<Integrity> Element
Specifies the digital signature requirements for a SOAP message.
<Integrity wsp:Usage="wsp:Required">
  <TokenInfo>
    <SecurityToken>...</SecurityToken>
  </TokenInfo>
  <MessageParts Dialect="..." Signer="...">
  </MessageParts>
  <Algorithm Type="wsse:AlgCanonicalization"
             URI="..." wsp:Preference="..."/>
</Integrity>
Attributes and Elements
Attributes
Attribute | Description |
---|---|
wsp:Usage | Specifies how to process the digital signature requirement. Setting wsp:Usage to wsp:Required specifies that the SOAP message must be signed as specified by the assertion. |
Child Elements
Element | Description |
---|---|
<Algorithm> Element for <Integrity> | Optional element. Specifies the algorithm to use to compute the digital signature. WSE supports wsse:AlgCanonicalization, wsse:AlgSignature, wsse:AlgDigest, and wsse:AlgTransform. |
<MessageParts> Element for <Integrity> Element | Required element. Specifies the portions of the SOAP message that must be signed. |
<TokenInfo> Element | Optional element. Specifies the type of security token that must be used to sign the SOAP message. |
Parent Elements
Element | Description |
---|---|
<Policy> Element | Specifies a SOAP message requirement. |
Remarks
The <Integrity> element must contain a <TokenInfo> element whose security token type is one that WSE supports.
WSE supports the following values for the <MessageParts> element when it is used with the <Integrity> element: wsp:Body(), wsp:Header(anAddressingSoapHeader), wse:UsernameToken(), wse:Addressing(), and wse:Timestamp(). The anAddressingSoapHeader placeholder is any custom header one level below <soap:Header>, or one of the following SOAP headers as described in the WS-Addressing specification: <Action>, <FaultTo>, <From>, <MessageID>, <Recipient>, <RelatesTo>, <ReplyTo>, and <To>.
When you use policy to require a digital signature on incoming SOAP messages, always pair the <Integrity> element with a <MessagePredicate> element. The <MessagePredicate> element ensures that the XML elements that must be signed actually exist in the SOAP message. An <Integrity> element on its own only requires a digital signature over the specified XML elements if those elements are present in the SOAP message. A SOAP message that omits them is therefore subject to no signature requirement, satisfies the policy, and is allowed to access the Web service. To close this gap, add a <MessagePredicate> element that lists the XML elements that must exist in every incoming SOAP message.
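The check described above, written as a stand-alone lint over a WSE policy file (an added example; this is not WSE code or Microsoft's): it parses the policyDocument and reports, per <Policy>, the parts that an <Integrity> assertion wants signed but that no <MessagePredicate> in the same policy requires to be present. The embedded sample is constructed, and the <MessagePredicate> element is assumed to sit in the wsp namespace and to take the same Dialect and part list as <MessageParts>.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as they appear in the policy file on this page.
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PART_DIALECT = "https://schemas.xmlsoap.org/2002/12/wsse#part"

def _parts(elem):
    """Split a part list such as 'wsp:Body() wsp:Header(wsa:To)' into a set."""
    return set((elem.text or "").split())

def unguarded_integrity_parts(policy_xml):
    """Map each <Policy> Id to the parts its <Integrity> wants signed but no
    <MessagePredicate> in the same <Policy> requires to be present; a message
    that omits such a part passes the Integrity assertion unsigned."""
    findings = {}
    for policy in ET.fromstring(policy_xml).iter(f"{{{WSP}}}Policy"):
        pid = policy.get(f"{{{WSU}}}Id", "?")
        required = set()  # parts some MessagePredicate demands must exist
        for pred in policy.findall(f"{{{WSP}}}MessagePredicate"):
            required |= _parts(pred)
        for mp in policy.iterfind(f"{{{WSSP}}}Integrity/{{{WSSP}}}MessageParts"):
            gap = _parts(mp) - required
            if gap:
                findings.setdefault(pid, set()).update(gap)
    return {pid: sorted(gap) for pid, gap in findings.items()}

# Constructed sample: "weak" is an Integrity-only policy like the one on this
# page; "hardened" adds the <MessagePredicate> the Remarks section calls for.
# The MessagePredicate shape (wsp namespace, same Dialect and part syntax) is
# an assumption, not something this page shows.
PARTS = "wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action)"
INTEGRITY = f"""<wssp:Integrity wsp:Usage="wsp:Required">
      <wssp:MessageParts Dialect="{PART_DIALECT}">{PARTS}</wssp:MessageParts>
    </wssp:Integrity>"""
SAMPLE = f"""<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <policies xmlns:wsu="{WSU}" xmlns:wsp="{WSP}" xmlns:wssp="{WSSP}"
            xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="weak">{INTEGRITY}</wsp:Policy>
    <wsp:Policy wsu:Id="hardened">
      <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="{PART_DIALECT}">
        {PARTS}
      </wsp:MessagePredicate>
      {INTEGRITY}
    </wsp:Policy>
  </policies>
</policyDocument>"""
```

Running `unguarded_integrity_parts(SAMPLE)` flags every part of the "weak" policy and nothing in "hardened", which is the difference the paragraph above describes.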
The following table lists the possible values for the wsp:Usage attribute, as defined by the WS-Policy specification. WSE only supports the wsp:Required value for the wsp:Usage attribute. That is, only "required" assertions will get their policy enforcers invoked during enforcement.
Value | Description |
---|---|
wsp:Required | Indicates that SOAP messages must contain a digital signature as specified in the assertion. |
wsp:Rejected | Indicates that SOAP messages that are digitally signed as specified in the assertion are explicitly not supported. |
wsp:Optional | Indicates that SOAP messages can be optionally digitally signed as specified in the assertion. |
wsp:Observed | Indicates that SOAP messages must be digitally signed as specified in the assertion. |
wsp:Ignored | Indicates that SOAP messages are not processed to determine if they meet this digital signature requirement. |
Example
The following code example is a policy file specifying that all SOAP messages sent to the http://www.cohowinery.com/SaleWidgets.asmx endpoint must have the <Body> element and the To, Action, MessageID, and From headers signed by a Kerberos service ticket issued from the COHOWINERY realm for communication between the current user and the computer named computer1@cohowinery.com.
Note
This code example is designed to demonstrate WSE features and is not intended for production use.
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="http://www.cohowinery.com/SaleWidgets.asmx">
      <defaultOperation>
        <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <response policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <fault policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
                xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
                xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing">
      <wssp:Integrity wsp:Usage="wsp:Required"
                      xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:TokenInfo>
          <SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType>https://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST</wssp:TokenType>
            <wssp:TokenIssuer>COHOWINERY</wssp:TokenIssuer>
            <wssp:Claims>
              <wssp:ServiceName>host/computer1@cohowinery.com</wssp:ServiceName>
            </wssp:Claims>
          </SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wsp:Header(wsa:From)
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
See Also
Reference
<Algorithm> Element for <Integrity>
<MessageParts> Element for <Integrity> Element
<TokenInfo> Element