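An example of WSE 3.0 UsernameToken in use: a sample that calls the HelloWorld() Web Service with WSE 3.0 UsernameToken authentication. The SOAP messages produced under different configurations are compared below.
1. The SOAP message when WSE is not used.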
<soap:Envelope ... >
<soap:Body>
<HelloWorld xmlns="http://tempuri.org/" />
</soap:Body>
</soap:Envelope>
2. WSE enabled with UsernameToken, but without the WS-Security 1.1 Extensions (UsernameOverTransportAssertion).
The SOAP message is as follows:
<soap:Envelope ... >
<soap:Header>
<wsa:Action>http://tempuri.org/HelloWorld</wsa:Action>
<wsa:MessageID>urn:uuid:b637fb86-8712-4845-a71c-8f91320168ac</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://.../WSEServer/MyService.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-72b13f43-5c2e-46ea-81cb-dbc0f99b3605">
<wsu:Created>2007-03-15T04:47:47Z</wsu:Created>
<wsu:Expires>2007-03-15T04:52:47Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="......" wsu:Id="SecurityToken-a2526d47-d01b-476c-a15b-b7f84e55181d">
<wsse:Username>Administrator</wsse:Username>
<wsse:Password Type="......">5W0xOMVVDnlCRwclYMszo9ZEwOs=</wsse:Password>
<wsse:Nonce>ttsA3uaB4KqBa2Vrcd7X8A==</wsse:Nonce>
<wsu:Created>2007-03-15T04:47:47Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<HelloWorld xmlns="http://tempuri.org/" />
</soap:Body>
</soap:Envelope>
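The wsa: nodes are WS-Addressing content. The wsse:Security node holds the WSE security extension content, including the UsernameToken authentication information, in which the password has been encrypted. For WS-Addressing, see: "WS-Addressing: From Theory to Practice".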
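How a receiver can check a token like the one above, as an added example that is not code from the original post or from WSE. It assumes the elided Password Type is the WS-Security UsernameToken Profile's PasswordDigest, i.e. Base64(SHA-1(nonce + created + password)); `lookup_password`, the in-memory nonce store and the sample password are hypothetical.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumption: same 5-minute window as the Timestamp above
_seen_nonces = {}               # nonce -> expiry; in-memory store, example only

def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def verify_token(username, digest_b64, nonce_b64, created, lookup_password, now=None):
    """Return (ok, reason). lookup_password is a hypothetical username -> password callback."""
    now = now or datetime.now(timezone.utc)
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # also covers binascii.Error from a bad nonce
        return False, "malformed"
    if abs(now - created_at) > MAX_AGE:
        return False, "stale"
    for old in [n for n, expiry in _seen_nonces.items() if expiry < now]:
        del _seen_nonces[old]  # forget nonces whose tokens are stale anyway
    if nonce_b64 in _seen_nonces:
        return False, "replayed"
    password = lookup_password(username)
    expected = password_digest(nonce_b64, created, password or "")
    # Constant-time comparison; unknown users fail the same way as wrong passwords.
    if password is None or not hmac.compare_digest(expected.encode(), digest_b64.encode()):
        return False, "bad-credentials"
    _seen_nonces[nonce_b64] = created_at + MAX_AGE
    return True, "ok"

def demo():
    """Constructed run: Nonce and Created come from the message above, the password is made up."""
    _seen_nonces.clear()
    users = {"Administrator": "constructed-password"}
    nonce, created = "ttsA3uaB4KqBa2Vrcd7X8A==", "2007-03-15T04:47:47Z"
    digest = password_digest(nonce, created, users["Administrator"])
    t0 = datetime(2007, 3, 15, 4, 48, 0, tzinfo=timezone.utc)
    args = ("Administrator", digest, nonce, created, users.get)
    return [verify_token(*args, now=t0),                       # first use
            verify_token(*args, now=t0),                       # same token presented again
            verify_token(*args, now=t0 + timedelta(hours=1))]  # captured token sent later

if __name__ == "__main__":
    print(demo())
```

The digest only proves knowledge of the password for one nonce and Created pair, so the freshness and replay checks are what stop a captured header from being reused.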
3. Select the Sign-Only option in the WS-Security 1.1 extensions (UsernameForCertificateAssertion).
Complete SOAP message content
The main element structure is as follows:
<soap:Envelope ... >
<soap:Header>
<wsa:Action wsu:Id="Id-7b15dc35-0eb2-4df7-890c-79b3e3b70917">http://tempuri.org/HelloWorld</wsa:Action>
<wsa:MessageID wsu:Id="Id-3867fb2e-3f70-4ab8-9c71-1051104fc7e5">urn:uuid:...</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-b7e40812-850d-4de6-b2a1-511a8661c526">...</wsa:ReplyTo>
<wsa:To wsu:Id="Id-6528e50b-b801-487d-bce8-8d016064490e">http://.../WSEServer/MyService.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-a74f13f4-f22a-4891-9f6c-305453df2170">...</wsu:Timestamp>
<xenc:EncryptedKey Id="SecurityToken-6154d45b-e47f-4ee2-bc30-c70c655ecca0" xmlns:xenc="...">