XPath Filtering Transform - Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

By: Sams Publishing

Poor Best

Rating:

/ 7

September 09, 2004

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

The XPath Filtering Transform allows you take advantage of the powerful XPath language2. See Chapter 2 for more information on XPath.

In addition to the Algorithm attribute, the XPath Filtering Transform adds a child called XPath to the Transform element. This is the place you put the XPath expression that will pull out the piece you want from the XML nodeset that was returned by the Reference URI or the previous Transform. An example of this is shown in Listing 4.19.

Listing 4.19 The <Transform> Element Using Xpath Transform

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <XPath xmlns:dsig="&dsig;">
     not(ancestor-or-self::dsig:Signature)
   </XPath>
</Transform>

You commonly use the XPath Filtering Transform in XML Signatures when you want to sign just a fragment of an XML document. For example, it is not uncommon to want to create a Signature element that is a peer with the element you want to sign. Consider the following document shown in Listing 4.20:

Listing 4.20 An <Order> XML Structure Where <Signature> Needs to be a Peer With <UserAgreement>

<Order>
<CustomerInformation>
    <Name>David Remy</Name>
    <Address>123 Somewhere Street</Address>
    <City>West Linn</City>
    <State>OR</State>
    <Country>US</Country>
</CustomerInformation>
<LineItems>
    <LineItem Sku="1235">Lime green Umbrella</LineItem>
</LineItems>
<UserAgreement>
    I agree to be spammed, pay early and extra,
    and enjoy your popup adds.
</UserAgreement>
<Signature>-- Signature of UserAgreement here --</Signature>
</Order>

The requirement here is to create an XML Signature that is a peer (at the same level in the XML tree) of UserAgreement. You can accomplish this by using an XPath Filtering Transform like that used in Listing 4.21.

Listing 4.21 Use of Xpath Filtering to Create an XML Signature at the Peer Level

<Signature>
<SignedInfo>
    <Reference URI="">
     <Transforms>
      <Transform
       Algorithm="http://www.w3.org/TR/1999/REC-xpath-
      19991116">
       <XPath>
       ancestor-or-self:UserAgreement[parent:Order]
       </XPath>
      </Transform>
     </Transforms>
    ...
   </Reference>
</SignedInfo>
</Signature>

As you can see, the Reference element specifies the current document (URI=""), and the Transform element has XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) as its algorithm and a child XPath element. This element contains the XPath expression ancestor-or-self:UserAgreement[parent:Order], which is a simple way of asking for the UserAgreement element and all its siblings. This particular XPath expression is somewhat brittle because it assumes the UserAgreement element is always a child of Order. XPath would allow a more elaborate expression to pick up a UserAgreement at any level in the document.

The XPath Filtering Transform takes in and outputs an XML nodeset.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.