Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as Security Assertion Markup Language (SAML), Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

WS-Security describes three main mechanisms:

  • How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation when the signing key is bound to the sender's identity (for example through an X.509 certificate).
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens to ascertain the sender's identity.

The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:

  • X.509 certificates,
  • Kerberos tickets,
  • User ID/Password credentials,
  • SAML Assertions, and
  • custom-defined tokens.

The token formats and semantics are defined in the associated profile documents.

WS-Security incorporates security features in the header of a SOAP message (the wsse:Security header), working in the application layer rather than at the transport layer.

These mechanisms by themselves do not provide a complete security solution for Web services. Instead, the specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. WSS by itself gives no guarantee of security: when implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable (for example, that a verifier actually checks which elements a signature covers and that timestamps are fresh).

Key management, trust bootstrapping, federation and agreement on the technical details (ciphers, formats, algorithms) are outside the scope of WS-Security.


1 Configure WS-Security

WS-Security can be configured like an XMLDSig object: you can select the digestMethod, the signatureMethod and the canonicalizationMethod. The signed envelope shown later on this page uses the defaults SHA-256 digests (xmlenc#sha256), RSA-SHA256 signatures (xmldsig-more#rsa-sha256) and exclusive XML canonicalization (xml-exc-c14n#).

1.1 Select Digest method

TO DO

This section is incomplete and will be concluded as soon as possible.

1.2 Select Signature method

TO DO

This section is incomplete and will be concluded as soon as possible.

1.3 Select Canonicalization method

TO DO

This section is incomplete and will be concluded as soon as possible.

2 Signing a SOAP envelope

The following example takes a SOAP envelope, parses it into an org.w3c.dom.Document and signs it using WS-Security. The Body carries a wsu:Id so that the signature can reference it; the signer adds a wsu:Timestamp, a BinarySecurityToken holding the signing certificate, and a ds:Signature covering both the Body and the Timestamp.

<script>
    // Load a keystore (JKS file protected with the store password "secret")
    var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");

    // Load an XML document. The wsu:Id on the Body is the anchor the
    // signature's Reference URI="#Body" will point to.
    var src = `
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header>
    </env:Header>
    <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">
        <rpn:LookupRPNRequest xmlns:rpn="http://www.ros.ie/schemas/paye-employers/v1/rpn/">
            <rpn:EmployerRegistrationNumber>8001259UH</rpn:EmployerRegistrationNumber>
            <rpn:SoftwareUsed>
            <rpn:Name>SOAP UI</rpn:Name>
            <rpn:Version>1</rpn:Version>
            </rpn:SoftwareUsed>
            <rpn:TaxYear>2019</rpn:TaxYear>
        </rpn:LookupRPNRequest>
    </env:Body>
</env:Envelope>
`;

    // Namespace awareness is required: the signature references elements by
    // their namespaced wsu:Id attribute.
    var xml = new Ax.xml.DocumentBuilderFactory()
        .setNamespaceAware(true)
        .parse(src);

    var dsig = new Ax.crypt.WSSecurity(xml);

    // Timestamp validity in seconds (30 days): wsu:Expires = wsu:Created + this value
    dsig.setExpires(24 * 60 * 60 * 30);

    // Sign the document using the keystore private key with alias "jack" and key password "moon"
    var tmp = dsig.sign(ks, "jack", "moon");
    console.log(tmp);

</script>

Do not modify the signed XML: the ds:Signature covers the Body (URI="#Body") and the Timestamp (URI="#TS") through their digests, so any change to those elements after signing, even whitespace or attribute reordering that survives canonicalization, invalidates the signature.

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header>
    <wsse:Security xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509Token">MIIC9jCCAl+gAwIBAgIJAParOnPwEkKlMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21ibzEWMBQGA1UEChMNU29mdHdhcmUgVmlldzERMA8GA1UECxMIVHJhaW5pbmcxLDAqBgNVBAMTI1NvZnR3YXJlIFZpZXcgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDcxMDA2MzMxOFoXDTI0MDMxODA2MzMxOFowcjELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xFjAUBgNVBAoTDVNvZnR3YXJlIFZpZXcxETAPBgNVBAsTCFRyYWluaW5nMRQwEgYDVQQDEwtKYWNrIERhbmllbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqAIsXru2kWzNXidrgyapDb7GdmhUwNFx1rOimDyu2RrJN9sIv0Zi2B0Kp1xSQiBPWabXbtt3wB1LzS2P19tMC+MW7BTYz0mRg4n9vSoa+mTJ3Ea6/v4W97a701BSEOlTxysVltqgO+D3gD9uNVpjiCNjXP3FlXrw44aDnXwme3sCAwEAAaN7MHkwCQYDVR0TBAIwADAdBgNVHQ4EFgQUDp+pbeXQHmYiubDctF8b+C4g6V0wHwYDVR0jBBgwFoAU1rdiaEM7sE7BtSqZhTWT9Tqn9RQwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBACcLqPwC9cATSqe+Kes5r6kcgo8eN3QME+HVSQocFSaRVrZ8iOrl0NAXway2JOGdjIFCn2gU4NAkrDAzjJ1AlwrfCT/1FDL5hu4BTdY13ZpwBf5MU6LB6x2tc+Jbo4bQrskEEIfGpOcyuB/wBJtJQeONjLuY2ouX9pvaaHj2cpzS</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="TS">
<wsu:Created>2019-11-26T12:48:51.372Z</wsu:Created>
<wsu:Expires>2019-12-26T12:48:51.372Z</wsu:Expires>
</wsu:Timestamp>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#Body"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>j2VdBPtWZDg9uDJKcCKzBdjPCqmwUgPTiAnYJkhwOu4=</ds:DigestValue></ds:Reference><ds:Reference URI="#TS"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>+QD7Hf1SoHvlG4ze4kznsUcQ0SPNnYq5HUjVOHa4nh8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PP6tz29TCO2EiWHheD2tJTIJre8C+FswrA3haBiBASm52aLN/g77AaolJgjwuju5V9wBKvTwe5xB&#13;
PMPB9C7snTRf6XrHivvwPNLr2ylzV/JBhIBFO6zo7AcwWuxqIdUbathJcOBfFkPtXvAgQ9MpLY33&#13;
gOuhJSRF1AUAoVDKKFg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
</env:Header>
    <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">
        <LookupRPNRequest>
            <EmployerRegistrationNumber>8001259UH</EmployerRegistrationNumber>
        </LookupRPNRequest>
    </env:Body>
</env:Envelope>