HomeSecurity Page 17 - Safeguarding the Identity and Integrity of XML Messages
XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).
We have not talked much about the Object element, but when we described Enveloping Signatures, we were discussing a function that the Object element facilitates. In the case of an Enveloping Signature, the Reference URI points to an element within the Object element. We further describe this use of the Object element later in the chapter.
The Object element is essentially an element in which you put miscellaneous items other than SignedInfo, SignatureValue, and KeyInfo. It is defined in a way that you can put anything you want into it; however, typically one of three things is included within an Object element:
Something you want signed, such as an XML fragment or perhaps a Base-64 encoded binary object. This is to implement the Enveloping Signature concept mentioned previously.
A Manifest element (described later).
A SignatureProperties element (described later).
Tip - Remember that none of these items are inherently signed and therefore secured by the XML Signature. For these elements to be signed, they must be referred to by one of the Reference URIs in the SignedInfo section of the signature.
Listing 4.25 uses an Object element in the Enveloping Signature scenario.
Listing 4.25An <Object> Element Used in the Enveloping Signature Scenario
<Signature> <SignedInfo> ... <Reference URI="#MyOrder" Type="http://www.w3.org/2000/09/xmldsig#Object"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>...</DigestValue> </Reference> </SignedInfo> ... <Object id="MyOrder"> <Order> <LineItem sku="12348">Web Service Security Book</LineItem> <LineItem sku="2345">Life as a Geek Book</LineItem> <Order> </Object> </Signature>
Note - In this example, the Object start and end tags would be included in the digest calculation for the Reference. If you do not want the Object tags to be included in the digest calculation, either
The Reference URI should point to the element below the Object tag that is to be signed.
An XPath statement should exclude the Object tag.
First, notice that the Reference URI points to an ID (MyOrder) of an Object element. Also, notice that a Type parameter is included in the Reference to provide information about what the Reference is pointing to. We deferred mentioning this point when describing the Reference element.
The following three Type attributes are mentioned in the XML Signature specification; they all relate to items that can be contained within an Object element or the Object element itself:
Object (Type="http://www.w3.org/2000/09/xmldsig#Object")—The reference is to an Object element.
Manifest (Type="http://www.w3.org/2000/09/xmldsig#Manifest")—The reference is to a Manifest element (see the Manifest Element section next in this chapter for more information on the Manifest element).
SignatureProperties (Type="http://www.w3.org/2000/09/ xmldsig#SignatureProperties")—The reference is to a SignatureProperties element (see the Signature Properties section later in this chapter for more information on SignatureProperties).
The Object element, when used in an Enveloped Signature scenario like this, can also have attributes for MimeType and Encoding. For example, if the enveloped item is a GIF image, your Object tag might look like this:
<Object id="MyGif" MimeType="image/gif" Encoding="base64"> ... a string of base64 characters ... </Object>
You can have as many Object elements as you want. You typically create a single Object tag for each use. So, for example, if you have a signed Object and you have SignatureProperties (which is always within an Object), you have two Object elements.
Now let's discuss the two optional children of the Object tag: Manifest and SignatureProperties.
This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.