Page 13 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
AJAX
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Smartphone Development
Style-Sheets
Web Services
XML
Zend
Zope

Mobile Linux
App Generation ROI
IBM® developerWorks

Forums Sitemap

E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD


>>> SIGN UP!
Lost Password?
Google.com

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 7
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

Safeguarding the Identity and Integrity of XML Messages - XPath Filtering Transform
( Page 13 of 21 )

The XPath Filtering Transform allows you take advantage of the powerful XPath language2. See Chapter 2 for more information on XPath.

In addition to the Algorithm attribute, the XPath Filtering Transform adds a child called XPath to the Transform element. This is the place you put the XPath expression that will pull out the piece you want from the XML nodeset that was returned by the Reference URI or the previous Transform. An example of this is shown in Listing 4.19.

Listing 4.19 The <Transform> Element Using Xpath Transform

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <XPath xmlns:dsig="&dsig;">
     not(ancestor-or-self::dsig:Signature)
   </XPath>
</Transform>

You commonly use the XPath Filtering Transform in XML Signatures when you want to sign just a fragment of an XML document. For example, it is not uncommon to want to create a Signature element that is a peer with the element you want to sign. Consider the following document shown in Listing 4.20:

Listing 4.20 An <Order> XML Structure Where <Signature> Needs to be a Peer With <UserAgreement>

<Order>
<CustomerInformation>
    <Name>David Remy</Name>
    <Address>123 Somewhere Street</Address>
    <City>West Linn</City>
    <State>OR</State>
    <Country>US</Country>
</CustomerInformation>
<LineItems>
    <LineItem Sku="1235">Lime green Umbrella</LineItem>
</LineItems>
<UserAgreement>
    I agree to be spammed, pay early and extra,
    and enjoy your popup adds.
</UserAgreement>
<Signature>-- Signature of UserAgreement here --</Signature>
</Order>

The requirement here is to create an XML Signature that is a peer (at the same level in the XML tree) of UserAgreement. You can accomplish this by using an XPath Filtering Transform like that used in Listing 4.21.

Listing 4.21 Use of Xpath Filtering to Create an XML Signature at the Peer Level

<Signature>
<SignedInfo>
    <Reference URI="">
     <Transforms>
      <Transform
       Algorithm="http://www.w3.org/TR/1999/REC-xpath-
      19991116">
       <XPath>
       ancestor-or-self:UserAgreement[parent:Order]
       </XPath>
      </Transform>
     </Transforms>
    ...
   </Reference>
</SignedInfo>
</Signature>

As you can see, the Reference element specifies the current document (URI=""), and the Transform element has XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) as its algorithm and a child XPath element. This element contains the XPath expression ancestor-or-self:UserAgreement[parent:Order], which is a simple way of asking for the UserAgreement element and all its siblings. This particular XPath expression is somewhat brittle because it assumes the UserAgreement element is always a child of Order. XPath would allow a more elaborate expression to pick up a UserAgreement at any level in the document.

The XPath Filtering Transform takes in and outputs an XML nodeset.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.

Next: Enveloped Signature Transform >>

	Discuss Safeguarding the Identity and Integrity of XML Messages

	I do not have time to register all over the web, but because I found this article...

	>>> Post your comment now!



	>>> More Security Articles >>> More By Sams Publishing

SECURITY ARTICLES

- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
Find More Security Articles