Web Services security examples
This topic illustrates several common security scenarios.
Authenticating with a username token
The following example sends a message-level username/password token (a username token) in which the user name is John and the password is 1234:
web_service_set_security(
    SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myToken", "UserName=John",
        "Password=1234", "PasswordOptions=SendPlainText", "Add=True",
    LAST);
Signing a specific element with an X.509 certificate
It is possible to sign only a specific element of a message. The following example selects the element to sign with an XPath expression in the TargetPath property:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
    MESSAGE_SIGNATURE, "UseToken=myCert",
        "TargetPath=//*[local-name(.)='someElement' and namespace-uri(.)='http://myNamespace']",
    LAST);
Signing with an X.509 certificate
The following example shows a script that uses an X.509 certificate to produce a digital signature over the message:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
    MESSAGE_SIGNATURE, "UseToken=myCert",
    LAST);
Note: The certificate must be installed in the Windows certificate store. In the example above, replace the store name, store location, and subject name with those of your own certificate.
Encrypting with a certificate
The following sample encrypts a message with the service's X.509 certificate:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=serviceCert", "StoreLocation=CurrentUser", "Add=False",
    ENCRYPTED_DATA, "UseToken=serviceCert",
    LAST);
After you specify the details of the X.509 certificate, you can restrict encryption to a specific part of the message by selecting it with an XPath expression.
To generate a Subject Key Identifier reference for the certificate, set Add to False.
Authenticating with a username token and encrypting with an X.509 certificate
The following example sends a username token to the service and encrypts that token with the server's X.509 certificate:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=serviceCert", "StoreLocation=CurrentUser", "Add=True",
    SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myUser", "UserName=John",
        "Password=1234", "PasswordOptions=SendPlainText", "Add=True",
    ENCRYPTED_DATA, "UseToken=serviceCert", "TargetToken=myUser",
    LAST);
The UseToken property names the token that performs the encryption and the TargetToken property names the token that is encrypted. Both values must match the LogicalName property of a token defined in the same call.
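As an added check that is not part of the LoadRunner documentation, the following Python script audits web_service_set_security calls written in the argument syntax shown on this page: it reports any UseToken or TargetToken value that matches no token's LogicalName, and any username token sent with PasswordOptions=SendPlainText that no ENCRYPTED_DATA section targets. The two sample calls are constructed; the second deliberately references a logical name that is never defined.

```python
import re

SECTIONS = {"SECURITY_TOKEN", "MESSAGE_SIGNATURE", "ENCRYPTED_DATA"}  # keywords that open a section
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"|([A-Z_]+)')  # one quoted "Key=Value" or one bare keyword

def parse_call(call):
    """Split one call into [(section, {property: value}), ...] in argument order."""
    inner = call[call.index("(") + 1:call.rindex(")")]
    entries, props = [], None
    for quoted, bare in ARG.findall(inner):
        if bare in SECTIONS:
            props = {}
            entries.append((bare, props))
        elif bare == "LAST":
            break
        elif quoted and props is not None:
            key, _, value = quoted.partition("=")  # "IDValue=CN=myCert" keeps its inner '='
            props[key] = value
    return entries

def audit_call(call):
    """Return a list of findings; an empty list means both checks passed."""
    entries = parse_call(call)
    tokens = {p["LogicalName"]: p for s, p in entries
              if s == "SECURITY_TOKEN" and "LogicalName" in p}
    encrypted = {p.get("TargetToken") for s, p in entries if s == "ENCRYPTED_DATA"}
    findings = []
    for section, props in entries:  # only signature/encryption sections carry these keys
        for ref_key in ("UseToken", "TargetToken"):
            ref = props.get(ref_key)
            if ref is not None and ref not in tokens:
                findings.append(f"{section}: {ref_key}={ref} matches no LogicalName")
    for name, props in tokens.items():
        if (props.get("Type") == "USERNAME"
                and props.get("PasswordOptions") == "SendPlainText"
                and name not in encrypted):
            findings.append(f"SECURITY_TOKEN {name}: plaintext password without message-level encryption")
    return findings

# Constructed sample calls in the syntax this page uses.
GOOD_CALL = '''web_service_set_security( SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert",
    "StoreName=My", "IDType=SubjectName", "IDValue=CN=serviceCert", "StoreLocation=CurrentUser", "Add=True",
    SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myUser", "UserName=John", "Password=1234",
    "PasswordOptions=SendPlainText", "Add=True", ENCRYPTED_DATA, "UseToken=serviceCert", "TargetToken=myUser", LAST);'''
BAD_CALL = '''web_service_set_security( SECURITY_TOKEN, "Type=USERNAME", "LogicalName=myUser",
    "UserName=John", "Password=1234", "PasswordOptions=SendPlainText", "Add=True",
    SECURITY_TOKEN, "Type=X509", "LogicalName=serverToken", "StoreName=My", "IDType=SubjectName",
    "IDValue=CN=serverCert", "StoreLocation=CurrentUser", "Add=False", ENCRYPTED_DATA, "UseToken=serverCert", LAST);'''
```

A plaintext password that relies on TLS alone is still reported, so treat that finding as a prompt to confirm the transport rather than as a definite defect.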
Encrypting and signing a message
This example signs the message with the script's private key (the myCert token) and then encrypts it with the service's public key (the serverCert token). The LogicalName of each token must match the UseToken value that refers to it:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=myCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=myCert", "StoreLocation=CurrentUser", "Add=True",
    SECURITY_TOKEN, "Type=X509", "LogicalName=serverCert", "StoreName=My",
        "IDType=SubjectName", "IDValue=CN=serverCert", "StoreLocation=CurrentUser", "Add=False",
    MESSAGE_SIGNATURE, "UseToken=myCert",
    ENCRYPTED_DATA, "UseToken=serverCert",
    LAST);
Referencing an X.509 certificate using a hash
In certain cases you may be unable to reference a certificate by its subject name. This example references the certificate by its unique hash instead, using the Base64KeyID ID type:
web_service_set_security(
    SECURITY_TOKEN, "Type=X509", "LogicalName=serviceCert", "StoreName=My",
        "IDType=Base64KeyID", "IDValue=pOl0+1iuotKLlO91nhjDg5reEw0=", "StoreLocation=CurrentUser", "Add=False",
    ENCRYPTED_DATA, "UseToken=serviceCert",
    LAST);
