17.5.2.SOAP Server WS-Security Endpoint

Prev	Up	Next
17.5.1.Client and Server side Certificates & Keys	Home	17.5.3.Virtual Directory SOAP WSS Options

¶

17.5.2.SOAP Server WS-Security Endpoint

The WS-Security processing is performed by filtering incoming and outgoing messages of the Virtuoso SOAP server. These filters are activated when a special SOAP option is set on the current virtual directory that is the SOAP endpoint. The WS-Security filters are invoked on input to verify / decrypt the message. Upon success the message will be processed by the SOAP server, otherwise a SOAP:Fault will be returned to the SOAP requester. On outgoing messages, depending of SOAP options, messages produced by the SOAP server can be encoded and signed as well. The administrator configures the WS Security subsystem at the access point level. Different security schemes involving encryption and/or signature can be selected.

The keys and certificates need to be defined in order to get a working secure service. The key/certificate(s) for the SOAP endpoint that is WS-Security enabled are referenced in a special PL hook and/or signature template. If none of these (signature or key instance hook) are defined the response will not be encrypted or signed.

Here are the steps involved in processing a message to a secure end point.

SOAP server receives a message on a secure endpoint
The message is determined to be for this endpoint, otherwise will be sent to the next SOAP router if routing is enabled.

The message (as is) is passed to the decoding routine. At this point keys that are referenced in SOAP message need to be in the user space of the SQL account on whose behalf SOAP accessible procedures of this end point run. If any key does not exist in the user space, the requested processing will fail.

Note:

Signatures can be verified in the following manners:

never try signatures

expect signatures, explicit

try signature if exists

This behavior depends on the "WSS-Validate-Signature" option set for the virtual directory.

If step 3 completes without problem, security related headers are stripped from the decoded message.
The result of point 4 is passed to the usual SOAP server for processing.
Once a response is generated by the SOAP method (i.e. corresponding PL procedure, exposed as SOAP method) the result will be encoded and/or signed. This is the last step before the result is sent back to the requestor client. At this point the server behavior is controlled by a few options defined in the virtual directory. See below: "WSS-KEY", "WSS-Template", and "WSS-Type" options.

Prev	Up	Next
17.5.1.Client and Server side Certificates & Keys	Home	17.5.3.Virtual Directory SOAP WSS Options

Prefix	Namespace IRI
schema	http://schema.org/
n3	http://docs.openlinksw.com/virtuoso/vwsssoapendpoint/
n5	http://creativecommons.org/licenses/by/4.0/deed.
rdf	http://www.w3.org/1999/02/22-rdf-syntax-ns#
n4	http://www.openlinksw.com/#
xsdh	http://www.w3.org/2001/XMLSchema#

Namespace Prefix	Namespace URI
xmlns:schema	http://schema.org/
xmlns:n3	http://docs.openlinksw.com/virtuoso/vwsssoapendpoint/
xmlns:n5	http://creativecommons.org/licenses/by/4.0/deed.
xmlns:rdf	http://www.w3.org/1999/02/22-rdf-syntax-ns#
xmlns:n4	http://www.openlinksw.com/#
xmlns:xsdh	http://www.w3.org/2001/XMLSchema#

Subject	Predicate	Object
n3:	rdf:type	schema:TechArticle
n3:	rdf:type	schema:APIReference
n3:	schema:name	17.5.2.ÃÂ SOAP Server WS-Security Endpoint
n3:	schema:copyrightHolder	_:vb82586
n3:	schema:datePublished	2016-09-09 16:16:54
n3:	schema:headline	17.5.2.ÃÂ SOAP Server WS-Security Endpoint
n3:	schema:keywords	OpenLink,Virtuoso,database,RDBMS,relational,SQL,RDF,triple store,linked data,linked open data,Big Data
n3:	schema:license	n5:en_US
n3:	schema:publisher	_:vb82585
n3:	schema:url	n3:
_:vb82585	rdf:type	schema:Organization
_:vb82585	schema:name	OpenLink Software
_:vb82585	schema:url	n4:this
_:vb82586	rdf:type	schema:Organization
_:vb82586	schema:name	OpenLink Software
_:vb82586	schema:url	n4:this