Signed SOAP Messages
This page gives a brief overview of digitally signing SOAP messages.
Digital signatures, based on public-private key pairs, provide means for:
- authentication of the message sender (proving that the sender is who it claims to be, since only the holder of the private key can produce a signature that the corresponding public key verifies);
- authorization, indirectly: once the sender has been authenticated, the service can decide whether that identity is allowed to invoke the requested method (the signature itself conveys no permissions);
- verifying the integrity of the signed data, by recomputing a hash of the content and comparing it with the signed digest;
- confidentiality, if needed, through a separate encryption step that the same key pair can support; signing by itself leaves the message readable.
SOAP Digital Signature Extension - SOAP-DSIG
The Digital Signature Extension (SOAP-DSIG) specifies an XML structure that identifies the signed message content and carries the digital signature data. This structure names the digest and signature algorithms used and holds the message digest, the signature value, and the key material (public key or digital certificate) needed to verify it.
Examples of Digitally Signed SOAP Messages
The header contains elements such as ds:DigestValue, holding the message digest computed with the algorithm named in ds:DigestMethod (in this case SHA-1; SHA-1 is no longer acceptable for new signatures, so current deployments use SHA-256 with the matching RSA-SHA256 signature method). The ds:Reference URI identifies the content being signed. The element ds:SignatureValue contains the digital signature, and wsse:BinarySecurityToken carries the X.509 certificate, including the public key, encoded as base64Binary.
Below is an example of an unsigned RPC-style SOAP message. The method testMethod is invoked; the SOAP service is located at
The same document is now signed with the sender's private key; the matching X.509 certificate, which contains the public key, travels with the message. Note the elements ds:DigestValue, holding the digest of the original message above; ds:SignatureValue, holding the signature (computed over ds:SignedInfo, the element that contains the digest); and ds:KeyInfo, presenting the X.509 certificate and public key. The server uses this data to verify the signature.
Verifying the signature value is only the first step. Because the certificate arrives inside the message, anyone can sign with a self-made certificate and embed it in ds:KeyInfo, so the server must also check that the certificate chains to an issuer it trusts, is within its validity period and has not been revoked, and then map the authenticated identity to the permissions it holds. The server must further confirm that the element named by the ds:Reference URI is the Body it is about to execute: an attacker who can move the signed element elsewhere in the envelope (XML signature wrapping) can otherwise substitute unsigned content while the signature still verifies.
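The following Go program is an added example, not code from this page or from any SOAP toolkit. It builds an envelope of the shape described above (an RPC-style Body carrying a wsu:Id, and a wsse:Security header holding a ds:Signature whose ds:Reference points at that Body and whose ds:KeyInfo carries the X.509 certificate), signs it with a throwaway self-signed certificate generated in the program, and then performs the receiver-side checks. The service namespace urn:example:service, the method and argument values, and the certificate are constructed test data. Two simplifications are deliberate: it uses SHA-256 and RSA-SHA256 instead of the SHA-1 of the page's example, and it stands in for Exclusive XML Canonicalization (ds:CanonicalizationMethod and ds:Transforms are omitted) by emitting the Body and ds:SignedInfo in one fixed serialization and hashing exactly those bytes. A production verifier must parse the XML, canonicalize the referenced elements, and resolve IDs with a real XML library rather than by string matching.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// XML-DSig algorithm URIs; SHA-256 replaces the SHA-1 shown in the page's example.
const digestAlg, sigAlg = "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }
func sha(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// newSigner creates a throwaway RSA key and self-signed certificate (constructed test data, not a real PKI).
func newSigner(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// bodyXML emits the RPC-style Body (wsu:Id="Body") in one fixed serialization that stands in for Exclusive C14N.
func bodyXML(method, arg string) string {
	return `<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">` +
		`<m:` + method + ` xmlns:m="urn:example:service"><arg>` + arg + `</arg></m:` + method + `></soap:Body>`
}

// sign digests the Body into ds:Reference, signs ds:SignedInfo, and emits the envelope with a wsse:Security header.
func sign(key *rsa.PrivateKey, cert *x509.Certificate, body string) string {
	signedInfo := `<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureMethod Algorithm="` + sigAlg +
		`"/><ds:Reference URI="#Body"><ds:DigestMethod Algorithm="` + digestAlg + `"/><ds:DigestValue>` + b64(sha(body)) +
		`</ds:DigestValue></ds:Reference></ds:SignedInfo>`
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sha(signedInfo))
	return `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security ` +
		`xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">` +
		`<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` + signedInfo + `<ds:SignatureValue>` + b64(sig) +
		`</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + b64(cert.Raw) + `</ds:X509Certificate>` +
		`</ds:X509Data></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header>` + body + `</soap:Envelope>`
}

// between returns the text between the first occurrence of start and the following end marker.
func between(s, start, end string) (string, bool) {
	_, rest, found := strings.Cut(s, start)
	inner, _, found2 := strings.Cut(rest, end)
	return inner, found && found2
}

// verify performs the checks a receiving service must make before it dispatches the Body.
func verify(envelope string, roots *x509.CertPool) error {
	certB64, ok1 := between(envelope, `<ds:X509Certificate>`, `</ds:X509Certificate>`)
	inner, ok2 := between(envelope, `<ds:SignedInfo`, `</ds:SignedInfo>`)
	sigB64, ok3 := between(envelope, `<ds:SignatureValue>`, `</ds:SignatureValue>`)
	der, _ := base64.StdEncoding.DecodeString(certB64)
	sig, _ := base64.StdEncoding.DecodeString(sigB64)
	cert, err := x509.ParseCertificate(der)
	// Pin the algorithms: accepting whatever SignedInfo declares invites a downgrade to SHA-1 or to HMAC.
	if !ok1 || !ok2 || !ok3 || err != nil || !strings.Contains(inner, sigAlg) || !strings.Contains(inner, digestAlg) {
		return errors.New("malformed ds:Signature or unexpected algorithm")
	}
	// 1. The certificate must chain to a trusted root: a valid signature from an unknown certificate proves nothing.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	// 2. SignatureValue must verify over SignedInfo with the public key taken from that certificate.
	signedInfo := `<ds:SignedInfo` + inner + `</ds:SignedInfo>`
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(signedInfo), sig) != nil {
		return errors.New("bad ds:SignatureValue")
	}
	// 3. The Reference URI must name the one Body that will be executed (signature wrapping relocates the signed element and inserts an unsigned Body), and that Body's recomputed digest must equal DigestValue.
	uri, _ := between(signedInfo, `<ds:Reference URI="#`, `"`)
	inner, ok := between(envelope, `<soap:Body`, `</soap:Body>`)
	body, idAttr := `<soap:Body`+inner+`</soap:Body>`, `wsu:Id="`+uri+`"`
	if !ok || strings.Count(envelope, `<soap:Body`) != 1 || strings.Count(envelope, idAttr) != 1 || !strings.Contains(body, idAttr) {
		return errors.New("ds:Reference URI does not identify the single soap:Body")
	}
	if want, _ := between(signedInfo, `<ds:DigestValue>`, `</ds:DigestValue>`); b64(sha(body)) != want {
		return errors.New("Body digest mismatch: content changed after signing")
	}
	return nil
}

func main() {
	key, cert := newSigner("client.example")
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the service trusts exactly this signer
	env := sign(key, cert, bodyXML("testMethod", "hello"))
	fmt.Println(verify(env, roots), verify(strings.Replace(env, "<arg>hello</arg>", "<arg>pwned</arg>", 1), roots))
}
```

The order of checks in verify is the one that matters in practice: the certificate is validated against the service's own roots pool before any cryptography is done with its key, the algorithms named in ds:SignedInfo are compared against the expected ones rather than trusted, and the element found by the ds:Reference URI is required to be the single soap:Body. Changing the argument inside the Body after signing, inserting a second Body anywhere in the envelope, or signing with a certificate that is not in the roots pool each makes verify return an error, while the untouched envelope verifies.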