blob: fd5d4a0fd35f08f9da3aa8717e68e4ee54310e74 [file] [log] [blame]
<?xml version="1.0" encoding="ISO-8859-1"?>
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.
<section name="Securing message attachments">
WSS4J 2.0.0 introduces support for signing and encrypting SOAP message
attachments, via the the SOAP with Attachments (SWA) Profile 1.1 specification.
There is no support in WSS4J 1.6.x for signing or encrypting message
attachments. Attachments can be signed and encrypted in WSS4J via either the
"action"-based approach or via WS-SecurityPolicy, as covered in the sections
The message attachment streams must be supplied to WSS4J for
signature/encryption via a CallbackHandler approach. An
AttachmentRequestCallback Object is used to retrieve either a particular
Attachment (on the receiving side), or all attachments (on the sending side).
The user must implement a CallbackHandler that sets a list of Attachments
matching this request on the Callback. Correspondingly, there is also a
AttachmentResponseCallback, which represents the secured/processed Attachment.
The good news is that if you are using Apache CXF then all of this is taken
care of automatically by a CallbackHandler that retrieves and sets CXF message
attachments. Therefore if you are using CXF then you can sign/encrypt message
attachments just by setting the configuration detailed in the next couple of
<subsection name="Securing message attachments via the action approach">
With the "action" approach to using WSS4J, the user specifies the parts to
sign or encrypt via the following configuration tags:
<li>ConfigurationConstants.SIGNATURE_PARTS ("signatureParts")</li>
<li>ConfigurationConstants.ENCRYPTION_PARTS ("encryptionParts")</li>
The value of these tags is a String in a special format that looks something
like "{Content}{}CreditCard"
({modifier}{namespace}localname). In WSS4J 2.0.0, it is possible to
sign/encrypt all of the attachments by specifying the following as part of
signatureParts/encryptionParts: "{}cid:Attachments;". Note that this signs or
encrypts all of the attachments, it is not possible to only sign/encrypt
individual attachments.
<subsection name="Securing message attachments via WS-SecurityPolicy">
An easier way to use WSS4J is in conjunction with a web services stack such as
Apache CXF and a WS-SecurityPolicy-based policy. It is possible to sign/encrypt
all attachments by adding a "sp:Attachments" policy as a child of either a
"sp:SignedParts" or "sp:EncryptedParts" policy. In addition, the
"sp:Attachments" policy for SignedParts only has two optional child policies
called "sp13:ContentSignatureTransform" and
"sp13:AttachmentCompleteSignatureTransform", which dictate whether the
attachment headers are included or not in the Signature.