Home | SOAP Tools | UDDI Browser | ResourcesSource Code | RFCs | News Reader  | SOAP Interop | Bookmarks 


SOAP Security
This page demonstrates some of the technologies for secure SOAP transactions. It shows that how SOAP transactions/messages can be strongly protected through digital signature and encryption.

Authentication: Users of SOAP services can be authenticated in many different ways including token-based authentication and digest authentication. Token based authentication requires users to supply credentials through a secure channel. SOAP servers respond with an auth token which can be used for all subsequent requests.

Digital Signature: Signature is a way of ensuring integrity of a document. SOAP messages, wholly or in part,  are first digested. The digest is a hash value equivalent to a human fingerprint. The digest, along with other sensitive data,  is then digitally signed using the senders certificate and then encrypted using the receiver's public key. Because the signature is encrypted using the receiver's public key, only the receiver can decrypt it and verify the signature and message digest. Any tampering during the transmission will lead to a signature/hash verification failure. XML Signiture (XML-DSIG) is a W3C recommendation that defines the rules for digital signature processing and the structure of the XML document. 

Data Encryption: Sensitive data can also be encrypted using either session keys or public/private key. Even the message is sent in the clear,  the part that is encrypted will be opaque and difficult to crack. The W3C draft, XML Encryption, defines the process and format of the encrypted XML data.

The form below demonstrates how SQLData SOAP server and client support XML Signature (XML-DSIG), SOAP Security Extensions (SOAP-DSIG) and XML Encryption. Both request and response of the following method are signed and verified by the SOAP client and server. In addition,  the first  parameter (bstrParam1) value is encrypted before sending to server; and the returned value from the server is also encrypted. 

SOAP Method : Method1
Server Address:http://www.soapclient.com/xml/signature.wsdl
bstrParam1:(to be encrypted)

 *Choose either Request or Response to see the corresponding message.

Encryption/Decryption Procedure

  1. The sender generates a session key (either random or derived from a secret).
  2. Data objects are encrypted using the session key.
  3. The key is then encrypted using the receiver's public key and inserted into the message as the key value.
  4. The receiver recovers the encrypted session key using its private key.
  5. Data is then decrypted using the decrypted session key.

Note that the whole process is transparent to both the SOAP client and the server component. The client continues to add data into the call as usual; and the server component, the actual service provider, receives decrypted parameters as inputs. The SOAP security features are added automatically by a security component inside the message serializer/deserializer.

Related Tools:


Copyright 1997-2011 SQLData System, Inc  All rights reserved.

Comments, or suggestions? Send to info2 at sqldata.com

This site is powered by SQLData SOAP Server