XML encryption and digital signature Web services security - Yash-777/Axis1x_Soap GitHub Wiki
Web Service Security (BinarySecurityToken for WS-Security)
WS-Security standards are implemented in non-XML frameworks at the transport level, and in XML frameworks at the application level.
Authentication (user's identity): Verifying that the user is who she claims to be. A user's identity is verified based on the credentials presented by that user. Example: an ATM system, where the ATM user presents their card details and PIN.
Authorization (or Access Control): Granting access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is the property or characteristic of a user, for example, if "Marc" is the user, "conference speaker" is the attribute.
Digitally signing (integrity, non-repudiation): Making sure that a message remains unaltered during transit by having the sender digitally sign the message. The receiver validates the signature, which also provides non-repudiation. The timestamp in the signature prevents anyone from replaying this message after the expiration.
Encryption (confidentiality, privacy: keeping information secret): Keeps a message, for example a Web service request or an email, as well as the identity of the sending and receiving parties, confidential. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities.
All communication tasks that are handled by the communication portal WAS are divided into two groups on the basis of processing. The exchange of data between your system and the external system runs either through the HTTPS or the SMTP channel.
- Synchronous communication: the same keys are used for signing and encryption.
- Asynchronous communication: keys are exchanged for signing and encryption.
In an asymmetric cipher model, the receiving party's public key is used to encrypt plaintext, and the receiving party's matching private key is used to decrypt the ciphertext.
Also, a private key is used to create a digital signature by signing the message, and the public key is used for verifying the signature. Public-key certificates (or certificates, for short) are used to guarantee the integrity of public keys.
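The asymmetric model described above, as an added Java example (not code from the Axis1x_Soap project): two RSA key pairs are generated, one per party; the sender signs the payload with its own private key and encrypts it with the receiver's public key, and the receiver decrypts with its private key and verifies with the sender's public key. The 2048-bit key size, the SHA256withRSA and RSA-OAEP algorithm choices, and the sample payload are assumptions made for the illustration; a single altered byte and a verification attempt with the wrong public key are shown failing, which is the integrity property the signature provides.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added illustration of the asymmetric model: sign with the sender's private key,
// encrypt with the receiver's public key. Algorithms and key size are assumptions.
public class AsymmetricRoundTrip {

    static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Sender: create the digital signature with its own private key (integrity, non-repudiation).
    static byte[] sign(byte[] message, PrivateKey senderPrivate) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(senderPrivate);
        s.update(message);
        return s.sign();
    }

    // Receiver: verify the signature with the sender's public key.
    static boolean verify(byte[] message, byte[] signature, PublicKey senderPublic) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(senderPublic);
        s.update(message);
        return s.verify(signature);
    }

    // Sender: encrypt with the receiver's public key (confidentiality).
    static byte[] encrypt(byte[] plaintext, PublicKey receiverPublic) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, receiverPublic);
        return c.doFinal(plaintext);
    }

    // Receiver: decrypt with its own matching private key.
    static byte[] decrypt(byte[] ciphertext, PrivateKey receiverPrivate) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, receiverPrivate);
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPair sender = generate();
        KeyPair receiver = generate();
        // Constructed sample payload; short enough for direct RSA-OAEP encryption.
        byte[] payload = "<getBalance><account>12345</account></getBalance>".getBytes(StandardCharsets.UTF_8);

        // Sender side: sign the plaintext, then encrypt it for the receiver.
        byte[] signature = sign(payload, sender.getPrivate());
        byte[] ciphertext = encrypt(payload, receiver.getPublic());

        // Receiver side: decrypt with own private key, then verify the sender's signature.
        byte[] recovered = decrypt(ciphertext, receiver.getPrivate());
        System.out.println("decrypted matches payload: " + Arrays.equals(payload, recovered));
        System.out.println("signature valid: " + verify(recovered, signature, sender.getPublic()));

        // Integrity check: one flipped bit in the message must fail verification.
        byte[] tampered = recovered.clone();
        tampered[tampered.length / 2] ^= 0x01;
        System.out.println("tampered message verifies: " + verify(tampered, signature, sender.getPublic()));

        // Key binding check: the receiver's public key cannot verify the sender's signature.
        System.out.println("wrong key verifies: " + verify(recovered, signature, receiver.getPublic()));
    }
}
```

Direct RSA encryption is used here only because the sample payload is small; a real SOAP body is encrypted with a symmetric key that is itself RSA-encrypted for the receiver, which is how XML Encryption and WS-Security arrange it. The example also signs before encrypting, so the receiver must decrypt first and verify second.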
WSRP involves passing SOAP messages between the WSRP consumer and producer. To safely use WSRP, Oracle provides message-level security between the consumer and the producer by incorporating WS-Security.
WS-Security is an extension to the concept of the SOAP envelope header that enables applications to construct secure SOAP message exchanges. It also provides a means for associating security tokens with messages.
WS-Security provides three main mechanisms:
- Integration solution between the WSRP consumer and producer: The consumer passes their identification to the producer as part of the SOAP message so that the producer can verify the identity and produce WSRP content without requiring the user to sign in.
- Message integrity: Ensures that messages have not been tampered with.
- Message confidentiality: Guarantees that messages are protected.
Image: WS-Security SOAP message structure. The diagram shows the SOAP envelope, SOAP header and SOAP body (body message / business payload), and how WS-Security embeds the security token in the SOAP message.
https://www.digikey.com/en/articles/providing-peace-of-mind-in-the-wireless-iiot-world
Image (two panels): Digital Signature | Verifying
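The header layout in the diagram above, together with the timestamp rule from the signing section (a message must not be accepted after its expiration), as an added Java example that is not code from the Axis1x_Soap project: a constructed SOAP envelope carries a wsse:Security header with a BinarySecurityToken and a wsu:Timestamp, and a receiver-side check rejects headers whose Timestamp has expired or lies in the future. The token value is a labelled placeholder rather than a real base64-encoded certificate, the five-minute clock-skew allowance and the fixed reference clock are assumptions, and the WS-Security namespace URIs are the standard OASIS 2004 ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added illustration: building a wsse:Security header and checking its Timestamp on receipt.
public class WsSecurityHeaderCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final Duration MAX_SKEW = Duration.ofMinutes(5); // assumption: tolerated clock difference

    // Constructed sample envelope; the token value is a placeholder, not a real certificate.
    static String sampleEnvelope(Instant created, Instant expires) {
        return "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soapenv:Header>"
            + "<wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU + "\" soapenv:mustUnderstand=\"1\">"
            + "<wsse:BinarySecurityToken wsu:Id=\"X509-1\" "
            + "EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\" "
            + "ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\">"
            + "BASE64-DER-CERT-PLACEHOLDER</wsse:BinarySecurityToken>"
            + "<wsu:Timestamp wsu:Id=\"TS-1\">"
            + "<wsu:Created>" + created + "</wsu:Created>"
            + "<wsu:Expires>" + expires + "</wsu:Expires>"
            + "</wsu:Timestamp>"
            + "</wsse:Security>"
            + "</soapenv:Header>"
            + "<soapenv:Body><getBalance><account>12345</account></getBalance></soapenv:Body>"
            + "</soapenv:Envelope>";
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Reject DOCTYPE so external entities cannot be introduced through the header.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Text of exactly one child element in the given namespace; duplicates are an error.
    static String textOf(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        if (nl.getLength() != 1) throw new IllegalArgumentException("expected exactly one " + local);
        return nl.item(0).getTextContent().trim();
    }

    // Returns null when the header is acceptable, otherwise the reason for rejection.
    static String checkTimestamp(String xml, Instant now) throws Exception {
        Document doc = parse(xml);
        NodeList sec = doc.getElementsByTagNameNS(WSSE, "Security");
        if (sec.getLength() != 1) return "missing or duplicated wsse:Security header";
        Element security = (Element) sec.item(0);
        NodeList ts = security.getElementsByTagNameNS(WSU, "Timestamp");
        if (ts.getLength() != 1) return "missing or duplicated wsu:Timestamp";
        Element timestamp = (Element) ts.item(0);
        Instant created = Instant.parse(textOf(timestamp, WSU, "Created"));
        Instant expires = Instant.parse(textOf(timestamp, WSU, "Expires"));
        if (!expires.isAfter(created)) return "Expires is not after Created";
        if (created.isAfter(now.plus(MAX_SKEW))) return "Created lies in the future";
        if (!expires.isAfter(now.minus(MAX_SKEW))) return "message expired (possible replay)";
        if (security.getElementsByTagNameNS(WSSE, "BinarySecurityToken").getLength() == 0)
            return "no BinarySecurityToken to verify the signature against";
        return null;
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed reference clock
        String fresh = sampleEnvelope(now.minusSeconds(30), now.plusSeconds(270));
        String stale = sampleEnvelope(now.minus(Duration.ofHours(2)), now.minus(Duration.ofHours(1)));
        System.out.println("fresh: " + checkTimestamp(fresh, now)); // null means accepted
        System.out.println("stale: " + checkTimestamp(stale, now)); // rejected as expired
    }
}
```

The Timestamp check is only meaningful once the signature covering the Timestamp element has been verified against the certificate carried in the BinarySecurityToken; otherwise a replayed message could simply be given a fresh Timestamp. Insisting on exactly one Security header and one Timestamp closes the door on the ambiguity that duplicated elements introduce.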