<Integrity> Element

Specifies the digital signature requirements for a SOAP message.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)

<Integrity wsp:Usage="wsp:Required">
  <TokenInfo>
    <SecurityToken>...</SecurityToken>
  </TokenInfo>
  <MessageParts Dialect="..." Signer="...">
  </MessageParts>
  <Algorithm Type="wsse:AlgCanonicalization"
             URI="..." wsp:Preference="..."/>
</Integrity>

Attributes and Elements

Attributes

Attribute Description

wsp:Usage

Specifies how to process the digital signature requirement. Setting wsp:Usage to wsp:Required specifies that the SOAP message must be signed as specified by the assertion.

Child Elements

Element Description

<Algorithm> Element for <Integrity>

Optional element. Specifies the algorithm to use to compute the digital signature. WSE supports wsse:AlgCanonicalization, wsse:AlgSignature, wsse:AlgDigest, and wsse:AlgTransform.

<MessageParts> Element for <Integrity> Element

Required element. Specifies the portions of the SOAP message that must be signed.

<TokenInfo> Element

Optional element. Specifies the type of security token that must be used to sign the SOAP message.

Parent Elements

Element Description

<Policy> Element (WSE for Microsoft .NET) (1)

Specifies a SOAP message requirement.

Remarks

The <Integrity> element must contain a <TokenInfo> Element that names a security token type supported by WSE.

WSE supports the following values for the <MessageParts> element when it is used with the <Integrity> element: wsp:Body(), wsp:Header(anAddressingSoapHeader), wse:UsernameToken(), wse:Addressing(), and wse:Timestamp(). The anAddressingSoapHeader placeholder stands for any custom header one level below <soap:Header>, or for one of the following SOAP headers described in the WS-Addressing specification: <Action>, <FaultTo>, <From>, <MessageID>, <Recipient>, <RelatesTo>, <ReplyTo>, and <To>.

When using policy to require a digital signature on incoming SOAP messages, always pair the <Integrity> element with a <MessagePredicate> Element. An <Integrity> assertion on its own only requires that the XML elements listed in its <MessageParts> be signed if they are present in the SOAP message. A message that omits those elements altogether still satisfies the policy and is allowed to reach the Web service, so a caller can sidestep the signature requirement simply by leaving the listed headers out. A <MessagePredicate> element that lists the same parts closes this gap: it requires that those elements exist in the incoming message, which guarantees that the <Integrity> assertion actually applies to them.
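The distinction the preceding paragraph draws, shown as an added illustration that is not part of the original page and is not WSE's own code: a small Python model that parses the MessageParts expression used on this page, resolves each listed part in a constructed SOAP message, and reports whether the policy is satisfied with and without a <MessagePredicate>. The envelopes, wsu:Id values and addressing values are constructed for the example, and only signature coverage is modelled (which parts a ds:Reference points at, assuming the usual WS-Security URI="#wsu:Id" references); the cryptographic verification WSE performs is not reproduced.

```python
"""Model of how WSE checks an <Integrity> assertion against a SOAP message,
with and without a <MessagePredicate>. Constructed illustration, not WSE's
own code: it checks only signature coverage (which parts a ds:Reference
points at) and does not verify the signature's cryptography."""
import re
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/03/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# The MessageParts expression from the policy example on this page; a
# <MessagePredicate> closing the gap would carry the same expression.
REQUIRED_PARTS = ("wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) "
                  "wsp:Header(wsa:MessageID) wsp:Header(wsa:From)")
PART_RE = re.compile(r"wsp:(Body|Header)\(([^)]*)\)")


def parse_parts(expr):
    """'wsp:Body() wsp:Header(wsa:To)' -> [('Body', ''), ('Header', 'wsa:To')]."""
    return PART_RE.findall(expr)


def locate_part(env, kind, arg):
    """Resolve one part to its element, or None when the message lacks it."""
    if kind == "Body":
        return env.find("soap:Body", NS)
    prefix, local = arg.split(":")
    return env.find("soap:Header/%s:%s" % (prefix, local), NS)


def signed_ids(env):
    """wsu:Id values that the ds:Reference elements in wsse:Security point at."""
    path = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    return {ref.get("URI", "")[1:] for ref in env.findall(path, NS)
            if ref.get("URI", "").startswith("#")}


def check_integrity(soap_xml, parts_expr, message_predicate):
    """Return (allowed, problems).

    message_predicate=False models a policy with only <Integrity>: a listed
    part that is absent is not a violation, so a message that omits the
    headers passes. message_predicate=True models the same policy plus a
    <MessagePredicate> over the same parts: absence is a violation too."""
    env = ET.fromstring(soap_xml)
    covered = signed_ids(env)
    problems = []
    for kind, arg in parse_parts(parts_expr):
        name = "Body" if kind == "Body" else "Header(%s)" % arg
        el = locate_part(env, kind, arg)
        if el is None:
            if message_predicate:
                problems.append("missing: " + name)
            continue
        if el.get(WSU_ID) not in covered:
            problems.append("unsigned: " + name)
    return (not problems, problems)


# Constructed test envelope: addressing headers carry wsu:Id="Id-<name>", the
# Body carries wsu:Id="Id-body"; the signature value is a placeholder.
TEMPLATE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsa="%(wsa)s"
  xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soap:Header>
    <wsse:Security><ds:Signature><ds:SignedInfo>%(refs)s</ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></wsse:Security>
    %(headers)s
  </soap:Header>
  <soap:Body wsu:Id="Id-body"><SaleWidgets xmlns="http://www.cohowinery.com/"/></soap:Body>
</soap:Envelope>"""


def build_envelope(headers, signed):
    """headers: {wsa local name: text}; signed: wsu:Id values the signature covers."""
    fields = dict(NS)
    fields["headers"] = "".join('<wsa:%s wsu:Id="Id-%s">%s</wsa:%s>' % (n, n, v, n)
                                for n, v in headers.items())
    fields["refs"] = "".join('<ds:Reference URI="#%s"/>' % i for i in sorted(signed))
    return TEMPLATE % fields


ADDRESSING = {"To": "http://www.cohowinery.com/SaleWidgets.asmx",
              "Action": "http://www.cohowinery.com/SaleWidgets",
              "MessageID": "uuid:0001", "From": "http://client.example/"}

if __name__ == "__main__":
    stripped = build_envelope({}, {"Id-body"})      # no addressing headers at all
    print("Integrity only:       ", check_integrity(stripped, REQUIRED_PARTS, False))
    print("Integrity + Predicate:", check_integrity(stripped, REQUIRED_PARTS, True))
    partial = build_envelope(ADDRESSING, {"Id-body", "Id-Action", "Id-MessageID", "Id-From"})
    print("wsa:To left unsigned: ", check_integrity(partial, REQUIRED_PARTS, True))
```

Run stand-alone, the first call shows the weakness: a message carrying only a signed Body and none of the addressing headers is allowed by an <Integrity>-only policy, while the same message is rejected once the predicate is modelled. The third call shows the case both forms catch, a header that is present but not covered by the signature.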

The following table lists the possible values for the wsp:Usage attribute, as defined by the WS-Policy specification. WSE only supports the wsp:Required value for the wsp:Usage attribute. That is, only "required" assertions will get their policy enforcers invoked during enforcement.

Value Description

wsp:Required

Indicates that SOAP messages must contain a digital signature as specified in the assertion.

wsp:Rejected

Indicates that SOAP messages that are digitally signed as specified in the assertion are explicitly not supported.

wsp:Optional

Indicates that SOAP messages can be optionally digitally signed as specified in the assertion.

wsp:Observed

Indicates that SOAP messages must be digitally signed as specified in the assertion.

wsp:Ignored

Indicates that SOAP messages are not processed to determine if they meet this digital signature requirement.

Example

The following code example is a policy file specifying that every SOAP message sent to the http://www.cohowinery.com/SaleWidgets.asmx endpoint must have its <Body> element and its To, Action, MessageID, and From headers signed with a Kerberos service ticket issued by the COHOWINERY realm for the service principal host/computer1@cohowinery.com, that is, for communication between the current user and the computer named computer1 in the cohowinery.com domain. Because the request, response, and fault mappings all refer to the same policy, the requirement applies to messages in both directions.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<!-- WSE matches namespace URIs as literal strings; the http:// values below are
     the identifiers WSE 2.0 defines for these schemas. -->
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="http://www.cohowinery.com/SaleWidgets.asmx">
      <defaultOperation>
        <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <response policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <fault policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" >
      <!-- Require a signature over the Body and the four addressing headers,
           made with a Kerberos v5 service ticket for host/computer1@cohowinery.com. -->
      <wssp:Integrity wsp:Usage="wsp:Required"
        xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:TokenInfo>
          <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST</wssp:TokenType>
            <wssp:TokenIssuer>COHOWINERY</wssp:TokenIssuer>
            <wssp:Claims>
              <wssp:ServiceName>host/computer1@cohowinery.com</wssp:ServiceName>
            </wssp:Claims>
          </SecurityToken>
        </wssp:TokenInfo>
        <!-- Parts that must be signed when they are present. Pair this assertion
             with a <MessagePredicate> listing the same parts to require that they
             are present at all. -->
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wsp:Header(wsa:From)
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>

See Also

Reference

<Algorithm> Element for <Integrity>
<MessageParts> Element for <Integrity> Element
<TokenInfo> Element

Concepts

Policy File Schema

Other Resources

Configuring a Web Service's Policy