Home arrow Security arrow Page 13 - Safeguarding the Identity and Integrity of XML Messages

XPath Filtering Transform - Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 7
September 09, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

The XPath Filtering Transform allows you take advantage of the powerful XPath language2. See Chapter 2 for more information on XPath.

In addition to the Algorithm attribute, the XPath Filtering Transform adds a child called XPath to the Transform element. This is the place you put the XPath expression that will pull out the piece you want from the XML nodeset that was returned by the Reference URI or the previous Transform. An example of this is shown in Listing 4.19.

Listing 4.19 The <Transform> Element Using Xpath Transform

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <XPath xmlns:dsig="&dsig;">
     not(ancestor-or-self::dsig:Signature)
   </XPath>
</Transform>

You commonly use the XPath Filtering Transform in XML Signatures when you want to sign just a fragment of an XML document. For example, it is not uncommon to want to create a Signature element that is a peer with the element you want to sign. Consider the following document shown in Listing 4.20:

Listing 4.20 An <Order> XML Structure Where <Signature> Needs to be a Peer With <UserAgreement>

<Order>
  <CustomerInformation>
    <Name>David Remy</Name>
    <Address>123 Somewhere Street</Address>
    <City>West Linn</City>
    <State>OR</State>
    <Country>US</Country>
  </CustomerInformation>
  <LineItems>
    <LineItem Sku="1235">Lime green Umbrella</LineItem>
  </LineItems>
  <UserAgreement>
    I agree to be spammed, pay early and extra,
    and enjoy your popup adds.
  </UserAgreement>
  <Signature>-- Signature of UserAgreement here --</Signature>
</Order>

The requirement here is to create an XML Signature that is a peer (at the same level in the XML tree) of UserAgreement. You can accomplish this by using an XPath Filtering Transform like that used in Listing 4.21.

Listing 4.21 Use of Xpath Filtering to Create an XML Signature at the Peer Level

<Signature>
  <SignedInfo>
    <Reference URI="">
     <Transforms>
      <Transform
       Algorithm="
http://www.w3.org/TR/1999/REC-xpath-
      19991116">
       <XPath>
       ancestor-or-self:UserAgreement[parent:Order]
       </XPath>

      </Transform>
     </Transforms>
    ...
   </Reference>
  </SignedInfo>
</Signature>

As you can see, the Reference element specifies the current document (URI=""), and the Transform element has XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) as its algorithm and a child XPath element. This element contains the XPath expression ancestor-or-self:UserAgreement[parent:Order], which is a simple way of asking for the UserAgreement element and all its siblings. This particular XPath expression is somewhat brittle because it assumes the UserAgreement element is always a child of Order. XPath would allow a more elaborate expression to pick up a UserAgreement at any level in the document.

The XPath Filtering Transform takes in and outputs an XML nodeset.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.



 
 
>>> More Security Articles          >>> More By Sams Publishing
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: