Contact Us 1-800-596-4880

Validate Operation Examples

This validate operation validates an incoming SOAP request that contains WSS information. The WSS module validates the request against a WssInboundConfig configuration.

Table 1. Parameters
Name M ES Default Value Type Description

request

Yes

No

n.a.

TypedValue <InputStream>

SOAP request

version

No

No

SOAP_12

SoapVersion

SOAP protocol version

The output is the same SOAP request received. The operation does not return any attributes.

Table 2. Errors
Namespace Type Parent Description

WSS

SECURITY_VALIDATING

n.a.

Thrown when the request is not valid or no WS-Security information is found

WSS

MISSING_CERTIFICATE

n.a.

Thrown when unable to get a certificate from either the truststore or the keystore

Decryption

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

This example shows you how to decrpyt a request using a keystore:

Request Example
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
    <soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
Multipart Request Example
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
    <soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1

{
  "title": "Java 8 in Action",
  "author": "Mario Fusco",
  "year": 2014
}
------=_Part_8049_2119795515.1555963425591--
Decryption Example
<wss:inbound-config name="decryption-config">
  <wss:decryption-config>
    <wss:keystore-config path="certificates/decrypt-keystore.jks"
                            password="password"
                            alias="alias"
                            keyPassword="key" />
  </wss:decryption-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="decryption-config" version="SOAP_12"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

UsernameToken Validation

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

The following examples show you how to validate against either an LDAP server or a provided username/password credentials pair.

Use LDAP authentication to validate multiple users. Credentials validation does not support validation of multiple users.

LDAP Authentication

This example shows usernameToken validation against an LDAP server. The username and password from the request are validated in the LDAP server.

Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ser:echo>
      <text>test username</text>
    </ser:echo>
  </soap:Body>
</soap:Envelope>
Validation Example
<wss:inbound-config name="ldap-config">
  <wss:username-config>
    <wss:authenticate-user-config>
      <wss:ldap-config providerUrl="ldap://localhost:${LDAP_PORT}"
             userDn="cn=admin,dc=example,dc=com"
             password="password"
             searchBase="ou=people,dc=example,dc=com"
             searchFilter="(uid={0})"
             searchInSubtree="false"/>
    </wss:authenticate-user-config>
  </wss:username-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="ldap-config" version="SOAP_12"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

Credentials Authentication

This example shows a usernameToken validation against a configured pair of username and password:

Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
                <wsse:Username>username</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <ser:echo>
            <text>test username</text>
        </ser:echo>
    </soap:Body>
</soap:Envelope>
Multipart Request Example
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ser:echo xmlns:ser="http://service.util.soap.mule.org/">
      <text>test username</text>
    </ser:echo>
  </soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1

{
  "title": "Java 8 in Action",
  "author": "Mario Fusco",
  "year": 2014
}
------=_Part_8049_2119795515.1555963425591--
Validation Example
<wss:inbound-config name="username-config">
  <wss:username-config>
    <wss:authenticate-user-config>
      <wss:credentials-config username="username" password="password"/>
    </wss:authenticate-user-config>
  </wss:username-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/orderTshirt" />
  <wss:validate-wss config-ref="username-config" />
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

Validate Signature

The following examples show you how to validate signatures in your incoming requests against a configured trustore, a binary security token, or a X.509 certificate.

Trustore

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

Example of validation of the request signature against a configured truststore to ensure that only valid messages from trusted senders are received:

Request Example
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX+xxxxxxxxxxxxxxxxxxxx/xxxxxxxx
xxxxxxx/xxxxxxxxxx
xxxxxxxx+xxx/xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
   <soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ser:echo>
         <text>test</text>
      </ser:echo>
   </soapenv:Body>
</soapenv:Envelope>
Validation Example
<wss:inbound-config name="validate-signature-config">
  <wss:verify-signature-config>
    <wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
  </wss:verify-signature-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="validate-signature-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

BinarySecurityToken Signature

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

Example of validation against the truststore of a request signed with a binary security token.

Request Example
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wor="http://snowyhydro.com.au/workorder-service">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-B1C61A5DA2BB64CA6A15792851906729">xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx+xxxxxx/xxxxxxxxxxxxxx</wsse:BinarySecurityToken><ds:Signature Id="SIG-B1C61A5DA2BB64CA6A157928519067613" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soapenv wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-B1C61A5DA2BB64CA6A157928519067312"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>H/d9uuvKNSGhJPNoJtm1DhWBQmI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxx+xxxx/xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-B1C61A5DA2BB64CA6A157928519067210"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-B1C61A5DA2BB64CA6A157928519067211" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#X509-B1C61A5DA2BB64CA6A15792851906729" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
   <soapenv:Body wsu:Id="id-B1C61A5DA2BB64CA6A157928519067312" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wor:Workorder>
         <InitiatingEvent>?</InitiatingEvent>
         <OriginatingDocumentNumber>?</OriginatingDocumentNumber>
         <StandardJob>?</StandardJob>
         <WorkorderDescription>?</WorkorderDescription>
         <Originator>?</Originator>
         <MaintenanceType>?</MaintenanceType>
         <EquipmentReference>?</EquipmentReference>
         <WorkorderType>?</WorkorderType>
         <WorkGroup>?</WorkGroup>
         <AccountCode>?</AccountCode>
      </wor:Workorder>
   </soapenv:Body>
</soapenv:Envelope>
Validation Example
<wss:inbound-config name="validate-signature-config">
  <wss:verify-signature-config>
    <wss:truststore-config path="certificates/sign-keystore.jks" password="mulepassword"/>
  </wss:verify-signature-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="validate-signature-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

X.509 Certificate

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

The following example shows validation of an X.509 certificate issuer by pattern:

Request Example
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
   <soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <ser:echo>
         <text>test</text>
      </ser:echo>
   </soapenv:Body>
</soapenv:Envelope>
Validation Example
<wss:inbound-config name="validate-signature-config">
  <wss:verify-signature-config issuerPattern="CN=Unknown.*">
    <wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
  </wss:verify-signature-config>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="validate-signature-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

Validate Timestamp

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

This example shows you how to validate the <wsu:Timestamp> element in your incoming SOAP requests:

Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Timestamp wsu:Id="TS-D77EFA434E6694DA5315531011197435">
                <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
                <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <ser:echo>
            <text>test timestamp</text>
        </ser:echo>
    </soap:Body>
</soap:Envelope>
Timestamp Validation Example
<wss:inbound-config name="timestamp-config">
  <wss:timestamp-config timeToLive="100" precisionInMilliseconds="true"/>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss config-ref="timestamp-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

Validate SAML

The following examples show you how to validate both signed or unsigned SAML assertions in your incoming SOAP requests.

Signed SAML Assertion

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

Example of a signed SAML assertion that requires the Subject Confirmation Method to be Bearer:

Request Example
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>xX+xxxxxxxxxx=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>mT9648OrsRiYV/xxxx/xxxxxxxx/xxxxxx==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</dsig:X509SubjectName><dsig:X509Certificate>xxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
        </wsse:Security>
    </soap:Header>
   <soap:Body>
      <ser:echo>
         <text>test</text>
      </ser:echo>
   </soap:Body>
</soap:Envelope>
Signed SAML Assertion Validation Example
<wss:inbound-config name="validate-saml-config">
  <wss:verify-saml-config samlVersion="SAML20"
        requiredSubjectConfirmationMethod="BEARER"/>
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>

Unsigned SAML Assertion

Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.

Example of SAML assertion of unsigned SOAP message:

Request Example
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <ser:echo>
            <text>test</text>
        </ser:echo>
    </soap:Body>
</soap:Envelope>
Unsigned SAML Assertion Validation Example
<wss:inbound-config name="validate-saml-config">
  <wss:verify-saml-config samlVersion="SAML20" />
</wss:inbound-config>

<flow name="OrderTshirtServiceFlow">
  <http:listener config-ref="HTTP-listener-config" path="/order" />
  <wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
  <flow-ref name="OrderTshirtFlowImpl" />
</flow>
View on GitHub