1. 未使用WSE时的SOAP消息。
<
soap:Envelope
...
>
< soap:Body >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
< soap:Body >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
2. 启用WSE,使用UsernameToken,但不启用WS-Security 1.1 Extensions(UsernameOverTransportAssertion)。
SOAP消息如下:
<
soap:Envelope
...
>
< soap:Header >
< wsa:Action > http://tempuri.org/HelloWorld </ wsa:Action >
< wsa:MessageID > urn:uuid:b637fb86-8712-4845-a71c-8f91320168ac </ wsa:MessageID >
< wsa:ReplyTo >
< wsa:Address > http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous </ wsa:Address >
</ wsa:ReplyTo >
< wsa:To > http://.../WSEServer/MyService.asmx </ wsa:To >
< wsse:Security soap:mustUnderstand ="1" >
< wsu:Timestamp wsu:Id ="Timestamp-72b13f43-5c2e-46ea-81cb-dbc0f99b3605" >
< wsu:Created > 2007-03-15T04:47:47Z </ wsu:Created >
< wsu:Expires > 2007-03-15T04:52:47Z </ wsu:Expires >
</ wsu:Timestamp >
< wsse:UsernameToken xmlns:wsu ="......" wsu:Id ="SecurityToken-a2526d47-d01b-476c-a15b-b7f84e55181d" >
< wsse:Username > Administrator </ wsse:Username >
< wsse:Password Type ="......" > 5W0xOMVVDnlCRwclYMszo9ZEwOs= </ wsse:Password >
< wsse:Nonce > ttsA3uaB4KqBa2Vrcd7X8A== </ wsse:Nonce >
< wsu:Created > 2007-03-15T04:47:47Z </ wsu:Created >
</ wsse:UsernameToken >
</ wsse:Security >
</ soap:Header >
< soap:Body >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
wsa:的节点是WS-Addressing内容,wsse:Security节点里面就是WSE安全性扩展的内容了,包括了UsernameToken认证信息,密码经过了加密处理。WS-Addressing可参考:
WS-Addressing 从理论到实践。
< soap:Header >
< wsa:Action > http://tempuri.org/HelloWorld </ wsa:Action >
< wsa:MessageID > urn:uuid:b637fb86-8712-4845-a71c-8f91320168ac </ wsa:MessageID >
< wsa:ReplyTo >
< wsa:Address > http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous </ wsa:Address >
</ wsa:ReplyTo >
< wsa:To > http://.../WSEServer/MyService.asmx </ wsa:To >
< wsse:Security soap:mustUnderstand ="1" >
< wsu:Timestamp wsu:Id ="Timestamp-72b13f43-5c2e-46ea-81cb-dbc0f99b3605" >
< wsu:Created > 2007-03-15T04:47:47Z </ wsu:Created >
< wsu:Expires > 2007-03-15T04:52:47Z </ wsu:Expires >
</ wsu:Timestamp >
< wsse:UsernameToken xmlns:wsu ="......" wsu:Id ="SecurityToken-a2526d47-d01b-476c-a15b-b7f84e55181d" >
< wsse:Username > Administrator </ wsse:Username >
< wsse:Password Type ="......" > 5W0xOMVVDnlCRwclYMszo9ZEwOs= </ wsse:Password >
< wsse:Nonce > ttsA3uaB4KqBa2Vrcd7X8A== </ wsse:Nonce >
< wsu:Created > 2007-03-15T04:47:47Z </ wsu:Created >
</ wsse:UsernameToken >
</ wsse:Security >
</ soap:Header >
< soap:Body >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
3. 在WS-Security 1.1扩展中选择Sign-Only选项(UsernameForCertificateAssertion)。
![](https://www.cnblogs.com/Images/OutliningIndicators/ContractedBlock.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/ExpandedBlockStart.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
<
soap:Envelope
...
>
< soap:Header >
< wsa:Action wsu:Id ="Id-7b15dc35-0eb2-4df7-890c-79b3e3b70917" > http://tempuri.org/HelloWorld </ wsa:Action >
< wsa:MessageID wsu:Id ="Id-3867fb2e-3f70-4ab8-9c71-1051104fc7e5" > urn:uuid:... </ wsa:MessageID >
< wsa:ReplyTo wsu:Id ="Id-b7e40812-850d-4de6-b2a1-511a8661c526" > ... </ wsa:ReplyTo >
< wsa:To wsu:Id ="Id-6528e50b-b801-487d-bce8-8d016064490e" > http://.../WSEServer/MyService.asmx </ wsa:To >
< wsse:Security soap:mustUnderstand ="1" >
< wsu:Timestamp wsu:Id ="Timestamp-a74f13f4-f22a-4891-9f6c-305453df2170" > ... </ wsu:Timestamp >
< xenc:EncryptedKey Id ="SecurityToken-6154d45b-e47f-4ee2-bc30-c70c655ecca0" xmlns:xenc ="..." >
< xenc:EncryptionMethod Algorithm ="..." >
< ds:DigestMethod ... />
</ xenc:EncryptionMethod >
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:KeyIdentifier ValueType ="..." EncodingType ="..." > RRQNS/KyeQtEHDwaaEgaymxsxpo= </ wsse:KeyIdentifier >
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedKey >
<!-- 派生密匙1 -->
< wssc:DerivedKeyToken wsu:Id ="SecurityToken-1bcf5e7d-34ad-429d-93f5-d2818446418e" ... >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-6154d45b-e47f-4ee2-bc30-c70c655ecca0" ... />
</ wsse:SecurityTokenReference >
< wssc:Generation > 0 </ wssc:Generation >
< wssc:Length > 32 </ wssc:Length >
< wssc:Label > WS-SecureConversationWS-SecureConversation </ wssc:Label >
< wssc:Nonce > SetU9IzX1rRSG0jTjtBZMw== </ wssc:Nonce >
</ wssc:DerivedKeyToken >
< xenc:ReferenceList xmlns:xenc ="..." > ... </ xenc:ReferenceList >
< xenc:EncryptedData Id ="Enc-b1232155-f376-4ff7-9521-6f66e8a2acc7" type= "http://www.w3.org/2001/04/xmlenc#Element" ...>
< xenc:EncryptionMethod Algorithm ="..." />
<!-- 使用派生密匙1加密 -->
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-1bcf5e7d-34ad-429d-93f5-d2818446418e" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedData >
<!-- 派生密匙2 -->
< wssc:DerivedKeyToken wsu:Id ="SecurityToken-7b9ff86e-8d7d-430a-ac0b-1a330d036d1c" ... > ... </ wssc:DerivedKeyToken >
< Signature xmlns ="..." >
< SignedInfo >
< ds:CanonicalizationMethod ... />
< SignatureMethod Algorithm ="..." />
< Reference URI ="#SecurityToken-b25e7443-682b-479b-be6f-dd61c9f38e82" > ... </ Reference >
< Reference URI ="#Id-7b15dc35-0eb2-4df7-890c-79b3e3b70917" > ... </ Reference >
< Reference URI ="#Id-3867fb2e-3f70-4ab8-9c71-1051104fc7e5" > ... </ Reference >
< Reference URI ="#Id-b7e40812-850d-4de6-b2a1-511a8661c526" > ... </ Reference >
< Reference URI ="#Id-6528e50b-b801-487d-bce8-8d016064490e" > ... </ Reference >
< Reference URI ="#Timestamp-a74f13f4-f22a-4891-9f6c-305453df2170" > ... </ Reference >
< Reference URI ="#Id-657b476d-f5a5-4d60-9476-9ae7087caad6" > ... </ Reference >
</ SignedInfo >
< SignatureValue > xL7BlslQN8GrE3E9IPaSzoMcu5Y= </ SignatureValue >
< KeyInfo >
<!-- 使用派生密匙2签名 -->
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-7b9ff86e-8d7d-430a-ac0b-1a330d036d1c" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
</ Signature >
</ wsse:Security >
</ soap:Header >
< soap:Body wsu:Id ="Id-657b476d-f5a5-4d60-9476-9ae7087caad6" >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
大致看一下这段SOAP消息的含义:
< soap:Header >
< wsa:Action wsu:Id ="Id-7b15dc35-0eb2-4df7-890c-79b3e3b70917" > http://tempuri.org/HelloWorld </ wsa:Action >
< wsa:MessageID wsu:Id ="Id-3867fb2e-3f70-4ab8-9c71-1051104fc7e5" > urn:uuid:... </ wsa:MessageID >
< wsa:ReplyTo wsu:Id ="Id-b7e40812-850d-4de6-b2a1-511a8661c526" > ... </ wsa:ReplyTo >
< wsa:To wsu:Id ="Id-6528e50b-b801-487d-bce8-8d016064490e" > http://.../WSEServer/MyService.asmx </ wsa:To >
< wsse:Security soap:mustUnderstand ="1" >
< wsu:Timestamp wsu:Id ="Timestamp-a74f13f4-f22a-4891-9f6c-305453df2170" > ... </ wsu:Timestamp >
< xenc:EncryptedKey Id ="SecurityToken-6154d45b-e47f-4ee2-bc30-c70c655ecca0" xmlns:xenc ="..." >
< xenc:EncryptionMethod Algorithm ="..." >
< ds:DigestMethod ... />
</ xenc:EncryptionMethod >
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:KeyIdentifier ValueType ="..." EncodingType ="..." > RRQNS/KyeQtEHDwaaEgaymxsxpo= </ wsse:KeyIdentifier >
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedKey >
<!-- 派生密匙1 -->
< wssc:DerivedKeyToken wsu:Id ="SecurityToken-1bcf5e7d-34ad-429d-93f5-d2818446418e" ... >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-6154d45b-e47f-4ee2-bc30-c70c655ecca0" ... />
</ wsse:SecurityTokenReference >
< wssc:Generation > 0 </ wssc:Generation >
< wssc:Length > 32 </ wssc:Length >
< wssc:Label > WS-SecureConversationWS-SecureConversation </ wssc:Label >
< wssc:Nonce > SetU9IzX1rRSG0jTjtBZMw== </ wssc:Nonce >
</ wssc:DerivedKeyToken >
< xenc:ReferenceList xmlns:xenc ="..." > ... </ xenc:ReferenceList >
< xenc:EncryptedData Id ="Enc-b1232155-f376-4ff7-9521-6f66e8a2acc7" type= "http://www.w3.org/2001/04/xmlenc#Element" ...>
< xenc:EncryptionMethod Algorithm ="..." />
<!-- 使用派生密匙1加密 -->
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-1bcf5e7d-34ad-429d-93f5-d2818446418e" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedData >
<!-- 派生密匙2 -->
< wssc:DerivedKeyToken wsu:Id ="SecurityToken-7b9ff86e-8d7d-430a-ac0b-1a330d036d1c" ... > ... </ wssc:DerivedKeyToken >
< Signature xmlns ="..." >
< SignedInfo >
< ds:CanonicalizationMethod ... />
< SignatureMethod Algorithm ="..." />
< Reference URI ="#SecurityToken-b25e7443-682b-479b-be6f-dd61c9f38e82" > ... </ Reference >
< Reference URI ="#Id-7b15dc35-0eb2-4df7-890c-79b3e3b70917" > ... </ Reference >
< Reference URI ="#Id-3867fb2e-3f70-4ab8-9c71-1051104fc7e5" > ... </ Reference >
< Reference URI ="#Id-b7e40812-850d-4de6-b2a1-511a8661c526" > ... </ Reference >
< Reference URI ="#Id-6528e50b-b801-487d-bce8-8d016064490e" > ... </ Reference >
< Reference URI ="#Timestamp-a74f13f4-f22a-4891-9f6c-305453df2170" > ... </ Reference >
< Reference URI ="#Id-657b476d-f5a5-4d60-9476-9ae7087caad6" > ... </ Reference >
</ SignedInfo >
< SignatureValue > xL7BlslQN8GrE3E9IPaSzoMcu5Y= </ SignatureValue >
< KeyInfo >
<!-- 使用派生密匙2签名 -->
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-7b9ff86e-8d7d-430a-ac0b-1a330d036d1c" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
</ Signature >
</ wsse:Security >
</ soap:Header >
< soap:Body wsu:Id ="Id-657b476d-f5a5-4d60-9476-9ae7087caad6" >
< HelloWorld xmlns ="http://tempuri.org/" />
</ soap:Body >
</ soap:Envelope >
a) xenc:EncryptedKey元素中是经过加密处理后UsernameToken中的用户密码,使用服务器端X.509证书的公匙加密。
b) 接下来可以看到有两个wssc:DerivedKeyToken元素,这是生成的两个派生密匙,关于派生密匙可以参考 Web服务安全对话语言 。
wssc:DerivedKeyToken/wsse:SecurityTokenReference/wsse:Reference元素的URI属性值是xenc:EncryptedKey的id,表明它对xenc:EncryptedKey元素的引用,从这个引用可以知道是从哪个密匙派生而来。通过URI属性引用其它资源,如果以符号#开始,表明是引用当前xml文档中id、wsu:id值相对应的元素。
c) xenc:EncryptedData元素。从xenc:EncryptedData元素的type属性可以看出它是对原SOAP消息中的一个xml元素进行了加密,是哪一个元素呢,就是类似步骤2中的那个wsse:UsernameToken元素,它包含用户名等安全认证信息。通过xenc:EncryptedData/KeyInfo里面的引用信息可以知道,这个元素是使用派生密匙1加密的。
d) Signature元素。可以参考: XML Signature。
从Signature/KeyInfo中的引用信息可以知道,使用了派生密码2进行签名。通过Signature/SignedInfo中的Reference列表可以知道,SOAP消息中的哪些元素被用来签名了。在前面完整的SOAP消息中你可能会发现,第一个Reference元素URI属性所指向的id在文档中不存在。在c)中提到xenc:EncryptedData元素对原SOAP文档的一个元素进行了加密,这个元素的id应当就是被第一个Reference引用的。
4. 在WS-Security 1.1扩展中选择Sign and Encrypt选项(UsernameForCertificateAssertion)。
在这个配置中,soap:Header和步骤3 Sign-Only配置时基本一样,区别是,步骤3的配置中soap:Body没有被加密,而选择Sign and Encrypt选项后soap:Body也是被加密的。如果基于步骤3的SOAP消息来看,soap:Body使用的派生密匙1进行加密。
soap:Body的xml如下:
<
soap:Body
wsu:Id
="Id-d964042a-68fe-4c48-a0e1-480863f0d4c5"
>
< xenc:EncryptedData Id ="Enc-146fe92b-0887-440a-a52d-58dce539f25e" ... >
< xenc:EncryptionMethod Algorithm ="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-9682679a-876c-4096-992b-068dd5752d91" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedData >
</ soap:Body >
< xenc:EncryptedData Id ="Enc-146fe92b-0887-440a-a52d-58dce539f25e" ... >
< xenc:EncryptionMethod Algorithm ="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
< KeyInfo xmlns ="..." >
< wsse:SecurityTokenReference >
< wsse:Reference URI ="#SecurityToken-9682679a-876c-4096-992b-068dd5752d91" ValueType ="..." />
</ wsse:SecurityTokenReference >
</ KeyInfo >
< xenc:CipherData >
< xenc:CipherValue > ... </ xenc:CipherValue >
</ xenc:CipherData >
</ xenc:EncryptedData >
</ soap:Body >