SOAP Security
This page demonstrates some of the technologies for secure SOAP transactions. It shows how SOAP transactions/messages can be strongly protected through digital signature and encryption.
Authentication: Users of SOAP services can be authenticated in many different ways, including token-based authentication and digest authentication. Token-based authentication requires users to supply credentials through a secure channel. SOAP servers respond with an auth token which can be used for all subsequent requests.
Digital Signature: Signature is a way of ensuring the integrity of a document. SOAP messages, wholly or in part, are first digested. The digest is a hash value equivalent to a human fingerprint. The digest, along with other sensitive data, is then digitally signed using the sender's certificate and then encrypted using the receiver's public key. Because the signature is encrypted using the receiver's public key, only the receiver can decrypt it and verify the signature and message digest. Any tampering during the transmission will lead to a signature/hash verification failure. XML Signature (XML-DSIG) is a W3C recommendation that defines the rules for digital signature processing and the structure of the XML document.
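The digest-then-sign flow above, as an added, stand-alone Python example (not the SQLData server or client code). The envelope, key and namespaces are constructed for the example; the Body is canonicalised and digested, the digest is recorded in a SignedInfo element, and SignedInfo is signed. Because the standard library has no RSA, an HMAC-SHA256 over SignedInfo stands in for signing with the sender's certificate, and the encrypt-to-receiver step is left out. The verifier runs both XML-DSIG core validation steps (signature over SignedInfo, then the Body digest) so that editing the Body, or signing with a different key, is reported as a failure.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ds", DSIG_NS)

# Constructed sample key. It stands in for the sender's certificate/private
# key; real XML-DSIG would use RSA or ECDSA here (HMAC keeps this stdlib-only).
SIGNING_KEY = b"example-shared-signing-key"

# Constructed sample SOAP request (not taken from the page).
REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Header/>"
    "<soap:Body>"
    "<GetBalance><account>ACC-0001</account><amount>250</amount></GetBalance>"
    "</soap:Body>"
    "</soap:Envelope>"
)


def c14n(element):
    """Canonical (C14N) bytes of one element, so whitespace or attribute-order
    differences between sender and receiver do not change the digest."""
    raw = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")


def digest(element):
    """Base64 SHA-256 digest of the canonical form (the 'fingerprint')."""
    return base64.b64encode(hashlib.sha256(c14n(element)).digest()).decode()


def sign_envelope(xml_text, key):
    """Digest the Body, record the digest in SignedInfo, sign SignedInfo and
    put the ds:Signature element into the SOAP Header."""
    env = ET.fromstring(xml_text)
    header = env.find(f"{{{SOAP_NS}}}Header")
    body = env.find(f"{{{SOAP_NS}}}Body")
    body.set("Id", "body")  # referenced by the Signature as URI="#body"
    sig = ET.SubElement(header, f"{{{DSIG_NS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DSIG_NS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DSIG_NS}}}Reference", URI="#body")
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestMethod",
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DSIG_NS}}}DigestValue").text = digest(body)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DSIG_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, key):
    """Return (ok, reason). Signature validation first (covers SignedInfo,
    hence the recorded digest), then reference validation of the Body."""
    env = ET.fromstring(xml_text)
    body = env.find(f"{{{SOAP_NS}}}Body")
    sig = env.find(f"{{{SOAP_NS}}}Header/{{{DSIG_NS}}}Signature")
    if sig is None or body is None:
        return False, "no signature"
    signed_info = sig.find(f"{{{DSIG_NS}}}SignedInfo")
    sig_value = sig.findtext(f"{{{DSIG_NS}}}SignatureValue")
    if signed_info is None or sig_value is None:
        return False, "no signature"
    expected_mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, base64.b64decode(sig_value)):
        return False, "signature mismatch"
    recorded = signed_info.findtext(f"{{{DSIG_NS}}}Reference/{{{DSIG_NS}}}DigestValue")
    if recorded is None or not hmac.compare_digest(recorded, digest(body)):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Sign the constructed request, then verify it intact, with the Body
    edited in transit, with the wrong key, and with no signature at all."""
    signed = sign_envelope(REQUEST, SIGNING_KEY)
    edited = signed.replace("<amount>250</amount>", "<amount>999</amount>")
    return {
        "intact": verify_envelope(signed, SIGNING_KEY),
        "body_tampered": verify_envelope(edited, SIGNING_KEY),
        "wrong_key": verify_envelope(signed, b"some-other-key"),
        "unsigned": verify_envelope(REQUEST, SIGNING_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

Canonicalisation is what makes the digest reproducible on the receiver's side: the same Body serialised with different whitespace or attribute order must still hash to the recorded value, while any change to the content must not.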
Data Encryption: Sensitive data can also be encrypted using either session keys or public/private keys. Even if the message is sent in the clear, the part that is encrypted will be opaque and difficult to crack. The W3C draft, XML Encryption, defines the process and format of the encrypted XML data.
The form below demonstrates how the SQLData SOAP server and client support XML Signature (XML-DSIG), SOAP Security Extensions (SOAP-DSIG) and XML Encryption. Both the request and the response of the following method are signed and verified by the SOAP client and server. In addition, the first parameter (bstrParam1) value is encrypted before it is sent to the server, and the value returned from the server is also encrypted.