
The Security Challenge by Marc Chanliau
WSJ Vol 03 Issue 3 - pg.36

	


Listing 1: Simple XML Encryption

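<?xml version="1.0"?>
<!-- Only the card number is encrypted. Name and ExpireDate still travel in
     the clear, so any intermediary, log or store that sees this document
     sees them; encrypt the whole CreditCard element if they are sensitive. -->
<PaymentInfo xmlns="http://www.example.com/payment">
  <CreditCard>
    <Name>Marc Chanliau</Name>
    <CreditCardNumber>
      <!-- Type=...#Content: the EncryptedData replaces the *content* of
           CreditCardNumber, so the element name itself stays visible.
           A deployable instance usually also carries EncryptionMethod and
           KeyInfo so the receiver knows which algorithm and key to use;
           both are elided here. Prefer an authenticated mode (AES-GCM,
           XML Encryption 1.1) over the original CBC modes, which are
           exposed to chosen-ciphertext attacks when the receiver reveals
           decryption failures. -->
      <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
                     Type="http://www.w3.org/2001/04/xmlenc#Content">
        <CipherData>
          <!-- base64-encoded ciphertext; the value below is a placeholder -->
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </CreditCardNumber>
    <ExpireDate>06/03</ExpireDate>
  </CreditCard>
</PaymentInfo>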

Listing 2: Embedded XML Signature

POST /RatingService HTTP/1.1
Host: www.example.com
Content-Type: text/xml; charset="utf-8"
Content-Length: 2841    
SOAPAction: "getCreditRating"

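<?xml version="1.0" encoding="UTF-8"?>
<!-- The prefix declared here must be the one used on the elements (SOAP-ENV),
     otherwise the document is not namespace-well-formed. -->
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <!-- mustUnderstand is a SOAP envelope attribute: a receiver that does
         not implement the SOAP-SEC header must fault rather than silently
         process the message without checking the signature. -->
    <SOAP-SEC:Signature SOAP-ENV:mustUnderstand="1"
           xmlns:SOAP-SEC="http://...">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <!-- SignedInfo lists what the signature covers: here a single
               Reference to the element whose ID is "Body". Anything outside
               that element (other headers, the Envelope itself) is NOT
               protected by this signature. -->
          <CanonicalizationMethod Algorithm="http://www..."/>
          <!-- Algorithm URIs are elided in this listing. Choose a current
               pair (e.g. RSA with SHA-256) rather than the RSA-SHA1/SHA-1
               combination that was common when this article was written. -->
          <SignatureMethod Algorithm="http://www..."/>
          <!-- ID-based references are the basis of signature-wrapping
               attacks: the verifier must confirm that the element carrying
               ID="Body" is the SOAP-ENV:Body of this Envelope that the
               application will actually process, not just any element with
               that ID somewhere in the document. -->
          <Reference URI="#Body">
            <DigestMethod Algorithm="http://www..."/>
            <DigestValue>
              o+jtqlieRtF6DrUbX8O9M/CmySg=...
            </DigestValue>
          </Reference>
        </SignedInfo>
        <!-- Signature over the canonicalized SignedInfo, which in turn
             commits to the Body digest. Changing the Body changes the
             digest and verification fails. -->
        <SignatureValue>
          oa+ttbsvSFiEtRD2oNC5iRu2eIoqWpD6PVYIKqc...
        </SignatureValue>
        <!-- KeyInfo is supplied by the sender and is therefore untrusted.
             A signature that verifies under this key proves only that the
             message was signed by whoever holds the matching private key.
             To authenticate the user the receiver must additionally chain
             the X509Certificate to a trusted CA, check validity and
             revocation, map the certificate subject to a known principal,
             and make sure the RSAKeyValue matches the certificate's key
             (or ignore RSAKeyValue and verify with the certificate alone). -->
        <KeyInfo>
          <KeyValue>
            <!-- Public key matching the private key that produced the
                 signature -->
            <RSAKeyValue>
              <Modulus>
                5TT/oolzTiP++Ls6GLQUM8xoFFrAlZQ...
              </Modulus>
              <Exponent>EQ==</Exponent>
            </RSAKeyValue>
          </KeyValue>
          <!-- Certificate carrying the same public key -->
          <X509Data>
            <X509Certificate>
              MIIBwDCCAXqgAwIBAgI...
            </X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </SOAP-SEC:Signature>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body ID="Body">
    <!-- Any business payload, such as a purchase order. This is the part
         signed in this example. -->
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>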

Listing 3: Simple SAML Authentication Assertion

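<!-- This assertion carries no ds:Signature, so it is only as trustworthy as
     the channel it arrived on. In practice the Issuer signs it, or it is
     received over a mutually authenticated connection from a known issuer;
     either way the relying party must check Issuer against a configured
     list, not merely accept whatever name appears here. -->
<saml:Assertion
    AssertionID="10.255.1.3.1034108172377"
    IssueInstant="2002-10-08T20:16:12.377Z"
    Issuer="TransactionMinderSAMLIssuer"
    MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <!-- Validity window (two hours here). The relying party must reject the
       assertion outside [NotBefore, NotOnOrAfter), allowing only a small
       clock skew, and should remember seen AssertionIDs within that window
       to detect replay. -->
  <saml:Conditions
      NotBefore="2002-10-08T20:16:12.307Z"
      NotOnOrAfter="2002-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2002-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML...">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0..."
            NameQualifier="Domain Name">
        Marc Chanliau
      </saml:NameIdentifier>
      <!-- ConfirmationMethod states how the presenter proves it is the
           Subject (for example holder-of-key versus bearer). With a bearer
           method, possession of the assertion alone suffices, so it must be
           kept confidential and short-lived. SubjectConfirmationData is a
           placeholder value here. -->
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www...</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          R1VD8fkkvlrhp
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>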

Listing 4: SAML Assertion in WS-Security

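<!-- Every prefix used below must be declared; the namespace URIs for
     wsse are elided in this listing. -->
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:wsse="http://..."
                   xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <SOAP-ENV:Header>
    <!-- The SAML assertion is carried as a security token in the
         wsse:Security header. By itself it only tells the receiver who the
         issuer says the subject is; to bind that identity to THIS message
         the sender should also include a ds:Signature over the Body that
         references the assertion as its key (holder-of-key). Otherwise a
         captured assertion can be reused with a different Body until it
         expires. -->
    <wsse:Security>
      <saml:Assertion>...</saml:Assertion>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>...</SOAP-ENV:Body>
</SOAP-ENV:Envelope>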

Listing 5: Referencing SAML information in WS-Security

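<wsse:SecurityTokenReference xmlns:wsse="http://..."
                             xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <!-- Refers to an assertion held elsewhere instead of embedding it.
       The end tag must carry the same saml: prefix as the start tag. -->
  <saml:AssertionIDReference>
    XVB12#$21abc...
  </saml:AssertionIDReference>
  <!-- The receiver dereferences this URI to obtain the assertion, so the
       URI is sender-controlled input: restrict it to configured issuer
       endpoints (never follow an arbitrary URI from the message), fetch
       over authenticated TLS, and verify the returned assertion
       (signature, Issuer, Conditions, and that its AssertionID matches
       the reference above) before trusting it. -->
  <wsse:Reference URI="http://www.example.com/SAMLservice"/>
</wsse:SecurityTokenReference>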