GXA Components: Security Example


This morning I wrote about the GXA security specifications. I took some time this evening to read through the specification and thought an example might be helpful. This example is quoted from the specification:

<?xml version="1.0" encoding="utf-8"?>
<S:Envelope
    xmlns:S="http://www.w3.org/2001/12/soap-envelope"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/xx/utility">
  <!-- The wsu declaration is absent from the quoted excerpt even though the
       prefix is used on wsu:Id and wsu:Created; it is added here so the
       document is well-formed. The URI is an assumption, following the
       pattern of the wsse URI below. -->
  <S:Header>
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/xx/secext">
      <wsse:UsernameToken wsu:Id="MyID">
        <wsse:Username>Zoe</wsse:Username>
        <wsse:Nonce>FKJh...</wsse:Nonce>
        <wsu:Created>2001-10-13T09:00:00Z</wsu:Created>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#MsgBody">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MyID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">QQQ</tru:StockSymbol>
  </S:Body>
</S:Envelope>

There are a few things to remember as you look at the specification:

  1. The SOAP envelope has been extended to accommodate the security portions.
  2. The security standard makes use of the XML Signature specification (the ds namespace).
  3. The signature has to reference other elements of the message (e.g. to say which part the signature applies to) and uses the Id attribute in the wsu namespace (wsu:Id) to do this.

Deconstructing this example is fairly straightforward. The SOAP envelope header contains a single element, <wsse:Security>, which holds the UsernameToken and the digital signature information. The signature contains information about how the signature was computed, the reference to the message body (to indicate what portion the signature applies to), and the signature value itself. Notice that the specification doesn't fix the canonicalization, signature, or digest algorithm; each is named by URI so that both ends know what to do. If a better algorithm comes along next year, it can be used without any fuss. The final portion is the actual body of the message which, in this case, contains a stock symbol.
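To make the wiring concrete, here is a small Python sketch, added to this post and not taken from the specification, that builds an envelope shaped like the one above and then verifies it the way a receiver would: resolve the KeyInfo reference to the UsernameToken, check the HMAC over SignedInfo, resolve the Reference URI to the Body by its wsu:Id, and recompute the Body digest. Several things are assumptions rather than spec content: the wsu namespace URI (the excerpt never declares it), the way the HMAC key is derived from the shared password, nonce and Created time (the spec only names the algorithm by URI), the use of the standard library's C14N 2.0 as a stand-in for the exclusive C14N 1.0 the example names, and the constructed password table.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces taken from the quoted example; the wsu URI is an assumption,
# since the excerpt uses the prefix without declaring it.
S = "http://www.w3.org/2001/12/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://schemas.xmlsoap.org/ws/2002/xx/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/xx/utility"
TRU = "http://fabrikam123.com/payloads"
NS = {"S": S, "ds": DS, "wsse": WSSE, "wsu": WSU, "tru": TRU}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keeps prefixes stable on re-serialization

C14N_ALG = "http://www.w3.org/2001/10/xml-exc-c14n#"
HMAC_SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

def c14n(elem):
    """Canonical octets of one subtree. Stand-in: the stdlib implements C14N 2.0,
    not the exclusive C14N 1.0 named in the example, but it serves the same
    purpose of making whitespace and attribute order irrelevant to the digest."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def derive_key(password, nonce, created):
    """Constructed for this demo: the spec names hmac-sha1 by URI but leaves how
    the two ends agree on the key to the deployment."""
    return hashlib.sha1((nonce + created + password).encode()).digest()

def b64(data):
    return base64.b64encode(data).decode()

def build_envelope(username, password, nonce, created, symbol):
    env = ET.Element(f"{{{S}}}Envelope")
    header = ET.SubElement(env, f"{{{S}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "MyID"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = nonce
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    # The Body carries the wsu:Id that the signature's Reference points at.
    body = ET.SubElement(env, f"{{{S}}}Body", {f"{{{WSU}}}Id": "MsgBody"})
    ET.SubElement(body, f"{{{TRU}}}StockSymbol").text = symbol

    sig = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_ALG)
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA1_ALG)
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#MsgBody")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA1_ALG)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(hashlib.sha1(c14n(body)).digest())
    # The HMAC covers SignedInfo, which in turn carries the Body digest.
    key = derive_key(password, nonce, created)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    str_ref = ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference")
    ET.SubElement(str_ref, f"{{{WSSE}}}Reference", URI="#MyID")
    return ET.tostring(env, encoding="unicode")

def verify_envelope(xml_text, lookup_password):
    """Returns 'ok' or a short reason for rejection."""
    env = ET.fromstring(xml_text)
    token = env.find("S:Header/wsse:Security/wsse:UsernameToken", NS)
    sig = env.find("S:Header/wsse:Security/ds:Signature", NS)
    body = env.find("S:Body", NS)
    if token is None or sig is None or body is None:
        return "missing security header or body"
    # 1. KeyInfo must resolve to the UsernameToken whose secret we will use.
    key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if key_ref is None or key_ref.get("URI") != "#" + (token.get(f"{{{WSU}}}Id") or ""):
        return "key reference does not resolve to the UsernameToken"
    username = token.findtext("wsse:Username", namespaces=NS)
    password = lookup_password(username)
    if password is None:
        return "unknown user"
    nonce = token.findtext("wsse:Nonce", namespaces=NS)
    created = token.findtext("wsu:Created", namespaces=NS)
    key = derive_key(password, nonce, created)
    # 2. The HMAC over canonical SignedInfo must match SignatureValue.
    signed_info = sig.find("ds:SignedInfo", NS)
    expected = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    presented = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))
    if not hmac.compare_digest(expected, presented):
        return "SignatureValue does not match SignedInfo"
    # 3. The Reference must point at the Body we are about to process, and the
    #    Body's digest must match; the Id is checked on the Body element itself
    #    rather than searched for anywhere in the document.
    ref = signed_info.find("ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (body.get(f"{{{WSU}}}Id") or ""):
        return "signature does not cover the Body"
    digest = hashlib.sha1(c14n(body)).digest()
    presented_digest = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
    if not hmac.compare_digest(digest, presented_digest):
        return "Body digest mismatch"
    return "ok"

PASSWORDS = {"Zoe": "correct horse battery staple"}  # constructed shared secret

if __name__ == "__main__":
    msg = build_envelope("Zoe", PASSWORDS["Zoe"], "FKJh...", "2001-10-13T09:00:00Z", "QQQ")
    print(verify_envelope(msg, PASSWORDS.get))                        # ok
    print(verify_envelope(msg.replace("QQQ", "MSFT"), PASSWORDS.get))  # Body digest mismatch
```

The verification order matters: the HMAC is checked first, because until SignedInfo is known to be authentic its DigestValue is just untrusted text, and the Reference is resolved against the Body element itself rather than by hunting for any element with a matching wsu:Id, so the receiver only accepts a signature that covers the body it is going to act on. What the sketch leaves out, and a real receiver would add, is using the Nonce and Created fields for freshness: rejecting a Created time outside an acceptable clock window and a nonce already seen from that user.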

There's obviously much more to the spec than this simple example, but if you understand what's going on here, the rest is just options, alternatives, and details. Encryption would be similar, except it would reference the XML Encryption specification and some of the details would change. And, of course, the SOAP body would be gobbledygook.