
Focus on Security, by Mark O'Neill
WSJ Vol 02 Issue 03 - pg.27


Listing 1: SOAP message signed using SOAP-SEC

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <!-- mustUnderstand="1": a receiver that cannot process the signature header must fault -->
    <SOAP-SEC:Signature xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"
                        SOAP-ENV:mustUnderstand="1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <!-- the Reference points at the Body element carrying SOAP-SEC:id="WhatWeAreSigning" -->
          <ds:Reference URI="#WhatWeAreSigning">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>erjwlewEWRewrfmpaeaesA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>wfmSSasASFASqasf=...</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:KeyName>Marko</ds:KeyName>
        </ds:KeyInfo>
      </ds:Signature>
    </SOAP-SEC:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"
                 SOAP-SEC:id="WhatWeAreSigning">
    <StockOrder:buy xmlns:StockOrder="http://www.stockorder.com/Stock">
      <StockOrder:symbol>SGP</StockOrder:symbol>
      <StockOrder:quantity>2000</StockOrder:quantity>
      <StockOrder:market>New York</StockOrder:market>
    </StockOrder:buy>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Listing 2: SAML authentication assertion

<saml:Assertion
  MajorVersion="1" MinorVersion="0"
  AssertionID="312.5.32.2.6422421"
  Issuer="Vordel"
  IssueInstant="2002-01-05T13:32:00Z">
  <saml:Conditions
    NotBefore="2002-01-05T13:30:00Z"
    NotAfter="2001-12-03T13:28:00Z" />
  <saml:AuthenticationStatement
    AuthenticationMethod="password"
    AuthenticationInstant="2002-01-05T13:30:00Z">
    <saml:Subject>
      <saml:NameIdentifier
        SecurityDomain="vordel.com"
        Name="marko" />
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>

Listing 3: SAML attribute assertion

<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier
        SecurityDomain="vordel.com"
        Name="marko" />
    </saml:Subject>
    <saml:Attribute
      AttributeName="SubscriptionStatus"
      AttributeNamespace="http://vordel.com">
      <saml:AttributeValue>
        UpToDate
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Listing 4: SAML authorization decision assertion

<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AuthorizationStatement
    Decision="Permit"
    Resource="http://vordel.com/news/index.html">
    <saml:Subject>
      <saml:NameIdentifier
        SecurityDomain="vordel.com"
        Name="marko" />
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>
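Added example, not part of the article: a relying-party check of the Conditions window on a SAML authentication assertion shaped like Listing 2. It assumes the SAML 1.0 assertion namespace and a trusted-issuer list, neither of which the listing declares; run against Listing 2 as printed, it rejects the assertion because its NotAfter instant precedes its NotBefore instant.

```python
"""Validate the Conditions window of a SAML 1.x authentication assertion."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumed: SAML 1.x assertion namespace. The listings omit the xmlns
# declaration, so it is bound here to make the saml: prefix parseable.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Listing 2 reproduced as a constructed test input, with the namespace bound.
LISTING_2 = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
  MajorVersion="1" MinorVersion="0"
  AssertionID="312.5.32.2.6422421" Issuer="Vordel"
  IssueInstant="2002-01-05T13:32:00Z">
  <saml:Conditions NotBefore="2002-01-05T13:30:00Z" NotAfter="2001-12-03T13:28:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password"
    AuthenticationInstant="2002-01-05T13:30:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="vordel.com" Name="marko"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_utc(ts):
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' form used in the listings into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(seconds=60), trusted_issuers=("Vordel",)):
    """Return (accepted, reason). Rejects untrusted issuers, incomplete or empty
    validity windows, and assertions outside the window (allowing clock skew)."""
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element"
    # The listing names the attribute NotAfter; SAML 1.x as published uses
    # NotOnOrAfter. Accept either spelling, but treat the instant as exclusive.
    not_after_attr = cond.get("NotOnOrAfter", cond.get("NotAfter"))
    if cond.get("NotBefore") is None or not_after_attr is None:
        return False, "validity window incomplete"
    not_before, not_after = parse_utc(cond.get("NotBefore")), parse_utc(not_after_attr)
    if not_after <= not_before:
        return False, "empty validity window"  # Listing 2 as printed fails here
    if now < not_before - skew:
        return False, "assertion not yet valid"
    if now >= not_after + skew:
        return False, "assertion expired"
    return True, "ok"
```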