Web Services security examples

This topic illustrates several common security scenarios.

Authenticating with a username token

The following example illustrates sending a message-level username/password token (a username token), where the user name is John and the password is 1234.

    web_service_set_security(
        SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myToken", "UserName=John", "Password=1234", "PasswordOptions=SendPlainText", "Add=True",
        LAST);

Signing a specific element with an X.509 certificate

It is possible to sign only a specific element in a message. The following example signs a specific element using an XPATH expression:

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
        MESSAGE_SIGNATURE, "UseToken=myCert", "TargetPath=//*[local-name(.)='someElement' and namespace-uri(.)='http://myNamespace']",
        LAST);

Signing with an X.509 certificate

The following example shows a script using an X.509 certificate for a digital signature.

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
        MESSAGE_SIGNATURE, "UseToken=myCert",
        LAST);

Note: The certificate must be installed in the Windows certificate store. In the example above, replace the store name, store location, and subject name with the actual values for your certificate.

Encrypting with a certificate

The following sample encrypts a message with the service's X.509 certificate.

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=serviceCert", "StoreLocation=CurrentUser", "Add=False",
        ENCRYPTED_DATA, "UseToken=serviceCert",
        LAST);

After you specify the details of the service's X.509 certificate, you can encrypt a specific part of the message selected by an XPATH expression.

To generate a Subject Key Identifier, set the Add property to False.

Authenticating with a username token and encrypting with an X.509 certificate

The following example sends a username token to the service and encrypts it with the server's X.509 certificate:

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=serviceCert", "StoreLocation=CurrentUser", "Add=True",
        SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myUser", "UserName=John", "Password=1234", "PasswordOptions=SendPlainText", "Add=True",
        ENCRYPTED_DATA, "UseToken=serviceCert", "TargetToken=myUser",
        LAST);

The UseToken property indicates which token performs the encryption and the TargetToken property indicates which token is encrypted. Both values reference the LogicalName property of the respective tokens.

Encrypting and signing a message

This example shows how to sign a message using a private key and then encrypt it using the service's public key.

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
        SECURITY_TOKEN, "Type=X509", "LogicalName=serverCert", "StoreName=My", "IDType=SubjectName", "IDValue=CN=serverCert", "StoreLocation=CurrentUser", "Add=False",
        MESSAGE_SIGNATURE, "UseToken=myCert",
        ENCRYPTED_DATA, "UseToken=serverCert",
        LAST);
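Because every UseToken and TargetToken value must match the LogicalName of a token declared earlier in the same call, a mismatch (for example a token declared as serverToken but referenced as serverCert) is an easy mistake to make when assembling the argument list. The following checker is an added example written in plain C, not LoadRunner script code from the original page; it assumes the section constants (SECURITY_TOKEN, MESSAGE_SIGNATURE, ENCRYPTED_DATA) are passed as ordinary strings so that it can run stand-alone, and it counts references that resolve to no declared token:

```c
#include <stdio.h>
#include <string.h>
#define MAX_TOKENS 16

/* If arg is "key=value", return a pointer to value; otherwise NULL. */
static const char *prop_value(const char *arg, const char *key) {
    size_t n = strlen(key);
    return (strncmp(arg, key, n) == 0 && arg[n] == '=') ? arg + n + 1 : NULL;
}

/* Walks a NULL-terminated argument list in the order web_service_set_security
 * receives it (section constants such as SECURITY_TOKEN appear as plain strings
 * here and are skipped). Each "UseToken=" or "TargetToken=" value must equal the
 * "LogicalName=" of a token declared earlier in the list; the function returns
 * how many references name no declared token. */
int count_dangling_token_refs(const char *args[]) {
    const char *names[MAX_TOKENS];
    int n = 0, dangling = 0;
    for (int i = 0; args[i] != NULL; i++) {
        const char *v = prop_value(args[i], "LogicalName");
        if (v != NULL) {             /* a token declaration */
            if (n < MAX_TOKENS) names[n++] = v;
            continue;
        }
        if ((v = prop_value(args[i], "UseToken")) == NULL &&
            (v = prop_value(args[i], "TargetToken")) == NULL)
            continue;                /* not a token reference */
        int found = 0;
        for (int j = 0; j < n && !found; j++)
            found = strcmp(names[j], v) == 0;
        if (!found) {
            fprintf(stderr, "unresolved token reference: %s\n", args[i]);
            dangling++;
        }
    }
    return dangling;
}

/* Constructed sample: serverToken is declared but serverCert is referenced. */
const char *sample_mismatch[] = {
    "SECURITY_TOKEN", "Type=X509", "LogicalName=myCert", "Add=True",
    "SECURITY_TOKEN", "Type=X509", "LogicalName=serverToken", "Add=False",
    "MESSAGE_SIGNATURE", "UseToken=myCert",
    "ENCRYPTED_DATA", "UseToken=serverCert", NULL };

/* Constructed sample: both references resolve to declared tokens. */
const char *sample_ok[] = {
    "SECURITY_TOKEN", "Type=X509", "LogicalName=serviceCert", "Add=True",
    "SECURITY_TOKEN", "Type=USERNAME", "LogicalName=myUser", "Add=True",
    "ENCRYPTED_DATA", "UseToken=serviceCert", "TargetToken=myUser", NULL };
```

Running the checker over a script's argument list before the load test starts catches a dangling reference with a clear message instead of a failed security handshake against the service.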

Referencing an X.509 certificate using a hash

In certain cases, you may be unable to reference a certificate by its subject name. This example shows how to reference the certificate using its unique hash instead.

    web_service_set_security(
        SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My",
        "IDType=Base64KeyID", "IDValue=pOl0+1iuotKLlO91nhjDg5reEw0=",
        "StoreLocation=CurrentUser", "Add=False",
        ENCRYPTED_DATA, "UseToken=serviceCert",
        LAST);