<SecurityToken> Element

Specifies security token requirements.

<policyDocument> Element > <policies> Element > <Policy> Element > <Confidentiality> Element > <KeyInfo> Element > <SecurityToken> Element
<policyDocument> Element > <policies> Element > <Policy> Element > <Integrity> Element > <TokenInfo> Element > <SecurityToken> Element
<policyDocument> Element > <policies> Element > <Policy> Element > <Confidentiality> Element > <KeyInfo> Element > <SecurityToken> Element > <Claims> Element > <BaseToken> Element > <SecurityToken> Element
<policyDocument> Element > <policies> Element > <Policy> Element > <Integrity> Element > <TokenInfo> Element > <SecurityToken> Element > <Claims> Element > <BaseToken> Element > <SecurityToken> Element

<SecurityToken wse:IdentityToken="true">
  <Claims>SecurityTokenSpecificRequirement</Claims>
  <TokenIssuer>TheTokenIssuer</TokenIssuer>
  <TokenType>TheTokenType</TokenType>
</SecurityToken>

Attributes and Elements

Attributes

Attribute Description

wse:IdentityToken

Optional attribute. Specifies whether the security token is to be used to encrypt the SOAP response.

Child Elements

Element Description

<Claims> Element

Optional element. Specifies security token specific requirements.

<TokenIssuer> Element (WSE for Microsoft .NET) (1)

Optional element. Specifies the name of the trusted source that issued the security token.

<TokenType> Element

Optional element. Specifies the security token type.

Parent Elements

Element Description

<BaseToken> Element

Specifies the base token for a SecurityContextToken security token.

<KeyInfo> Element (WSE for Microsoft .NET) (1)

Specifies the requirements for security tokens used to encrypt SOAP messages.

<TokenInfo> Element

Specifies the requirements for security tokens used to sign SOAP messages.

Remarks

The only required child element of the <SecurityToken> element is the <TokenType> element, which specifies the security token type. For the list of supported security tokens, see <TokenType> Element. When the security token type is a security context token, use the <TokenIssuer> element to specify the security token service.

Use the wse:IdentityToken attribute when SOAP responses must be encrypted using the security token that signed a portion of the SOAP request and more than one security token may have signed that request. To determine which security token must be used to encrypt the SOAP response, add the wse:IdentityToken attribute to the <SecurityToken> element in both the <Integrity> and <Confidentiality> elements. Adding the attribute to a <SecurityToken> element within an <Integrity> assertion specifies that a security token matching the integrity assertion is the identity token: when a SOAP request is received with a security token that matches the one specified in the integrity assertion, policy sets the SoapContext.IdentityToken property of the request's SoapContext to the matched security token. Adding the attribute to a <SecurityToken> element within a <Confidentiality> element tells policy that SOAP responses must be encrypted using the security token held in SoapContext.IdentityToken for the SOAP request.

Note

WSE does not support the Usage attribute of the <SecurityToken> element.
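
The rules in the Remarks and the Note above can be checked offline before a policy file is deployed. The following Python script is an added example, not code from this page or from WSE: it parses a policy document with the standard library and reports a <SecurityToken> that lacks the required <TokenType> child, a Usage attribute on a <SecurityToken> (which WSE ignores), and a <Confidentiality> token marked wse:IdentityToken="true" with no <Integrity> token marked the same way, in which case SoapContext.IdentityToken is never set and the response cannot be encrypted as intended. The embedded policy is a constructed, shortened copy of the example on this page; the function name lint_policy and the namespace variables are the script's own.

```python
# Added lint for the <SecurityToken> rules described in the Remarks above.
# Not part of WSE or of this page; uses only the Python standard library.
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the policy document on this page.
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSE = "https://schemas.microsoft.com/wse/2003/06/Policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def q(ns, local):
    """Clark-notation tag name ({uri}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def lint_policy(xml_text):
    """Return a list of (wsu:Id, message) findings; an empty list means clean.

    Checks every <SecurityToken> inside an <Integrity> or <Confidentiality> assertion:
      1. a <TokenType> child is present (the only required child element);
      2. no Usage attribute is set (WSE does not support it on <SecurityToken>);
      3. if a <Confidentiality> token carries wse:IdentityToken="true", at least one
         <Integrity> token must too, otherwise SoapContext.IdentityToken is never set.
    """
    root = ET.fromstring(xml_text)
    findings = []
    identity_in = {"Integrity": [], "Confidentiality": []}
    for policy in root.iter(q(WSP, "Policy")):
        pid = policy.get(q(WSU, "Id"), "<no wsu:Id>")
        for assertion_name in ("Integrity", "Confidentiality"):
            for assertion in policy.iter(q(WSSP, assertion_name)):
                for tok in assertion.iter(q(WSSP, "SecurityToken")):
                    if tok.find(q(WSSP, "TokenType")) is None:
                        findings.append((pid, assertion_name +
                                         ": <SecurityToken> lacks the required <TokenType> child"))
                    if tok.get(q(WSP, "Usage")) is not None or tok.get("Usage") is not None:
                        findings.append((pid, assertion_name +
                                         ": Usage attribute on <SecurityToken> is not supported by WSE and is ignored"))
                    if tok.get(q(WSE, "IdentityToken")) == "true":
                        identity_in[assertion_name].append(pid)
    if identity_in["Confidentiality"] and not identity_in["Integrity"]:
        for pid in identity_in["Confidentiality"]:
            findings.append((pid, 'Confidentiality: wse:IdentityToken="true" is set, but no <Integrity> '
                                  "assertion marks an identity token, so SoapContext.IdentityToken is never set"))
    return findings


# Constructed, shortened copy of the policy document shown on this page
# (mappings and message-part predicates omitted; they do not affect these checks).
GOOD_POLICY = """<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy">
    <wsp:Policy wsu:Id="SignBodyAndAddressingHeaders">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims><wssp:SubjectName>CN=WSE2QuickStartClient</wssp:SubjectName></wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="x509-encrypt">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wssp:SecurityToken wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>"""

# Constructed broken variant: the <Confidentiality> token loses its <TokenType>, and the
# <Integrity> token loses wse:IdentityToken and gains an unsupported Usage attribute.
_last = GOOD_POLICY.rfind("<wssp:TokenType>")
_end = GOOD_POLICY.find("</wssp:TokenType>", _last) + len("</wssp:TokenType>")
BAD_POLICY = (GOOD_POLICY[:_last] + GOOD_POLICY[_end:]).replace(
    '<wssp:SecurityToken wse:IdentityToken="true">',
    '<wssp:SecurityToken wsp:Usage="wsp:Required">', 1)


if __name__ == "__main__":
    for label, doc in (("page example", GOOD_POLICY), ("broken copy", BAD_POLICY)):
        for pid, msg in lint_policy(doc) or [("-", "no findings")]:
            print("%-12s %-30s %s" % (label, pid, msg))
```

The lint deliberately treats a missing <Integrity> identity token as a finding only when some <Confidentiality> token depends on it; an <Integrity> token marked wse:IdentityToken="true" with no encrypting counterpart is harmless, it just leaves SoapContext.IdentityToken unused.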

Example

The following code example defines two policy assertions named SignBodyAndAddressingHeaders and x509-encrypt that require the <Body> element, timestamp header, and all WS-Addressing SOAP headers be signed using an X509SecurityToken with a subject of CN=WSE2QuickStartClient for SOAP requests and that SOAP responses be encrypted using the same security token, respectively.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/Service1.asmx">
      <operation requestAction="http://www.cohowinery.com/OrderWine">
        <!-- Soap requests must be signed.-->
        <request policy="#SignBodyAndAddressingHeaders" />
        <!-- SOAP responses must be encrypted. -->
        <response policy="#x509-encrypt"/>
        <!-- No policy for faults. -->
        <fault policy=""/>
      </operation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="SignBodyAndAddressingHeaders"
      xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
      xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy">
      <wsp:MessagePredicate
        Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wsp:Header(wsa:From) wse:Timestamp()
      </wsp:MessagePredicate>
      <wssp:Integrity wsp:Usage="wsp:Required"
        xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:TokenInfo>
          <SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext"
            wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:SubjectName>CN=WSE2QuickStartClient</wssp:SubjectName>
            </wssp:Claims>
          </SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body() wse:Timestamp() wse:Addressing()
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="x509-encrypt"
      xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy">
      <wssp:Confidentiality wsp:Usage="wsp:Required"
        xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:KeyInfo>
          <wssp:SecurityToken
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
            wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
        </wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

See Also

Reference

<Claims> Element
<TokenIssuer> Element (WSE for Microsoft .NET) (1)
<TokenType> Element

Concepts

Policy File Schema

Other Resources

Configuring a Web Service's Policy