WS - Security
Prabath Siriwardena, Director, Security Architecture
WS-Security
• WS-Security
  – Authentication
  – Integrity and non-repudiation
  – Confidentiality
• Initial effort of MSFT, IBM, Verisign, etc.
• Standardized at: Organization for the Advancement of Structured Information Standards (OASIS)
WS-Security
• Based on XML Encryption and XML Signature
• Basic framework for message level security
  – Building blocks: Encryption, Signature, Security Tokens
Security Tokens
• Security Tokens are pieces of information used for authentication and authorization.
  – UsernameToken [user name/password]
  – BinaryToken [X.509 tokens / Kerberos tokens]
  – XML Token [SAML tokens]
WS-Security
• Provisions for "profiles" to support different crypto technologies
  – SAML Tokens, X.509 Tokens, UsernameToken
Message Level Security
• Authentication
  – UsernameToken
  – Use a plain text password only with a secure transport
• Integrity and Non-repudiation
  – A detached XML Signature is used and one or more parts of the message are signed
• Confidentiality
  – Encrypt the SOAP Body or any other part of the message
WS-Security
• For XML Encryption, the security header may hold an <EncryptedKey> element with a <ReferenceList> element pointing to the specific parts of the message that have been encrypted.
• For XML Signature, the <Signature> element inside the security header points, through its <Reference> elements, to the parts of the message that are digitally signed.
WS-Security
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..." xmlns:xenc="...">
  <S11:Header>
    <wsse:Security xmlns:wsse="...">
      <wsse:BinarySecurityToken ValueType="..." EncodingType="...#Base64Binary" wsu:Id="MyID">
        ...
      </wsse:BinarySecurityToken>
      <ds:Signature>
        ...
      </ds:Signature>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      ...
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>
```
<BinarySecurityToken />
• Can hold binary tokens, e.g. X.509 tokens, Kerberos tokens.
• Because these are binary tokens, the EncodingType must be specified so they can be represented in XML.
• ValueType indicates what kind of security token it is.
```xml
<wsse:BinarySecurityToken ValueType="..." EncodingType="...#Base64Binary" wsu:Id="MyID">
  ...
</wsse:BinarySecurityToken>
```
WS-Security – Encryption Example - 1
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">
      1548 QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>
```
WS-Security – Encryption Example - 1
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..." xmlns:xenc="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>
```
WS-Security – Encryption Example - 1
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..." xmlns:xenc="...">
  <S11:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#bodyID"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <ds:KeyInfo>
        <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>
```
QUESTION 1
Discuss the applicability of the following child elements of <KeyInfo> with respect to Example 1:
<KeyName />, <KeyValue />, <RetrievalMethod />, <X509Data />
WS-Security – Encryption Example - 2
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">
      1548 QQQ
    </tru:StockSymbol>
  </S11:Body>
</S11:Envelope>
```
WS-Security – Encryption Example - 2
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..." xmlns:xenc="...">
  <S11:Header>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>
```
WS-Security – Encryption Example - 2
```xml
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:ds="..." xmlns:xenc="...">
  <S11:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>...</ds:X509IssuerName>
              <ds:X509SerialNumber>...</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#bodyID"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="MsgBody">
    <xenc:EncryptedData Id="bodyID">
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </S11:Body>
</S11:Envelope>
```
Token References
• Defines mechanisms for referencing security tokens.
• Introduces <SecurityTokenReference> as a standard way to refer to a security token regardless of its format.
• Reference types: Direct References, Key Identifiers, Key Names, Embedded References
Direct References
• Allows tokens carried in the message to be referenced with URI fragments (#id) and external tokens with full URIs.
Direct Reference Example
```xml
<S11:Envelope>
  <S11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="...#X509v3" EncodingType="...#Base64Binary" wsu:Id="X509Token">
        MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
      </wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#myBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>EULddytSo1...</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>BL8jdfToEb1l/vXcMZNNjPOV...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509Token"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </S11:Header>
  <S11:Body wsu:Id="myBody">
    <tru:StockSymbol xmlns:tru="http://www.fabrikam123.com/payloads">QQQ</tru:StockSymbol>
  </S11:Body>
</S11:Envelope>
```
Key Identifiers
• This allows tokens to be referenced using an opaque value that represents the token.
• A KeyIdentifier is a value that can be used to uniquely identify a security token (e.g. a hash of the important elements of the security token).
Key Identifiers
```xml
<wsse:SecurityTokenReference>
  <wsse:KeyIdentifier
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
    MIGfMa0GCSq
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
```
Key Identifiers
• Having an explicit ValueType removes ambiguity about the format of the KeyIdentifier. The Basic Security Profile restricts the value to the one specified in the security token profile associated with the security token. The ValueType attribute of a KeyIdentifier is optional, which causes ambiguity when it is not stated explicitly. Furthermore, interoperability suffers if a ValueType is specified but does not correspond to the value given for that token in its security token profile.
Key Names
• This allows tokens to be referenced using a string that matches an identity assertion within the security token.
• In any case where a security token would be referred to by Key Name, it would also be possible to refer to it by a more efficient and/or less ambiguous mechanism (e.g. Direct, Key Identifier and/or Issuer and Serial Number).
Key Names Example
```xml
<!-- This example is incorrect because it uses a ds:KeyName element to refer to an X.509 certificate -->
<wsse:SecurityTokenReference>
  <ds:KeyName>CN=Security WG, OU=BSP, O=WS-I, C=US</ds:KeyName>
</wsse:SecurityTokenReference>
```
KeyName references are prohibited by the Basic Security Profile.
Embedded
• This allows tokens to be embedded (as opposed to a pointer to a token that resides elsewhere).
• Basic Security Profile 1.0 restricts embedded security tokens to contain exactly one security token element.
Embedded Token Example
```xml
<wsse:SecurityTokenReference>
  <wsse:Embedded wsu:Id="...">
    <wsse:BinarySecurityToken wsu:Id='SomeCert'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
      lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
    </wsse:BinarySecurityToken>
  </wsse:Embedded>
</wsse:SecurityTokenReference>
```
Reading SOAP is fun - 1
```xml
<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
      MIGfMa0GCSq
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>
<!-- This example is incorrect because it refers to a wsse:BinarySecurityToken element which specifies a wsu:Id
     attribute using a wsse:KeyIdentifier element rather than a wsse:Reference or wsse:Embedded element -->
```
![Page 29: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/29.jpg)
Reading SOAP is fun - 2
```xml
<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</wsse:Security>
```
![Page 30: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/30.jpg)
Reading SOAP is fun - 3
```xml
<wsse:Security>
  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="TheEmbeddedElementAroundSomeCert">
      <wsse:BinarySecurityToken wsu:Id='SomeCert'
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
        lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
      </wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</wsse:Security>
```
![Page 31: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/31.jpg)
Reading SOAP is fun - 4
```xml
<wsse:Security>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert'
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>XZEEVABD3L9G+VNTCDiDTE7WB1a4kILtz5f9FT747eE=</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
  <wsse:BinarySecurityToken wsu:Id='SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
    lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
  </wsse:BinarySecurityToken>
</wsse:Security>
<!-- This example is incorrect because the wsse:BinarySecurityToken with the wsu:Id of SomeCert appears after it is
     referenced from within the xenc:EncryptedKey element -->
```
Reading SOAP is fun - 5
```xml
<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='http://www.ws-i.org/CertStore/Examples/BSP.PEM'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</wsse:Security>
```
Reading SOAP is fun - 6
```xml
<wsse:BinarySecurityToken wsu:Id='SomeCert'
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
  lui+Jy4WYKGJW5xM3aHnLxOpGVIpzSg4V486hHFe7sHET/uxxVBovT7JV1A2RnWSWkXm9jAEdsm/...
</wsse:BinarySecurityToken>
<wsse:SecurityTokenReference wsu:Id="TheFirstSTR">
  <wsse:Reference URI='#SomeCert'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
<wsse:SecurityTokenReference>
  <wsse:Reference URI='#TheFirstSTR'
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
<!-- This example is incorrect because the second wsse:SecurityTokenReference element refers to the
     wsse:SecurityTokenReference with a wsu:Id of TheFirstSTR -->
```
Reading SOAP is fun - 7
```xml
<wsse:Security>
  <wsu:Timestamp wsu:Id="timestamp1">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsu:Timestamp wsu:Id="timestamp2">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>
<!-- This example is incorrect because the Security header MUST NOT contain more than one Timestamp -->
```
Reading SOAP is fun - 8
```xml
<soap:Header>
  <wsse:Security></wsse:Security>
  <wsse:Security></wsse:Security>
</soap:Header>
<!-- This is incorrect. A SOAP Header MUST NOT contain more than one Security header where the actor/role attribute is omitted -->
```
Reading SOAP is fun - 9
```xml
<soap:Header>
  <wsse:Security actor="foo"></wsse:Security>
  <wsse:Security actor="foo"></wsse:Security>
</soap:Header>
<!-- This is incorrect. A SOAP Header MUST NOT contain more than one Security header with the same actor/role attribute value -->
```
Reading SOAP is fun - 10
```xml
<ds:Signature Id='TheSig' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
    <ds:Reference URI='#SigPropBody'>
      <ds:Transforms>
        <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <ds:DigestValue>i3qi5GjhHnfoBn/jOjQp2mq0Na4=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>oxNwoqGbzqg1YBliz+PProgcjw8=</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI='#SomeCert'
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <ds:Object>
    <ds:SignatureProperties>
      <ds:SignatureProperty Id='SigPropBody' Target='#TheSig'>
        <SomeSecurityToken/>
      </ds:SignatureProperty>
    </ds:SignatureProperties>
  </ds:Object>
</ds:Signature>
<!-- This is incorrect. A detached Signature must be used; enveloping or enveloped Signatures are not allowed. -->
```
Reading SOAP is fun - 11
```xml
<wsse:Security>
  <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType="..."></wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <ds:Reference URI=''>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'>
            <ds:XPath>/soap:Envelope/soap:Body/*</ds:XPath>
          </ds:Transform>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert'
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
```
A signature reference to an element that does not have an ID attribute MUST contain a Transform with an Algorithm attribute value of "http://www.w3.org/2002/06/xmldsig-filter2".
Reading SOAP is fun - 12
```xml
<wsse:Security>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <ds:Reference URI=''>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2'
              xmlns:dsxp='http://www.w3.org/2002/06/xmldsig-filter2'>
            <dsxp:XPath Filter='intersect'>/soap:Envelope/soap:Body/*</dsxp:XPath>
          </ds:Transform>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
            <xc14n:InclusiveNamespaces xmlns:xc14n='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>VEPKwzfPGOxh2OUpoK0bcl58jtU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>+diIuEyDpV7qxVoUOkb5rj61+Zs=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI='#SomeCert' ValueType="..."/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
```
Reading SOAP is fun - 13
```xml
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <wsse:SecurityTokenReference>
    <wsse:Reference URI='#SomeCert'
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
```
Any Signature/Encryption KeyInfo MUST contain a SecurityTokenReference child element, and that is its only child element.
Reading SOAP is fun - 14
```xml
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
    <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
    <ds:Reference URI='#TheManifest'></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue>
  <ds:KeyInfo>
    <wsse:SecurityTokenReference></wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <ds:Object>
    <ds:Manifest Id='TheManifest'>
      <ds:Reference URI='#TheBody'>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>+VTJraRYFT3pl7Z4uAWhmr5+bf4=</ds:DigestValue>
      </ds:Reference>
    </ds:Manifest>
  </ds:Object>
</ds:Signature>
```
A Signature MUST NOT contain a ds:Manifest descendant element.
![Page 50: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/50.jpg)
Reading SOAP is fun
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType=""></wsse:BinarySecurityToken>
      <xenc:EncryptedData Id='Enc1'>
        <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' />
        <xenc:CipherData>
          <xenc:CipherValue></xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
        <ds:KeyInfo>
          <wsse:SecurityTokenReference></wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue></xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI='#Enc1' />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
15
![Page 51: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/51.jpg)
This is incorrect. Any EncryptedKey MUST precede, in the same Security header, any EncryptedData that its ReferenceList references, so that a receiver processing the header in document order already holds the decryption key when it reaches the encrypted data.
![Page 52: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/52.jpg)
Reading SOAP is fun
    <wsse:Security>
      <wsse:BinarySecurityToken wsu:Id='SomeCert' ValueType=""></wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' />
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI='#SomeCert' ValueType="" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue></xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
      <xenc:ReferenceList>
        <xenc:DataReference URI='#Enc1' />
      </xenc:ReferenceList>
      <xenc:EncryptedData Id='Enc1'>
        <xenc:EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' />
        <xenc:CipherData>
          <xenc:CipherValue></xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
16
![Page 53: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/53.jpg)
This is incorrect. The xenc:EncryptedKey element is missing an xenc:ReferenceList child element; here the ReferenceList is a sibling of the EncryptedKey in the Security header instead of being carried inside it.
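The three "Reading SOAP is fun" mistakes above (a Manifest inside the Signature, EncryptedData placed before its EncryptedKey, and a ReferenceList outside the EncryptedKey) are all layout rules a receiver can check before doing any cryptography. The lint below is an added example, not code from the slides or from WSO2; the namespace URIs are the standard WS-Security, XML Signature and XML Encryption ones, and the four sample headers are constructed for this example.

```python
# Added example (not from the slides): lint a wsse:Security header for the three
# layout mistakes of examples 14-16. Sample headers below are constructed.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def lint_security_header(xml_text: str) -> list:
    """Return a list of findings (strings); an empty list means all three checks passed."""
    sec = ET.fromstring(xml_text)
    findings = []

    # Check 1 (example 14): a ds:Signature must not contain a ds:Manifest descendant.
    for sig in sec.iter(f"{{{DS}}}Signature"):
        if sig.find(f".//{{{DS}}}Manifest") is not None:
            findings.append("ds:Signature contains a ds:Manifest descendant")

    # Document order of every element, so "precedes" can be decided by index.
    order = {id(el): i for i, el in enumerate(sec.iter())}
    data_by_id = {ed.get("Id"): ed for ed in sec.iter(f"{{{XENC}}}EncryptedData")}

    for ek in sec.iter(f"{{{XENC}}}EncryptedKey"):
        # Check 3 (example 16): the ReferenceList must be a child of the EncryptedKey.
        reflist = ek.find(f"{{{XENC}}}ReferenceList")
        if reflist is None:
            findings.append("xenc:EncryptedKey has no xenc:ReferenceList child")
            continue
        # Check 2 (example 15): each referenced EncryptedData must follow the EncryptedKey.
        for dref in reflist.iter(f"{{{XENC}}}DataReference"):
            uri = dref.get("URI", "")
            ed = data_by_id.get(uri.lstrip("#"))
            if ed is None:
                findings.append(f"xenc:DataReference {uri} matches no EncryptedData in this header")
            elif order[id(ed)] < order[id(ek)]:
                findings.append(f"EncryptedData {uri} appears before the EncryptedKey that references it")
    return findings


NS = f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:xenc="{XENC}"'

# Constructed sample: the Manifest mistake of example 14.
MANIFEST_SIGNATURE = f"""<wsse:Security {NS}>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#TheManifest"/></ds:SignedInfo>
    <ds:SignatureValue>L7X0Zw23/zYQnX4+Z+p0gCygKQ0=</ds:SignatureValue>
    <ds:Object><ds:Manifest Id="TheManifest"><ds:Reference URI="#TheBody"/></ds:Manifest></ds:Object>
  </ds:Signature>
</wsse:Security>"""

# Constructed sample: EncryptedData placed before its EncryptedKey, as in example 15.
DATA_BEFORE_KEY = f"""<wsse:Security {NS}>
  <wsse:BinarySecurityToken wsu:Id="SomeCert"/>
  <xenc:EncryptedData Id="Enc1"><xenc:CipherData><xenc:CipherValue/></xenc:CipherData></xenc:EncryptedData>
  <xenc:EncryptedKey>
    <xenc:CipherData><xenc:CipherValue/></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#Enc1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
</wsse:Security>"""

# Constructed sample: ReferenceList as a sibling of the EncryptedKey, as in example 16.
REFLIST_OUTSIDE_KEY = f"""<wsse:Security {NS}>
  <wsse:BinarySecurityToken wsu:Id="SomeCert"/>
  <xenc:EncryptedKey>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue/></xenc:CipherData>
  </xenc:EncryptedKey>
  <xenc:ReferenceList><xenc:DataReference URI="#Enc1"/></xenc:ReferenceList>
  <xenc:EncryptedData Id="Enc1"><xenc:CipherData><xenc:CipherValue/></xenc:CipherData></xenc:EncryptedData>
</wsse:Security>"""

# Constructed sample: key first, ReferenceList inside it, data after it.
CORRECT_LAYOUT = f"""<wsse:Security {NS}>
  <wsse:BinarySecurityToken wsu:Id="SomeCert"/>
  <xenc:EncryptedKey>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue/></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#Enc1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <xenc:EncryptedData Id="Enc1"><xenc:CipherData><xenc:CipherValue/></xenc:CipherData></xenc:EncryptedData>
</wsse:Security>"""

if __name__ == "__main__":
    for name in ("MANIFEST_SIGNATURE", "DATA_BEFORE_KEY", "REFLIST_OUTSIDE_KEY", "CORRECT_LAYOUT"):
        print(name, lint_security_header(globals()[name]) or "OK")
```

The checks run on the parsed header only, before any key is unwrapped or any digest is verified; a real receiver should reject the message on the first finding rather than attempt a best-effort decrypt.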
![Page 54: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/54.jpg)
<wsse11:SignatureConfirmation />
Ensures that a received SOAP message was generated in response to the original request sent by the web client. The client request is typically signed, but does not have to be. In this mechanism the web service adds a <SignatureConfirmation> element to the security header, and the web client checks that element against the signature value it sent in the request.
<wsse11:SignatureConfirmation wsu:Id="..." Value="..." />
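Both halves of that exchange, as an added example rather than code from the slides: the responder echoes each ds:SignatureValue of the request in a wsse11:SignatureConfirmation (or a single Value-less one when the request was unsigned), and the initiator checks that exactly the values it sent came back. The namespace URIs are the WSS 1.0/1.1 ones; the sample request header and its signature value are constructed placeholders, and the responder's own signature over the confirmations, which a deployment must have, is not modelled.

```python
# Added example (not from the slides): the SignatureConfirmation round trip.
# The sample request header and its signature value are constructed placeholders.
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SC_TAG = f"{{{WSSE11}}}SignatureConfirmation"


def signature_values(security: ET.Element) -> list:
    """ds:SignatureValue text of every signature in a Security header (empty if unsigned)."""
    return [(sv.text or "").strip() for sv in security.iter(f"{{{DS}}}SignatureValue")]


def add_signature_confirmations(request_security: ET.Element, response_security: ET.Element) -> None:
    """Responder: one SignatureConfirmation per request signature. An unsigned request still
    gets one SignatureConfirmation with no Value attribute, so the initiator can tell
    'request was unsigned' from 'responder ignored the mechanism'."""
    values = signature_values(request_security)
    if not values:
        ET.SubElement(response_security, SC_TAG, {f"{{{WSU}}}Id": "SC-1"})
        return
    for i, value in enumerate(values, 1):
        ET.SubElement(response_security, SC_TAG, {f"{{{WSU}}}Id": f"SC-{i}", "Value": value})


def confirm_response(sent_values: list, response_security: ET.Element) -> bool:
    """Initiator: every signature value we sent must be echoed exactly once, and nothing else.
    In a deployment the SignatureConfirmation elements must be covered by the responder's own
    signature before this comparison means anything; that step is not modelled here."""
    confirmations = list(response_security.iter(SC_TAG))
    if not sent_values:
        return len(confirmations) == 1 and "Value" not in confirmations[0].attrib
    echoed = [c.get("Value") for c in confirmations]
    if len(echoed) != len(sent_values) or None in echoed:
        return False
    remaining = list(sent_values)
    for e in echoed:
        for idx, s in enumerate(remaining):
            if hmac.compare_digest(e.encode(), s.encode()):
                del remaining[idx]
                break
        else:
            return False  # an echo that matches nothing we sent
    return not remaining


# Constructed request header with one signature; the value is a placeholder, not a real RSA signature.
SAMPLE_REQUEST = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
  <ds:Signature><ds:SignedInfo/>
    <ds:SignatureValue>c2lnbmF0dXJlLW92ZXItcmVxdWVzdC0x</ds:SignatureValue>
  </ds:Signature>
</wsse:Security>"""


def demo() -> dict:
    """A genuine signed round trip, a response replayed from a different request, and an unsigned round trip."""
    req = ET.fromstring(SAMPLE_REQUEST)
    sent = signature_values(req)
    resp = ET.Element(f"{{{WSSE}}}Security")
    add_signature_confirmations(req, resp)
    genuine = confirm_response(sent, resp)

    # A response produced for some other request echoes that request's signature value.
    resp.find(SC_TAG).set("Value", "c2lnbmF0dXJlLW92ZXItcmVxdWVzdC0y")
    replayed = confirm_response(sent, resp)

    unsigned_req = ET.Element(f"{{{WSSE}}}Security")
    unsigned_resp = ET.Element(f"{{{WSSE}}}Security")
    add_signature_confirmations(unsigned_req, unsigned_resp)
    unsigned = confirm_response([], unsigned_resp)
    return {"genuine": genuine, "replayed": replayed, "unsigned": unsigned}


if __name__ == "__main__":
    print(demo())
```

The comparison insists on a one-to-one match: a missing confirmation, an extra one, or a Value-less confirmation on a signed request all fail, which is what defeats splicing a response from a different conversation onto this request.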
![Page 55: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/55.jpg)
<wsse11:EncryptedHeader />
WSS 1.1 introduced a new <EncryptedHeader /> mechanism to encrypt headers. When it is required that an entire SOAP header block, including the top-level element and its attributes, be encrypted, the original header block is replaced with an <EncryptedHeader />. Where an <EncryptedHeader /> element exists, it contains a child <EncryptedData /> element that is the result of encrypting the header block.
![Page 56: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/56.jpg)
STR-Transform
    <wsse:SecurityTokenReference wsu:Id="Str1"> </wsse:SecurityTokenReference>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#Str1">
          <ds:Transforms>
            <ds:Transform Algorithm="...#STR-Transform">
              <wsse:TransformationParameters>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
              </wsse:TransformationParameters>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue></ds:SignatureValue>
    </ds:Signature>
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
![Page 57: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/57.jpg)
STR-Transform
This transform is specified by the URI #STR-Transform. When it is applied to a <wsse:SecurityTokenReference> element, the output is the token referenced by the <wsse:SecurityTokenReference> element, not the element itself, so the signature covers the token's content rather than just the pointer to it.
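What the transform changes about the digest input, as an added example that is not code from the slides: with the STR-Transform listed on the ds:Reference to "#Str1", the digest is taken over the BinarySecurityToken the STR points at; without it, over the STR element itself. Only a direct wsse:Reference URI="#id" is dereferenced here (KeyIdentifier and external references have construction rules this example refuses rather than guesses at), the namespace URIs are the WSS 1.0 ones, the sample header is constructed, and the standard-library C14N 2.0 canonicalizer stands in for the inclusive C14N 1.0 the slide specifies.

```python
# Added example (not from the slides): resolve the STR-Transform and show that the
# digest input becomes the referenced token, not the SecurityTokenReference itself.
# The sample header is constructed; ET.canonicalize (C14N 2.0) stands in for inclusive C14N 1.0.
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"


def find_by_wsu_id(root: ET.Element, wsu_id: str) -> ET.Element:
    """Locate the element carrying wsu:Id="wsu_id" anywhere under root."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wsu_id:
            return el
    raise ValueError(f"no element with wsu:Id={wsu_id!r}")


def str_transform(security: ET.Element, str_elem: ET.Element) -> ET.Element:
    """STR-Transform output for a direct wsse:Reference URI="#id": the referenced token element.
    KeyIdentifier references, external URIs and tokens not carried in the message need
    construction rules this example does not implement, so they are refused."""
    ref = str_elem.find(f"{{{WSSE}}}Reference")
    if ref is None:
        raise ValueError("only wsse:Reference is handled here")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError(f"external reference not handled here: {uri}")
    return find_by_wsu_id(security, uri[1:])


def canonical_sha1(el: ET.Element) -> str:
    """SHA-1 (the slide's DigestMethod) over the canonicalized serialization of el."""
    canon = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()


def digest_input_for(security: ET.Element, reference: ET.Element) -> ET.Element:
    """Resolve a ds:Reference: apply the STR-Transform when listed, otherwise digest the target itself."""
    target = find_by_wsu_id(security, reference.get("URI")[1:])
    for t in reference.iter(f"{{{DS}}}Transform"):
        if t.get("Algorithm") == STR_TRANSFORM:
            return str_transform(security, target)
    return target


# Constructed header: a token, an STR pointing at it, and a signature reference to the STR.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="SomeCert">Y29uc3RydWN0ZWQtdG9rZW4=</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference wsu:Id="Str1"><wsse:Reference URI="#SomeCert"/></wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#Str1"><ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>"""


def demo() -> dict:
    """Which element is digested with and without the transform, and whether the digests differ."""
    sec = ET.fromstring(SAMPLE)
    ref = sec.find(f".//{{{DS}}}Reference")
    with_transform = digest_input_for(sec, ref)
    # Drop the Transforms to see what would be digested without the STR-Transform.
    ref.remove(ref.find(f"{{{DS}}}Transforms"))
    without_transform = digest_input_for(sec, ref)
    return {
        "with_transform": with_transform.tag.split("}")[1],
        "without_transform": without_transform.tag.split("}")[1],
        "digests_differ": canonical_sha1(with_transform) != canonical_sha1(without_transform),
    }


if __name__ == "__main__":
    print(demo())
```

Without the transform, an attacker who can substitute the token an STR points at leaves the signed STR bytes untouched; with it, any change to the token changes the digest and the signature fails.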
![Page 58: WS - Security](https://reader035.vdocuments.us/reader035/viewer/2022062319/55756f9ed8b42a2e248b502e/html5/thumbnails/58.jpg)
lean . enterprise . middleware