Page 13 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Download TestComplete
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Route your faxes to your email inbox. Private, secure fax numbers available from CallWave. Choose your fax number.

Safeguarding the Identity and Integrity of XML Messages - XPath Filtering Transform
(Page 13 of 21 )

The XPath Filtering Transform allows you take advantage of the powerful XPath language2. See Chapter 2 for more information on XPath.

In addition to the Algorithm attribute, the XPath Filtering Transform adds a child called XPath to the Transform element. This is the place you put the XPath expression that will pull out the piece you want from the XML nodeset that was returned by the Reference URI or the previous Transform. An example of this is shown in Listing 4.19.

Listing 4.19 The <Transform> Element Using Xpath Transform

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
    <XPath xmlns:dsig="&dsig;">
     not(ancestor-or-self::dsig:Signature)
   </XPath>
</Transform>

You commonly use the XPath Filtering Transform in XML Signatures when you want to sign just a fragment of an XML document. For example, it is not uncommon to want to create a Signature element that is a peer with the element you want to sign. Consider the following document shown in Listing 4.20:

Listing 4.20 An <Order> XML Structure Where <Signature> Needs to be a Peer With <UserAgreement>

<Order>
<CustomerInformation>
    <Name>David Remy</Name>
    <Address>123 Somewhere Street</Address>
    <City>West Linn</City>
    <State>OR</State>
    <Country>US</Country>
</CustomerInformation>
<LineItems>
    <LineItem Sku="1235">Lime green Umbrella</LineItem>
</LineItems>
<UserAgreement>
    I agree to be spammed, pay early and extra,
    and enjoy your popup adds.
</UserAgreement>
<Signature>-- Signature of UserAgreement here --</Signature>
</Order>

The requirement here is to create an XML Signature that is a peer (at the same level in the XML tree) of UserAgreement. You can accomplish this by using an XPath Filtering Transform like that used in Listing 4.21.

Listing 4.21 Use of Xpath Filtering to Create an XML Signature at the Peer Level

<Signature>
<SignedInfo>
    <Reference URI="">
     <Transforms>
      <Transform
       Algorithm="http://www.w3.org/TR/1999/REC-xpath-
      19991116">
       <XPath>
       ancestor-or-self:UserAgreement[parent:Order]
       </XPath>
      </Transform>
     </Transforms>
    ...
   </Reference>
</SignedInfo>
</Signature>

As you can see, the Reference element specifies the current document (URI=""), and the Transform element has XPath (http://www.w3.org/TR/1999/REC-xpath-19991116) as its algorithm and a child XPath element. This element contains the XPath expression ancestor-or-self:UserAgreement[parent:Order], which is a simple way of asking for the UserAgreement element and all its siblings. This particular XPath expression is somewhat brittle because it assumes the UserAgreement element is always a child of Order. XPath would allow a more elaborate expression to pick up a UserAgreement at any level in the document.

The XPath Filtering Transform takes in and outputs an XML nodeset.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
Buy this book now.

Next: Enveloped Signature Transform >>

More Security Articles
More By Sams Publishing

Comments On: Safeguarding the Identity and Integrity of XML Messages

>>> Be the FIRST to comment on this article!

SECURITY ARTICLES

- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
- Trust, Access Control, and Rights for Web Se...
- Basic Concepts of Web Services Security
- Safeguarding the Identity and Integrity of X...
Find More Security Articles

Accelerating Trading Partner Performance

Competing on Analytics

Cost Effective Scaling with Virtualization and Coyote Point Systems

Five Checkpoints to Implementing IP Telephony

Hosted Email Security: Staying Ahead of New Threats