<SecurityToken> Element
Specifies security token requirements.
Syntax hierarchy (the paths at which a <SecurityToken> element can appear):
<policyDocument> > <policies> > <Policy> > <Confidentiality> > <KeyInfo> > <SecurityToken>
<policyDocument> > <policies> > <Policy> > <Integrity> > <TokenInfo> > <SecurityToken>
<policyDocument> > <policies> > <Policy> > <Confidentiality> > <KeyInfo> > <SecurityToken> > <Claims> > <BaseToken> > <SecurityToken>
<policyDocument> > <policies> > <Policy> > <Integrity> > <TokenInfo> > <SecurityToken> > <Claims> > <BaseToken> > <SecurityToken>
<SecurityToken wse:IdentityToken="true">
    <Claims>SecurityTokenSpecificRequirement</Claims>
    <TokenIssuer>TheTokenIssuer</TokenIssuer>
    <TokenType>TheTokenType</TokenType>
</SecurityToken>
Attributes and Elements
Attributes
| Attribute | Description |
|---|---|
| wse:IdentityToken | Optional attribute. Specifies whether the security token is to be used to encrypt the SOAP response. |
Child Elements
| Element | Description |
|---|---|
| <Claims> Element | Optional element. Specifies security token specific requirements. |
| <TokenIssuer> Element | Optional element. Specifies the name of the trusted source that issued the security token. |
| <TokenType> Element | Optional element. Specifies the security token type. |
Parent Elements
| Element | Description |
|---|---|
| <BaseToken> Element | Specifies the base token for a SecurityContextToken security token. |
| <KeyInfo> Element | Specifies the requirements for security tokens used to encrypt SOAP messages. |
| <TokenInfo> Element | Specifies the requirements for security tokens used to sign SOAP messages. |
Remarks
The only required child element of the <SecurityToken> element is the <TokenType> element, which specifies the security token type. For the list of supported security tokens, see <TokenType> Element. When the security token type is a security context token, use the <TokenIssuer> element to specify the security token service.
Use the wse:IdentityToken attribute when SOAP responses must be encrypted using the security token that signed a portion of the SOAP request and more than one security token may have signed that request. To identify which security token encrypts the SOAP response, add the wse:IdentityToken attribute to the <SecurityToken> element in both the <Integrity> and <Confidentiality> assertions. On a <SecurityToken> element within an <Integrity> assertion, wse:IdentityToken specifies that a security token matching the integrity assertion is the identity token: when a SOAP request is received with a security token that matches the one specified in the integrity assertion, policy sets the SoapContext.IdentityToken property of the request to that token. On a <SecurityToken> element within a <Confidentiality> assertion, wse:IdentityToken tells policy that SOAP responses must be encrypted using the token held in SoapContext.IdentityToken for the SOAP request.
Note
WSE does not support the Usage attribute of the <SecurityToken> element.
Example
The following code example defines two policy assertions, named SignBodyAndAddressingHeaders and x509-encrypt. The first requires that the <Body> element, the timestamp header, and all WS-Addressing SOAP headers of SOAP requests be signed using an X509SecurityToken with a subject of CN=WSE2QuickStartClient; the second requires that SOAP responses be encrypted using the same security token.
Note
This code example is designed to demonstrate WSE features and is not intended for production use.
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/Service1.asmx">
      <operation requestAction="http://www.cohowinery.com/OrderWine">
        <!-- SOAP requests must be signed. -->
        <request policy="#SignBodyAndAddressingHeaders" />
        <!-- SOAP responses must be encrypted. -->
        <response policy="#x509-encrypt"/>
        <!-- No policy for faults. -->
        <fault policy=""/>
      </operation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="SignBodyAndAddressingHeaders"
                xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
                xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
                xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy">
      <wsp:MessagePredicate
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wsp:Header(wsa:From) wse:Timestamp()
      </wsp:MessagePredicate>
      <wssp:Integrity wsp:Usage="wsp:Required"
                      xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:TokenInfo>
          <SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext"
                         wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:SubjectName>CN=WSE2QuickStartClient</wssp:SubjectName>
            </wssp:Claims>
          </SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
            Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body() wse:Timestamp() wse:Addressing()
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="x509-encrypt"
                xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy">
      <wssp:Confidentiality wsp:Usage="wsp:Required"
                            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:KeyInfo>
          <wssp:SecurityToken
              xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
              wse:IdentityToken="true">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
            Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
        </wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
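As an added example (not part of the original WSE documentation), the following Python script checks a policy document against the rules stated in the Remarks: every <SecurityToken> carries a <TokenType>, no <SecurityToken> carries the Usage attribute that WSE does not support, and a wse:IdentityToken="true" on a <Confidentiality> token is paired with one on an <Integrity> token, since only the integrity assertion on the request sets SoapContext.IdentityToken. The two policy documents embedded in it are constructed for illustration and modelled on the example above; the namespace URIs are the ones declared in that example, and only the Python standard library is used.

```python
"""Added example: lint a WSE 2.0 policyDocument for the <SecurityToken> rules
stated in the Remarks (required <TokenType>, unsupported Usage attribute,
wse:IdentityToken pairing between integrity and confidentiality assertions)."""
import xml.etree.ElementTree as ET

# Namespace URIs as declared in the policy example on this page.
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSE = "https://schemas.microsoft.com/wse/2003/06/Policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


def _q(ns, local):
    """Clark-notation name that ElementTree uses for namespaced tags and attributes."""
    return "{%s}%s" % (ns, local)


def lint_policy_document(xml_text):
    """Return a list of problem strings; an empty list means the document passes."""
    root = ET.fromstring(xml_text)
    problems = []
    identity_in = {"Integrity": False, "Confidentiality": False}
    for policy in root.iter(_q(WSP, "Policy")):
        pid = policy.get(_q(WSU, "Id"), "(no wsu:Id)")
        for kind in ("Integrity", "Confidentiality"):
            for assertion in policy.iter(_q(WSSP, kind)):
                for token in assertion.iter(_q(WSSP, "SecurityToken")):
                    where = "%s/%s" % (pid, kind)
                    # Rule 1: <TokenType> is the only required child of <SecurityToken>.
                    token_type = token.find(_q(WSSP, "TokenType"))
                    if token_type is None or not (token_type.text or "").strip():
                        problems.append("%s: <SecurityToken> has no <TokenType>" % where)
                    # Rule 2: WSE does not support a Usage attribute on <SecurityToken>;
                    # it is flagged whatever namespace prefix it carries.
                    if any(name.split("}")[-1] == "Usage" for name in token.attrib):
                        problems.append("%s: Usage attribute on <SecurityToken> is not supported" % where)
                    # Rule 3: record where wse:IdentityToken="true" appears.
                    flag = token.get(_q(WSE, "IdentityToken"), "").strip().lower()
                    if flag not in ("", "true", "false"):
                        problems.append("%s: wse:IdentityToken must be true or false, got %r" % (where, flag))
                    elif flag == "true":
                        identity_in[kind] = True
    # The identity token is bound to SoapContext.IdentityToken by the integrity assertion
    # on the request; a confidentiality assertion alone has no token to encrypt with.
    if identity_in["Confidentiality"] and not identity_in["Integrity"]:
        problems.append('wse:IdentityToken="true" appears only in a <Confidentiality> '
                        'assertion; no <Integrity> assertion selects the identity token')
    return problems


def _policy_document(policies_xml):
    """Wrap constructed <wsp:Policy> fragments in a policyDocument with the WSE namespaces."""
    return ('<policyDocument xmlns="%s" xmlns:wsp="%s" xmlns:wssp="%s" xmlns:wse="%s" xmlns:wsu="%s">'
            '<policies>%s</policies></policyDocument>' % (WSE, WSP, WSSP, WSE, WSU, policies_xml))


# Constructed sample modelled on the page's example: the request policy marks the signing
# X.509 token as the identity token and the response policy encrypts with that token.
GOOD_POLICY = _policy_document("""
  <wsp:Policy wsu:Id="sign-request">
    <wssp:Integrity wsp:Usage="wsp:Required"><wssp:TokenInfo>
      <wssp:SecurityToken wse:IdentityToken="true"><wssp:TokenType>%s</wssp:TokenType></wssp:SecurityToken>
    </wssp:TokenInfo></wssp:Integrity>
  </wsp:Policy>
  <wsp:Policy wsu:Id="encrypt-response">
    <wssp:Confidentiality wsp:Usage="wsp:Required"><wssp:KeyInfo>
      <wssp:SecurityToken wse:IdentityToken="true"><wssp:TokenType>%s</wssp:TokenType></wssp:SecurityToken>
    </wssp:KeyInfo></wssp:Confidentiality>
  </wsp:Policy>""" % (X509V3, X509V3))

# Constructed sample with three defects: no <TokenType> on the signing token, a Usage
# attribute on the encryption token, and wse:IdentityToken="true" only on the response side.
BAD_POLICY = _policy_document("""
  <wsp:Policy wsu:Id="bad-sign">
    <wssp:Integrity wsp:Usage="wsp:Required"><wssp:TokenInfo>
      <wssp:SecurityToken><wssp:Claims><wssp:SubjectName>CN=Example</wssp:SubjectName></wssp:Claims></wssp:SecurityToken>
    </wssp:TokenInfo></wssp:Integrity>
  </wsp:Policy>
  <wsp:Policy wsu:Id="bad-encrypt">
    <wssp:Confidentiality wsp:Usage="wsp:Required"><wssp:KeyInfo>
      <wssp:SecurityToken wsp:Usage="wsp:Required" wse:IdentityToken="true"><wssp:TokenType>%s</wssp:TokenType></wssp:SecurityToken>
    </wssp:KeyInfo></wssp:Confidentiality>
  </wsp:Policy>""" % X509V3)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy_document(doc) or "OK")
```

The pairing rule is evaluated across the whole document rather than per <wsp:Policy>, because, as in the example above, the request policy that selects the identity token and the response policy that encrypts with it are separate <wsp:Policy> elements referenced from the same <operation>. The check matches both the prefixed <wssp:SecurityToken> form and the default-namespace form used in the integrity assertion above, since both resolve to the same namespace URI.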
See Also
Reference
<Claims> Element
<TokenIssuer> Element
<TokenType> Element