wsse:UsernameToken>
            <wsse:Username>Herong</wsse:Username>
         </wsse:UsernameToken>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
      <yang:Greeting>Hello Herong!</yang:Greeting>
   </soap:Body>
</soap:Envelope>

Notes on this example:

In this example, the WS-Security standard is used in a very simple way, just to pass a user name. The user name alone is an unverified claim about the sender. See the next section for how to add a user password and other security protections.
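
Because both schemas use xsd:any with processContents="lax", schema validation alone does not pin down what the header contains, so the receiver has to check the shape itself. The following Python example is added here and is not code from the original tutorial; it uses namespace-aware lookups and accepts a message only if it carries exactly one wsse:UsernameToken with one non-empty wsse:Username. Assumptions: the full OASIS namespace URI (abbreviated on this page), the one-Security-header policy, the constructed sample messages, and the names extract_username, build_sample and SecurityHeaderError.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 envelope namespace
# Full OASIS WSS 1.0 secext namespace (assumption: the page abbreviates it).
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP, "wsse": WSSE}

class SecurityHeaderError(ValueError):
    """The wsse:Security header is missing or not in the expected shape."""

def extract_username(message: bytes) -> str:
    """Return the claimed sender name from exactly one wsse:UsernameToken."""
    # SOAP forbids a DTD; this crude byte check assumes a UTF-8/ASCII message.
    if b"<!DOCTYPE" in message:
        raise SecurityHeaderError("DTD not allowed in a SOAP message")
    root = ET.fromstring(message)
    if root.tag != f"{{{SOAP}}}Envelope":
        raise SecurityHeaderError("not a SOAP 1.2 envelope")
    # Assumed policy: this receiver accepts exactly one Security header.
    headers = root.findall("soap:Header/wsse:Security", NS)
    if len(headers) != 1:
        raise SecurityHeaderError(f"expected 1 Security header, got {len(headers)}")
    # xsd:any (lax) lets anything in, so the shape is enforced here instead.
    tokens = headers[0].findall("wsse:UsernameToken", NS)
    if len(tokens) != 1:
        raise SecurityHeaderError(f"expected 1 UsernameToken, got {len(tokens)}")
    names = tokens[0].findall("wsse:Username", NS)
    if len(names) != 1 or not (names[0].text or "").strip():
        raise SecurityHeaderError("UsernameToken needs one non-empty Username")
    return names[0].text.strip()

def build_sample(header_xml: str) -> bytes:
    """Constructed test message modelled on the page's example."""
    return (f'<?xml version="1.0"?><soap:Envelope xmlns:soap="{SOAP}" '
            f'xmlns:wsse="{WSSE}"><soap:Header>{header_xml}</soap:Header>'
            f'<soap:Body/></soap:Envelope>').encode()

# Constructed sample: well-formed header, as in the page's message.
GOOD = build_sample("<wsse:Security><wsse:UsernameToken>"
                    "<wsse:Username>Herong</wsse:Username>"
                    "</wsse:UsernameToken></wsse:Security>")
# Constructed sample: same local names in another namespace, must be rejected.
SPOOF = build_sample('<Security xmlns="urn:example:other"><UsernameToken>'
                     "<Username>Herong</Username></UsernameToken></Security>")

if __name__ == "__main__":
    print(extract_username(GOOD))
```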

Last update: 2014.
