332

Message Level Web Service Security

signing, and so forth as they apply at the message level. For those who want to

explore these emerging standards on their own, here is a partial list of the more

significant JSRs and specifications:

  JSR 105 XML Digital Signatures for signing an XML document. It also in 

cludes procedures for computing and verifying signatures.

  JSR 106 XML Digital Encryption for encrypting parts of an XML document.

  JSR 155 Web Services Security Assertions, which is based on Security and 

Assertions Markup Language (SAML), is used for exchanging authentication 

and authorization information for XML documents.

  JSR 183 Web Services Message Security Java APIs, which enable applica 

tions to construct secure SOAP message exchanges.

Let's look at how to apply message level security mechanisms to build and

send a SOAP message with some message level security. For example, let's

examine how message level security APIs might put an XML digital signature on

a purchase order document. A client first embeds the digital signature into the

XML message, signing the message before sending it. The signature, which is an

X.509 certificate, is embedded into the purchase order XML document along with

other information. Code Example 7.14 shows the message header for this pur 

chase order XML document with the embedded digital signature, per the XML

Digital Signature specification. This code example is derived from the OASIS

Web Service Security: SOAP Message Security, Working Draft 17

 document. See

http:www.oasis open.org/committees/documents.php

.