
<protection> Element

Specifies the portions of the SOAP message that are signed, encrypted, or both.

<policies> Element
  <policy> Element (Policy)
    <kerberosSecurity> Element

<protection requestAction>
  <request signatureOptions encryptBody />
  <response signatureOptions encryptBody />
  <fault signatureOptions encryptBody />
</protection>

Attributes and Elements

Attributes

Attribute Description

requestAction

Optional attribute. Specifies the value of the WS-Addressing Action SOAP header or, when that is not present, the value of the SOAPAction HTTP header.

Child Elements

Element Description

<fault> Element

Optional element. Specifies the portions of SOAP faults sent to or from an endpoint that are signed, encrypted, or both.

<request> Element

Optional element. Specifies the portions of SOAP requests sent to or from an endpoint that are signed, encrypted, or both.

<response> Element

Optional element. Specifies the portions of SOAP responses sent to or from an endpoint that are signed, encrypted, or both.

Parent Elements

Element Description

<anonymousForCertificateSecurity> Element

Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is not authenticated. WS-Security 1.1 is required for this assertion.

<mutualCertificate10Security> Element

Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion.

<kerberosSecurity> Element

Represents a turnkey security assertion that uses a KerberosToken security token to authenticate the client and protect SOAP messages.

<mutualCertificate11Security> Element

Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.1 is required for this assertion.

<usernameForCertificateSecurity> Element

Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is authenticated using a UsernameToken security token. WS-Security 1.1 is required for this assertion.

<usernameOverTransportSecurity> Element

Represents a turnkey security assertion that authenticates the client using a UsernameToken security token. The SOAP message is not encrypted or digitally signed, so a secure transport should be used with this assertion. WS-Security 1.1 or 1.0 can be used with this assertion.

Remarks

A security assertion can have zero or more <protection> elements. Use more than one <protection> element to apply protection requirements on a per-operation basis using the requestAction attribute. Each of the <protection> elements must have a unique requestAction attribute unless the requestAction is omitted. Only one of the <protection> elements can omit the requestAction attribute, and that element defines the default protection requirements for the policy.

The <protection> element has similar functionality to the <MessageParts> element used in WSE 2.0 policy in that they both specify the portions of a SOAP message that are signed or encrypted. The <protection> element, however, is used to set the digital signature and encryption requirements for the three types of SOAP messages that are sent to or from an endpoint: SOAP requests, SOAP responses, and SOAP faults. The <MessageParts> element was used on a per-policy basis that may or may not apply to all three types of SOAP messages.
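The two rules above (every requestAction unique, at most one default <protection>) are easy to violate when a policy file grows. The following added check, which is not part of WSE or this documentation, parses a policy file with Python's standard library, reports rule violations, and lists every <request>, <response> or <fault> whose body is left unsigned or unencrypted; the policy names, the action URI and the treatment of an absent encryptBody as "not encrypted" are constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a default <protection> plus one keyed on a requestAction.
GOOD_POLICY = """<policies>
  <policy name="perOperation">
    <kerberosSecurity deriveKeys="true">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
      <protection requestAction="http://contoso.example/GetPublicPrice">
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
  </policy>
</policies>"""

# Constructed sample that breaks both Remarks rules (duplicate action, two defaults).
BAD_POLICY = """<policies><policy name="broken"><kerberosSecurity>
  <protection><request encryptBody="true" /></protection>
  <protection><request encryptBody="true" /></protection>
  <protection requestAction="urn:a"><request encryptBody="true" /></protection>
  <protection requestAction="urn:a"><request encryptBody="true" /></protection>
</kerberosSecurity></policy></policies>"""

def check_protection(policy_xml):
    """Return (errors, findings): rule violations and unprotected message parts."""
    errors, findings = [], []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        name = policy.get("name")
        for assertion in policy:  # each turnkey assertion may carry <protection> elements
            seen, defaults = set(), 0
            for prot in assertion.findall("protection"):
                action = prot.get("requestAction")
                if action is None:
                    defaults += 1
                elif action in seen:
                    errors.append(f"{name}: duplicate requestAction {action}")
                seen.add(action)
                for part in prot:  # <request>, <response>, <fault>
                    label = (name, action or "<default>", part.tag)
                    # Assumption: an absent encryptBody is reported as "not encrypted".
                    if part.get("encryptBody", "false").lower() != "true":
                        findings.append(label + ("body not encrypted",))
                    if "IncludeSoapBody" not in part.get("signatureOptions", ""):
                        findings.append(label + ("body not signed",))
            if defaults > 1:
                errors.append(f"{name}: more than one <protection> omits requestAction")
    return errors, findings
```

Run it against a real policy file by passing its contents to check_protection; an empty error list and an empty or reviewed findings list is what you want before deploying the policy.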

Example

The following example demonstrates how to secure a SOAP message exchange using a KerberosToken security token. The policy file defines a policy named kerberosAuthenticationKerberosProtection whose assertion specifies that a KerberosToken security token is used to authenticate the client, digitally sign the SOAP message, and encrypt the <body> element of the SOAP message. The key used to generate the digital signature and the key used to encrypt the <body> element are not the same key; both are derived from the same key (deriveKeys="true").

<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/contoso4@contoso.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>

See Also

Reference

<request> Element
<response> Element
<fault> Element