Chapter 5. DRA4SOA
5.4 Implementation of DRA4SOA messages in Web services
In this section we discuss how to implement our security framework in Web services.
As mentioned in Section 5.2, a DRA4SOA message that contains the calling records of invocations and responses should be transmitted between callers and callees. SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of Web services [120]. A SOAP message is an ordinary XML document containing the following elements: (1) the envelope element defines the start and end of the message; (2) the header element contains any optional attributes of the message used in processing it (e.g., WS-Security defines how to embed elements in a SOAP header to carry security-related data); and (3) the body element contains the actual SOAP message, which usually includes the requested service name and the required parameters.
The optional header element offers a flexible framework for specifying additional application-level requirements. It is intended to add new features and functionality, and so we embed the DRA4SOA message in the header element as shown in Figure 52.
[Figure 52 (diagram): a SOAP envelope whose SOAP header carries WS-Security, WS-Policy and the DRA4SOA message, the latter holding the calling records M(REQ1), M(REQ2), ..., M(RES2), M(RES1); the SOAP body carries the data of the original message.]
Figure 52. A SOAP message embedded in a DRA4SOA message
SOAP
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
      HeaderOfWebService[i]
      DRA4SOA Message
    </soapenv:Header>
    <soapenv:Body>
      BodyOfWebService[i]
    </soapenv:Body>
  </soapenv:Envelope>

DRA4SOA Message
  <dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/">
    CallingRecord+
  </dra4soa>

CallingRecord
  <callingRecord id="CRID" type="(Invocation|Response)">
    <caller>String</caller>
    <callee>String</callee>
    Content
    Signature
  </callingRecord>

Content
  <content id="ContentID">
    <soapenv:Header>
      HeaderOfWebService[*]
    </soapenv:Header>
    [<soapenv:Body>
      BodyOfWebService[*]
    </soapenv:Body>]
  </content>

Signature
  <signature id="SIG:CRID">
    W3CStandardSignature
  </signature>

HeaderOfWebService
  String
BodyOfWebService
  String
CRID
  String

Figure 53. Syntax of the DRA4SOA message
Figure 53 shows the syntax of a SOAP message that contains a DRA4SOA message.
We specify syntax definitions in Backus-Naur form (footnote 10) in this dissertation.
HeaderOfWebService[i] and BodyOfWebService[i] represent the data elements in the original header and body of the SOAP message. To support the DRA4SOA framework we add an element, DRA4SOA Message, that represents a DRA4SOA message in a SOAP header. A DRA4SOA message contains all of the calling records in the formed calling chain. A calling record is represented by CallingRecord. As mentioned in Section 5.2, the general form of a calling record is {{WS(Rj)}ee, [{WS(Rj)}ee, a set of signatures]Pri(R)} (footnote 11). Here {WS(Rj)}ee is represented by <caller>String</caller>, <callee>String</callee>, and Content, and [{WS(Rj)}ee, a set of signatures]Pri(R) is represented by Signature. Note that the type attribute in the <callingRecord> element specifies whether the record is an invocation or a response message.
The <content> element records the header and body element of the original SOAP message. Figure 19 presents an example of this.
Footnote 10: Conventionally, a nonterminal symbol in Backus-Naur form is delimited by < and >. To prevent confusion with XML elements, nonterminal symbols are underscored in this dissertation.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    HeaderOfWebService[i]
    <dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/">
      <callingRecord id="CR_i-1" type="Invocation">
        [...]
        </content>
        [...]
Figure 54. An example of a SOAP message with the DRA4SOA message
As we have mentioned, the Signature element should represent [{WS(Rj)}ee, a set of signatures]Pri(R). We employ the W3C XML signature standard [113] in which the signed data are specified by some <Reference> elements if multiple parts of data are signed.
The URI attribute of a <Reference> element specifies the element ID of the parts.
Referring to Figure 55, there are three <Reference> elements: the first (with attribute URI="#C:CR3") actually links to a <content> element, while the other two (with attributes URI="#SIGVAL:CR1" and URI="#SIGVAL:CR2") refer to signatures in other calling records.
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG:CR3">
  <SignedInfo>
    <!-- The CanonicalizationMethod, the SignatureMethod and the opening of the first
         Reference were lost in the extracted text. The URI "#C:CR3" is stated in the text
         above; the two algorithm identifiers are assumed, not taken from the figure. -->
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference URI="#C:CR3">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>WW1tTQ57BuwVL7uxpfBPXLvWJUA=</DigestValue>
    </Reference>
    <Reference URI="#SIGVAL:CR1">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>4lLHYxi2rZRiDB+IRR4TcCp87kk=</DigestValue>
    </Reference>
    <Reference URI="#SIGVAL:CR2">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>HlfGGofRfvvQu2JQnrLA4fBxuLI=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue Id="SIGVAL:CR3">
    wNWgyiX0gdYVGUuAvJrWvUIdZf4l+SXZNhoVFSFLo3GtD2DiaIjMhc+LUbpM4yoWmTSXNIR/1Ibq
    V7xvcMG0Ux5RVQKNvrV8uEvVeQNETYiN6sf36I4o8mXfQANannPSPOXqM8GCwjaqKciqax7iHsdL
    uRd5PiyijZRmuD5psAs=
  </SignatureValue>
  <KeyInfo>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>
          whrjPIgsZeE4sv2DhBqtoWaXcSP4cuZUg1/AZ135kE+JHC5mswps111uwHKmajRK3I5AW2A2phP5
          EU/yZjER241Ic90S72Pfx54AiRyDRJFLMgPZnHyo7DH9SX2NX0hGuwqO2Kr4AgXFsaq+S/3JW9Q4
          rP/hmqMDhHHqdV/u0e8=
        </Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
Figure 55. An example of a <Signature> element
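As an added example (not code from the dissertation or its prototype), the following Python checks the reference structure that Figures 53 and 55 describe: for calling record CR_n the <Signature> must carry a <Reference> to its own <content> (#C:CRn) and to the <SignatureValue> of every earlier record (#SIGVAL:CR1 ... #SIGVAL:CRn-1), and each DigestValue must equal SHA-1 over the canonicalized target. It assumes only the Python standard library (its C14N implementation) and a constructed two-record chain with dummy SignatureValue text; it verifies digests and chain completeness, not the RSA signature itself, which in a deployment is left to an XML-DSig library.

```python
# Added example (not the dissertation's code): check the Reference chain of a DRA4SOA calling record (Figures 53 and 55).
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace used in Figure 55

def digest_of(element) -> str:
    """Base64(SHA-1) of the canonicalized element, as carried in a DigestValue in Figure 55."""
    c14n = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode()).digest()).decode()

def find_by_id(root, ident):
    """Resolve a Reference URI fragment against Id/id attributes (both spellings occur in Figure 55)."""
    return next((e for e in root.iter() if ident in (e.get("Id"), e.get("id"))), None)

def expected_uris(n: int) -> set:
    """CR_n must reference its own content and the SignatureValue of every earlier record."""
    return {f"#C:CR{n}"} | {f"#SIGVAL:CR{i}" for i in range(1, n)}

def check_record(root, n: int) -> dict:
    """Return {uri: ok} for CR_n; an expected URI that is missing or unresolved stays False."""
    result = {uri: False for uri in expected_uris(n)}
    sig = find_by_id(root, f"SIG:CR{n}")
    for ref in ([] if sig is None else sig.iter(f"{DS}Reference")):
        uri, target = ref.get("URI"), find_by_id(root, ref.get("URI")[1:])
        result[uri] = target is not None and digest_of(target) == ref.findtext(f"{DS}DigestValue")
    return result

def sample_chain() -> ET.Element:
    """Constructed two-record chain (sample data, not a real trace); digests filled in by digest_of."""
    root = ET.fromstring(f"""<dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/" xmlns:ds="{DS[1:-1]}">
  <callingRecord id="CR1" type="Invocation"><caller>A</caller><callee>B</callee>
    <content id="C:CR1"><body>getQuote(IBM)</body></content>
    <ds:Signature Id="SIG:CR1"><ds:SignedInfo>
      <ds:Reference URI="#C:CR1"><ds:DigestValue/></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue Id="SIGVAL:CR1">c2lnMQ==</ds:SignatureValue></ds:Signature></callingRecord>
  <callingRecord id="CR2" type="Invocation"><caller>B</caller><callee>C</callee>
    <content id="C:CR2"><body>lookup(IBM)</body></content>
    <ds:Signature Id="SIG:CR2"><ds:SignedInfo>
      <ds:Reference URI="#C:CR2"><ds:DigestValue/></ds:Reference>
      <ds:Reference URI="#SIGVAL:CR1"><ds:DigestValue/></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue Id="SIGVAL:CR2">c2lnMg==</ds:SignatureValue></ds:Signature></callingRecord>
</dra4soa>""")
    for ref in root.iter(f"{DS}Reference"):  # signer side: fill in every DigestValue
        ref.find(f"{DS}DigestValue").text = digest_of(find_by_id(root, ref.get("URI")[1:]))
    return root
```

A tampered <content> or a dropped <Reference> to an earlier record shows up as a False entry in the dictionary returned by check_record, which is the gap in the calling chain a verifier must reject.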