Table 4–24 Attributes of RequireSAMLAssertion (Continued)

strID
    Element content of the string identifier for the keyIdentifier.

keyReferenceType
    Indicates whether the token reference identifies a token by AssertionId (Identifier) or by an embedded reference (Embedded). The default value is Identifier.

type
    Indicates to use the SV type of SAML assertion. The SV confirmed assertion is not contained in the message. (Required)

Table 4–25 Sub-elements of OptionalTargets

Target
    Indicates that a security operation is allowed to be performed on this target, but it is not required. One or more of these elements can be specified. The augmented cid:* syntax is not allowed as the value of the Target when Target is a sub-element of OptionalTargets.

Transform

The <Transform> element is an optional ordered list of processing steps to be applied to the resource's content before it is digested. Transforms can include operations such as canonicalization, encoding/decoding, XSLT, XPath, XML schema validation, or XInclude. The recommendation that discusses this method is the W3C XML-Signature Syntax and Processing recommendation, which can be viewed at http://www.w3.org/TR/xmldsig-core/#sec-Transforms. The following types of transform algorithms can be used: canonicalization, Base64, XPath filtering, enveloped signature transform, and XSLT transform. The XWS-Security APIs Sample Application provides some examples of configuration files that use this element. Table 4–26 provides a description of its attributes, Table 4–27 provides a description of its sub-elements.
AlgorithmParameter

Algorithms are identified by URIs that appear as an attribute to the element that identifies the algorithms' role (DigestMethod, Transform, SignatureMethod, or CanonicalizationMethod). All algorithms used herein take parameters but in many cases the parameters are implicit. Explicit additional parameters to an algorithm appear as content elements within the algorithm role element. Such parameter elements have a descriptive element name, which is frequently algorithm specific, and MUST be in the XML Signature namespace or an algorithm specific namespace. The XWS-Security APIs Sample Application provides some examples of configuration files that use this element. Table 4–28 provides a description of its attributes.
Table 4–26 Attributes of Transform

algorithm
    The algorithm to be used for signing. (Required)

Table 4–27 Sub-elements of Transform

AlgorithmParameter
    Identifies the parameters to be supplied to the transform algorithm.
Table 4–28 Attributes of AlgorithmParameter

value
    The value of the algorithm parameter. (Required)

X509Token

The <X509Token> element is used to specify the certificate to be used for encryption (for the case of encryption) or the certificate corresponding to the private key used for signing (for the case of signature). This element must not be specified if the <SymmetricKey> or <SAMLAssertion> sub-elements are present. Table 4–29 provides a description of its attributes.

Table 4–29 Attributes of X509Token

id
    The id to be assigned to this token in the message. This attribute is useful in referring to the token from other places in the security configuration file. (Optional)

strID
    If specified, it denotes the wsu:Id to be assigned to the Security Token Reference (STR) to be generated and inserted into the message. The inserted STR would reference the X509 token.

certificateAlias
    The alias associated with the token (certificate).

keyReferenceType
    The reference mechanism to be used for referring to the X509 token (certificate) which was involved in the security operation, in the outgoing messages. The default value is Direct. The list of allowed values for this attribute and their description is as follows:
    1. Direct - certificate is sent along with the message.
    2. Identifier - subject key identifier extension value of the certificate is sent in the message.
    3. IssuerSerialNumber - issuer name and serial number of the certificate are sent in the message.

encodingType
    The type of encoding to be used for the token. The default value is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary.

valueType
    The type of value to expect. The valueType can be #X509v3, #X509PKIPathv1, or #PKCS7. This release does not support #PKCS7.

Target

Note: In this release the Target sub-element is deprecated and is supported only for backward compatibility. The Target sub-element is being replaced with SignatureTarget and EncryptionTarget.

The <Target>target_value</Target> sub-element contains a string that can be used to identify the resource that needs to be signed or encrypted. If a Target sub-element is not specified, the default value is a target that points to the contents of the SOAP body of the message. The value of this element is specified as a text node inside this element.

You can specify attachments as targets by setting the type attribute to uri and specifying the target value as cid:<part-name>, which specifies the value of the Content-ID (CID) header of the attachment. When the Content-ID is not known until runtime, such as when auto-generated CIDs are used under JAX-RPC, the attachment can be referenced by setting the type attribute to uri and specifying the target value as attachmentRef:<part-name>, where part-name is the WSDL part name of the AttachmentPart. Auto-generated CIDs in JAX-RPC follow the form <partname>=<UUID>@<Domain>. The special value cid:* can be used to refer to all attachments of a SOAPMessage.

The attributes of the <Target> element are described in Table 4–30.
SignatureTarget
The <SignatureTarget>sub-element is called by the <SignatureMethod> ele- ment to identify the resource that needs to be signed. If neither the <Signature- Target> nor <Target> sub-element are specified, the default value is a target that points to the contents of the SOAP body of the message. The target value is a string that specifies the object to be signed, and which is specified between the
<SignatureTarget>target_value</SignatureTarget> elements. The XWS- Security APIs Sample Applicationprovides some examples of configuration files that use this element.
You can specify attachments as targets by setting thetypeattribute touri and specifying the target value ascid:<part-name>, which specifies the value of the Content-ID (CID) header of the attachment. When the Content-ID is not know until runtime, such as when auto-generated CIDs are run under JAX-RPC, the attachment can be referenced by setting thetypeattribute touriand specifying
Table 4–30 Attributes of Target
Attributes of Target Description
type
Indicates the type of the target value. Default value isqname. The list of allowed values for this attribute and their descrip- tion is as follows:
1.qname - If the target element has a local nameName and a namespace URIsome-uri, the target value is{some- uri}Name.
2.xpath - Indicates that the target value is the xpath of the target element.
3.uri - If the target element has an idsome-id, then the tar- get value is#some-id.
contentOnly
Indicates whether the complete element or only the contents needs to be encrypted (or is required to be encrypted). The default value istrue. (Relevant only for <Encrypt> and <RequireEncryption> targets)
enforce
Iftrue, indicates that the security operation on the target ele- ment is definitely required. Default value istrue. (Relevant only for <RequireSignature> and <RequireEncryption> tar- gets)
the target value as attachmentRef:<part-name>, where part-name is the WSDL part name of the AttachmentPart. Auto-generated CIDs in JAX-RPC following the form <partname>=<UUID>@<Domain>. The special value cid:*
can be used to refer to all attachments of aSOAPMessage.
The attributes of <SignatureTarget> are described in Table 4–31, its sub-ele-
ments are described inTable 4–32.
Table 4–31 Attributes of SignatureTarget

type
    Indicates the type of the target value. Default value is qname. The list of allowed values for this attribute and their description is as follows:
    1. qname - If the target element has a local name Name and a namespace URI some-uri, the target value is {some-uri}Name.
    2. xpath - Indicates that the target value is the xpath of the target element.
    3. uri - If the target element has an id some-id, then the target value is #some-id. This is the option that is used to secure message attachments.

value
    Indicates whether the value needs to be encrypted (or is required to be encrypted). The default value is true. (Relevant only for <Encrypt> and <RequireEncryption> targets)

enforce
    If true, indicates that the security operation on the target element is definitely required. Default value is true. (Relevant only for <RequireSignature> and <RequireEncryption> targets)

Table 4–32 Sub-elements of SignatureTarget

DigestMethod
    Identifies the digest algorithm to be applied for signing the

Transform
    Identifies the transform algorithm to be applied before signing the object.

EncryptionTarget

The <EncryptionTarget> sub-element identifies the type of encrypted structure being described. If neither the <EncryptionTarget> nor <Target> sub-element is specified, the default value is a target that points to the contents of the SOAP body of the message. The target value is a string that specifies the object to be encrypted, and which is specified between the <EncryptionTarget>target_value</EncryptionTarget> elements.

You can specify attachments as targets by setting the type attribute to uri and specifying the target value as cid:<part-name>, which specifies the value of the Content-ID (CID) header of the attachment. When the Content-ID is not known until runtime, such as when auto-generated CIDs are used under JAX-RPC, the attachment can be referenced by setting the type attribute to uri and specifying the target value as attachmentRef:<part-name>, where part-name is the WSDL part name of the AttachmentPart. Auto-generated CIDs in JAX-RPC follow the form <partname>=<UUID>@<Domain>. The special value cid:* can be used to refer to all attachments of a SOAPMessage.

The attributes of <EncryptionTarget> are described in Table 4–33, its sub-elements are described in Table 4–34.
Table 4–33 Attributes of EncryptionTarget

type
    Indicates the type of the target value. Default value is qname. The list of allowed values for this attribute and their description is as follows:
    1. qname - If the target element has a local name Name and a namespace URI some-uri, the target value is {some-uri}Name.
    2. xpath - Indicates that the target value is the xpath of the target element.
    3. uri - If the target element has an id some-id, then the target value is #some-id. This option is used to secure message attachments.

contentOnly
    Indicates whether the complete element or only the contents need to be encrypted (or is required to be encrypted). The default value is true. (Relevant only for <Encrypt> and <RequireEncryption> targets)

value
    Indicates whether the value needs to be encrypted (or is required to be encrypted). The default value is true. (Required)

enforce
    If true, indicates that the security operation on the target element is definitely required. Default value is true. (Relevant only for <RequireSignature> and <RequireEncryption> targets)

Table 4–34 Sub-elements of EncryptionTarget

Transform
    Identifies the transform algorithm to be applied to the object to
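The target addressing rules above (type qname, xpath and uri; cid:<part-name>, attachmentRef:<part-name> and the cid:* wildcard; the cid:* restriction under OptionalTargets) are shared by <Target>, <SignatureTarget> and <EncryptionTarget>. The following Python program is an added illustration of those rules, not code from XWS-Security or its sample application. The SOAP envelope, the attachment Content-IDs and the wsu:Id value are constructed; the xpath branch uses ElementTree's limited path syntax rather than the full XPath the implementation evaluates, and the attachmentRef matching against auto-generated CIDs is this example's own reading of the <partname>=<UUID>@<Domain> form.

```python
"""Resolve Target / SignatureTarget / EncryptionTarget values against a SOAP
message. Added illustration, not XWS-Security code; the envelope, attachments
and Content-IDs below are constructed sample data."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = {"env": SOAP_ENV, "wsu": WSU}

# Constructed sample envelope with one wsu:Id-bearing element in the body.
SAMPLE_ENVELOPE = f"""
<env:Envelope xmlns:env="{SOAP_ENV}" xmlns:wsu="{WSU}">
  <env:Header/>
  <env:Body>
    <ns1:getQuote xmlns:ns1="urn:stock" wsu:Id="body-1">
      <symbol>SUNW</symbol>
    </ns1:getQuote>
  </env:Body>
</env:Envelope>
"""

# Constructed attachments keyed by Content-ID. The second CID follows the
# auto-generated JAX-RPC form <partname>=<UUID>@<Domain> described above.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4 constructed sample",
    "photo=7f0e3c52-1f6a-4b34-9f8c-2f0a1bb2b0c4@example.com": b"\x89PNG constructed",
}

# Parses <partname>=<UUID>@<Domain> so attachmentRef:<part-name> can be matched.
AUTO_CID = re.compile(r"^(?P<part>[^=@]+)=[0-9a-fA-F-]{36}@[^@]+$")


def resolve_target(root, attachments, target_type, value, optional=False):
    """Return the elements (XML targets) or Content-IDs (attachments) selected
    by a target of the given type. optional=True models a Target under
    <OptionalTargets>, where the cid:* wildcard is not allowed."""
    if target_type == "qname":
        # {namespace-uri}LocalName is exactly ElementTree's tag notation.
        return [el for el in root.iter() if el.tag == value]

    if target_type == "xpath":
        # ElementTree supports only a subset of XPath (assumption: the real
        # implementation evaluates full XPath).
        return root.findall(value, NS)

    if target_type == "uri":
        if value.startswith("#"):
            wanted = value[1:]
            return [el for el in root.iter()
                    if el.get(f"{{{WSU}}}Id") == wanted or el.get("id") == wanted]
        if value == "cid:*":
            if optional:
                raise ValueError("cid:* is not allowed under OptionalTargets")
            return sorted(attachments)
        if value.startswith("cid:"):
            cid = value[len("cid:"):]
            return [cid] if cid in attachments else []
        if value.startswith("attachmentRef:"):
            part = value[len("attachmentRef:"):]
            hits = []
            for cid in attachments:
                m = AUTO_CID.match(cid)
                if m and m.group("part") == part:
                    hits.append(cid)
            return sorted(hits)
        raise ValueError(f"unsupported uri target: {value}")

    raise ValueError(f"unknown target type: {target_type}")


def demo():
    """Run each addressing form against the constructed message."""
    root = ET.fromstring(SAMPLE_ENVELOPE)
    att = SAMPLE_ATTACHMENTS
    return {
        "qname": [el.tag for el in resolve_target(root, att, "qname", f"{{{SOAP_ENV}}}Body")],
        "xpath": [el.tag for el in resolve_target(root, att, "xpath", ".//env:Body/*")],
        "uri_id": [el.get(f"{{{WSU}}}Id") for el in resolve_target(root, att, "uri", "#body-1")],
        "cid": resolve_target(root, att, "uri", "cid:invoice.pdf"),
        "cid_all": resolve_target(root, att, "uri", "cid:*"),
        "attachment_ref": resolve_target(root, att, "uri", "attachmentRef:photo"),
    }


def optional_wildcard_rejected():
    """True if cid:* under OptionalTargets is refused, as the reference requires."""
    root = ET.fromstring(SAMPLE_ENVELOPE)
    try:
        resolve_target(root, SAMPLE_ATTACHMENTS, "uri", "cid:*", optional=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:15} -> {hit}")
    print("cid:* rejected under OptionalTargets:", optional_wildcard_rejected())
```

The point worth checking in a real configuration is the last branch: a qname or xpath target that matches nothing selects nothing, so a signature or encryption requirement written against a misspelled target silently covers less than intended. Resolving each target against a sample message, as demo() does, surfaces that before deployment.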
SymmetricKey

The <SymmetricKey> element indicates the symmetric key to be used for encryption. This element must not be specified if the <X509Token> or <SAMLAssertion> sub-elements are present. Its attributes are discussed in Table 4–35.

Table 4–35 Attributes of SymmetricKey

keyAlias
    The alias of the symmetric key to be used for encryption. This attribute is required.

CanonicalizationMethod

The <CanonicalizationMethod> element specifies the canonicalization algorithm to be applied to the <SignedInfo> element prior to performing signature calculations. When specified, the canonical XML [XML-C14N] standard, which is an algorithm that standardizes the way XML documents should be ordered and structured, should be applied. The recommendation that discusses this method is the W3C XML-Signature Syntax and Processing recommendation, which can be viewed at http://www.w3.org/TR/xmldsig-core/#sec-CanonicalizationMethod. Its attributes are discussed in Table 4–36.

Table 4–36 Attributes of CanonicalizationMethod

algorithm
    The algorithm to be used for signing. There is no default value. You must explicitly add http://www.w3.org/2001/10/xml-exc-c14n# to the transforms list in the configuration file if you want to use it. The prefix list is computed by the implementation and does not need to be specified in the configuration file. This transform will be added as the last transform regardless of its placement in the configuration file.
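Transforms and the canonicalization method run before the digest is computed, so the signature covers a normalized form of the element rather than the bytes as they happen to be serialized. The following Python program, added here and not part of XWS-Security, shows the effect on two serializations of the same element: the raw digests differ, the canonical digests agree. Python's standard-library canonicalize() implements C14N 2.0, not the exclusive C14N algorithm http://www.w3.org/2001/10/xml-exc-c14n# named in Table 4–36, and SHA-256 is used as the digest; both are choices made for this illustration, and the two documents are constructed.

```python
"""Show why transforms and canonicalization run before digesting. Added
illustration, not XWS-Security code. Python's canonicalize() implements
C14N 2.0 and is used here only to demonstrate the principle; the two
documents are constructed."""
import hashlib
import xml.etree.ElementTree as ET

# Same infoset, two serializations: attribute order, whitespace and an
# unused namespace declaration differ.
DOC_A = ('<ns1:getQuote xmlns:ns1="urn:stock" xmlns:unused="urn:x" b="2" a="1">'
         '<symbol>SUNW</symbol></ns1:getQuote>')
DOC_B = ('<ns1:getQuote a="1" b="2" xmlns:ns1="urn:stock">\n'
         '  <symbol>SUNW</symbol>\n'
         '</ns1:getQuote>')


def canonical_form(xml_text):
    """Canonicalize (C14N 2.0 here, exclusive C14N in XWS-Security), dropping
    whitespace-only text so indentation does not change the digest."""
    return ET.canonicalize(xml_text, strip_text=True)


def raw_digest(xml_text):
    """Digest of the bytes exactly as serialized, with no transform applied."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """Digest after the canonicalization transform, which is what the
    DigestMethod sees when the Transform list includes canonicalization."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def compare():
    """Report whether raw digests differ and canonical digests agree."""
    return {
        "raw_equal": raw_digest(DOC_A) == raw_digest(DOC_B),
        "canonical_equal": canonical_digest(DOC_A) == canonical_digest(DOC_B),
        "canonical": canonical_form(DOC_A),
    }


if __name__ == "__main__":
    result = compare()
    print("canonical form:", result["canonical"])
    print("raw digests equal:", result["raw_equal"])
    print("canonical digests equal:", result["canonical_equal"])
```

The hash function is interchangeable here; what the example isolates is the input to it. A verifier that re-serializes the message (a SOAP intermediary, a different parser) would break a raw-bytes digest but not a canonical one, which is why the configuration has to name the canonicalization transform explicitly rather than rely on the wire form.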
SignatureMethod

The <SignatureMethod> element specifies the algorithm used for signature generation and validation. A SignatureMethod is implicitly given two parameters: the keying info and the output of CanonicalizationMethod. The recommendation that discusses this method is the W3C XML-Signature Syntax and Processing recommendation, which can be viewed at http://www.w3.org/TR/xmldsig-core/#sec-SignatureMethod. Its attributes are discussed in Table 4–37.

Table 4–37 Attributes of SignatureMethod

algorithm
    The algorithm to be used for signing. The default value is http://www.w3.org/2000/09/xmldsig#rsa-sha1.

DigestMethod

The <DigestMethod> element specifies the algorithm used for generating the digest of the object to be signed. The recommendation that discusses this method is the W3C XML-Signature Syntax and Processing recommendation, which can be viewed at http://www.w3.org/TR/xmldsig-core/#sec-DigestMethod. The attributes of <DigestMethod> are discussed in Table 4–38.

Table 4–38 Attributes of DigestMethod

algorithm
    Identifies the digest algorithm to be applied to the signed object. The default value is

DataEncryptionMethod

The <DataEncryptionMethod> element specifies the encryption algorithm to be applied to the cipher data. The recommendation that discusses this method is the W3C XML Encryption Syntax and Processing recommendation, which can be viewed at http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/#sec-EncryptionMethod. The attributes of <DataEncryptionMethod> are discussed in Table 4–39.

Note: Although the schema indicates that http://www.w3.org/2001/04/xmlenc#aes128-cbc is the default algorithm for <DataEncryptionMethod>, for backward compatibility this implementation still uses http://www.w3.org/2001/04/xmlenc#tripledes-cbc as the default.

Table 4–39 Attributes of DataEncryptionMethod

algorithm
    The algorithm to be used for encrypting data. The default value is http://www.w3.org/2001/04/xmlenc#aes128-cbc. Other options include http://www.w3.org/2001/04/xmlenc#aes256-cbc and http://www.w3.org/2001/04/xmlenc#tripledes-cbc.
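Because the implementation default for <DataEncryptionMethod> differs from the schema default, a configuration that omits the element gets Triple DES rather than AES-128. The following Python check, added here and not part of XWS-Security, reports every <Encrypt> element that relies on that implicit default or names tripledes-cbc explicitly, and also flags a violation of the rule that <X509Token>, <SymmetricKey> and <SAMLAssertion> must not be combined. It assumes the configuration uses the xwss namespace http://java.sun.com/xml/ns/xwss/config with <Encrypt> as the parent of these elements; the sample configuration is constructed.

```python
"""Lint an XWS-Security configuration for the data-encryption default and
for conflicting key sources. Added check, not part of XWS-Security. The xwss
namespace and the <Encrypt> parent element are assumptions; the sample
configuration below is constructed."""
import xml.etree.ElementTree as ET

XWSS = "http://java.sun.com/xml/ns/xwss/config"   # assumed namespace
SCHEMA_DEFAULT = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
IMPLEMENTATION_DEFAULT = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
AES256 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
# The reference states these three must not appear together.
KEY_SOURCES = ("X509Token", "SymmetricKey", "SAMLAssertion")

# Constructed sample: four <Encrypt> blocks with different algorithm choices.
SAMPLE_CONFIG = f"""
<xwss:SecurityConfiguration xmlns:xwss="{XWSS}">
  <xwss:Encrypt>
    <xwss:X509Token certificateAlias="s1as" keyReferenceType="Direct"/>
    <xwss:EncryptionTarget type="qname" value="{{urn:stock}}getQuote" contentOnly="true"/>
  </xwss:Encrypt>
  <xwss:Encrypt>
    <xwss:X509Token certificateAlias="s1as"/>
    <xwss:DataEncryptionMethod algorithm="{IMPLEMENTATION_DEFAULT}"/>
    <xwss:EncryptionTarget type="uri" value="cid:invoice.pdf"/>
  </xwss:Encrypt>
  <xwss:Encrypt>
    <xwss:X509Token certificateAlias="s1as"/>
    <xwss:DataEncryptionMethod algorithm="{AES256}"/>
    <xwss:EncryptionTarget type="qname" value="{{urn:stock}}getQuote"/>
  </xwss:Encrypt>
  <xwss:Encrypt>
    <xwss:X509Token certificateAlias="s1as"/>
    <xwss:SymmetricKey keyAlias="shared-aes-key"/>
    <xwss:DataEncryptionMethod algorithm="{SCHEMA_DEFAULT}"/>
    <xwss:EncryptionTarget type="uri" value="#body-1"/>
  </xwss:Encrypt>
</xwss:SecurityConfiguration>
"""


def tag(local):
    """Clark-notation tag for an element in the assumed xwss namespace."""
    return f"{{{XWSS}}}{local}"


def data_algorithm(enc):
    """(effective algorithm, written explicitly?) for one <Encrypt> element.
    A missing element falls to the implementation default from the note above."""
    dem = enc.find(tag("DataEncryptionMethod"))
    alg = dem.get("algorithm") if dem is not None else None
    return (alg, True) if alg else (IMPLEMENTATION_DEFAULT, False)


def effective_data_algorithms(config_text):
    """Effective data-encryption algorithm of every <Encrypt>, in order."""
    root = ET.fromstring(config_text)
    return [data_algorithm(enc) for enc in root.iter(tag("Encrypt"))]


def findings(config_text):
    """(encrypt index, message) pairs for each issue found."""
    root = ET.fromstring(config_text)
    out = []
    for i, enc in enumerate(root.iter(tag("Encrypt"))):
        alg, explicit = data_algorithm(enc)
        if not explicit:
            out.append((i, f"no DataEncryptionMethod: implementation default {alg} "
                           f"applies, not the schema default {SCHEMA_DEFAULT}"))
        elif alg == IMPLEMENTATION_DEFAULT:
            out.append((i, f"explicit {alg}"))
        present = [name for name in KEY_SOURCES if enc.find(tag(name)) is not None]
        if len(present) > 1:
            out.append((i, "conflicting key sources: " + ", ".join(present)))
    return out


if __name__ == "__main__":
    for index, message in findings(SAMPLE_CONFIG):
        print(f"Encrypt #{index}: {message}")
```

Run against a real configuration file, replace SAMPLE_CONFIG with the file's contents; the check reads only element and attribute names that appear in this reference, so it needs no XWS-Security runtime.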
KeyEncryptionMethod

The <KeyEncryptionMethod> element specifies the public key encryption algorithm to be used for encrypting and decrypting keys. Its attributes are discussed in Table 4–40.

SecurityEnvironmentHandler

The <SecurityEnvironmentHandler> element specifies the implementation class name of the security environment handler. Read Writing SecurityEnvironmentHandlers for more information on SecurityEnvironmentHandlers.