Page 15 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Download TestComplete
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Route your faxes to your email inbox. Private, secure fax numbers available from CallWave. Choose your fax number.

Safeguarding the Identity and Integrity of XML Messages - XPath Filter 2.0 Transform
(Page 15 of 21 )

The XPath Filter 1.0 Transform described in the preceding section allows for any type of XPath expression to be used. The underlying usage for XPath Filter 1.0 is often either to explicitly include some fragment of a document to be signed or to explicitly exclude some part of the document that could legitimately change without breaking the signature of the document. For example, say you want to have two signatures that are not co-signatures (one signature does not include the other). To do this, you would use an XPath statement to exclude the other signatures (and the Enveloped Signature Transform to exclude the current signature). These are "set" type functions that often require fairly complex XPath statements to accomplish. The XPath Filter 2.0 Transform adds the capability to shortcut these common types of XPath statements by specifying intersection, union, and subtraction. For example, to remove another signature, you would use the following XPath 2.0 filter:

<XPath Filter="subtract" xmlns="http://www.w3.org/2002/06/xmldsig-filter2"> id("TheOtherSignature")
</XPath>

On the other hand, if the goal is to sign the other signature, such as when a counter-signature is desired, you might use the following:

<XPath Filter="intersect" xmlns="http://www.w3.org/2002/06/xmldsig-filter2"> id("TheOtherSignature")
</XPath>

Using these intersect, subtract, and union set operations can be cleaner than using the equivalent XPath statements, and it is also possible for the Signature processor to work more efficiently. You can find an excellent example of the XPath Filter 2.0 Transform using the three set operators at the following location:

http://www.w3.org/TR/xmldsig-filter2/#sec-Examples

The Reference URI when using the XPath Filter 2.0 Transform must be an XML document. Often, it is the current document URI (URI="" without comments or URI="#xpointer[/]" with comments). This Transform takes in and returns an XML nodeset.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
Buy this book now.

Next: The DigestMethod Element >>

More Security Articles
More By Sams Publishing

Comments On: Safeguarding the Identity and Integrity of XML Messages

>>> Be the FIRST to comment on this article!

SECURITY ARTICLES

- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
- Trust, Access Control, and Rights for Web Se...
- Basic Concepts of Web Services Security
- Safeguarding the Identity and Integrity of X...
Find More Security Articles

Accelerating Trading Partner Performance

Competing on Analytics

Cost Effective Scaling with Virtualization and Coyote Point Systems

Five Checkpoints to Implementing IP Telephony

Hosted Email Security: Staying Ahead of New Threats