Validate Operation Examples
This validate operation validates an incoming SOAP request that contains WSS information. The WSS module validates the request against a WssInboundConfig configuration.
| Name | M | ES | Default Value | Type | Description |
|---|---|---|---|---|---|
|
Yes |
No |
n.a. |
|
SOAP request |
|
No |
No |
|
|
SOAP protocol version |
The output is the same SOAP request received. The operation does not return any attributes.
| Namespace | Type | Parent | Description |
|---|---|---|---|
WSS |
SECURITY_VALIDATING |
n.a. |
Thrown when the request is not valid or no WS-Security information is found |
WSS |
MISSING_CERTIFICATE |
n.a. |
Thrown when unable to get a certificate from either the truststore or the keystore |
Decryption
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
This example shows you how to decrpyt a request using a keystore:
Request Example
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>Multipart Request Example
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1
{
"title": "Java 8 in Action",
"author": "Mario Fusco",
"year": 2014
}
------=_Part_8049_2119795515.1555963425591--Decryption Example
<wss:inbound-config name="decryption-config">
<wss:decryption-config>
<wss:keystore-config path="certificates/decrypt-keystore.jks"
password="password"
alias="alias"
keyPassword="key" />
</wss:decryption-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="decryption-config" version="SOAP_12"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>UsernameToken Validation
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
The following examples show you how to validate against either an LDAP server or a provided username/password credentials pair.
Use LDAP authentication to validate multiple users. Credentials validation does not support validation of multiple users.
LDAP Authentication
This example shows usernameToken validation against an LDAP server. The username and password from the request are validated in the LDAP server.
Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>Validation Example
<wss:inbound-config name="ldap-config">
<wss:username-config>
<wss:authenticate-user-config>
<wss:ldap-config providerUrl="ldap://localhost:${LDAP_PORT}"
userDn="cn=admin,dc=example,dc=com"
password="password"
searchBase="ou=people,dc=example,dc=com"
searchFilter="(uid={0})"
searchInSubtree="false"/>
</wss:authenticate-user-config>
</wss:username-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="ldap-config" version="SOAP_12"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>Credentials Authentication
This example shows a usernameToken validation against a configured pair of username and password:
Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>Multipart Request Example
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd" wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo xmlns:ser="http://service.util.soap.mule.org/">
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1
{
"title": "Java 8 in Action",
"author": "Mario Fusco",
"year": 2014
}
------=_Part_8049_2119795515.1555963425591--Validation Example
<wss:inbound-config name="username-config">
<wss:username-config>
<wss:authenticate-user-config>
<wss:credentials-config username="username" password="password"/>
</wss:authenticate-user-config>
</wss:username-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/orderTshirt" />
<wss:validate-wss config-ref="username-config" />
<flow-ref name="OrderTshirtFlowImpl" />
</flow>Validate Signature
The following examples show you how to validate signatures in your incoming requests against a configured trustore, a binary security token, or a X.509 certificate.
Trustore
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
Example of validation of the request signature against a configured truststore to ensure that only valid messages from trusted senders are received:
Request Example
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX+xxxxxxxxxxxxxxxxxxxx/xxxxxxxx
xxxxxxx/xxxxxxxxxx
xxxxxxxx+xxx/xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<ser:echo>
<text>test</text>
</ser:echo>
</soapenv:Body>
</soapenv:Envelope>Validation Example
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config>
<wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>BinarySecurityToken Signature
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
Example of validation against the truststore of a request signed with a binary security token.
Request Example
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wor="http://snowyhydro.com.au/workorder-service">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.1#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1" wsu:Id="X509-B1C61A5DA2BB64CA6A15792851906729">xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx+xxxxxx/xxxxxxxxxxxxxx</wsse:BinarySecurityToken><ds:Signature Id="SIG-B1C61A5DA2BB64CA6A157928519067613" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soapenv wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-B1C61A5DA2BB64CA6A157928519067312"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>H/d9uuvKNSGhJPNoJtm1DhWBQmI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxx+xxxx/xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-B1C61A5DA2BB64CA6A157928519067210"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1" wsu:Id="STR-B1C61A5DA2BB64CA6A157928519067211" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#X509-B1C61A5DA2BB64CA6A15792851906729" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-B1C61A5DA2BB64CA6A157928519067312" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wor:Workorder>
<InitiatingEvent>?</InitiatingEvent>
<OriginatingDocumentNumber>?</OriginatingDocumentNumber>
<StandardJob>?</StandardJob>
<WorkorderDescription>?</WorkorderDescription>
<Originator>?</Originator>
<MaintenanceType>?</MaintenanceType>
<EquipmentReference>?</EquipmentReference>
<WorkorderType>?</WorkorderType>
<WorkGroup>?</WorkGroup>
<AccountCode>?</AccountCode>
</wor:Workorder>
</soapenv:Body>
</soapenv:Envelope>Validation Example
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config>
<wss:truststore-config path="certificates/sign-keystore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>X.509 Certificate
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
The following example shows validation of an X.509 certificate issuer by pattern:
Request Example
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<ser:echo>
<text>test</text>
</ser:echo>
</soapenv:Body>
</soapenv:Envelope>Validation Example
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config issuerPattern="CN=Unknown.*">
<wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>Validate Timestamp
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
This example shows you how to validate the <wsu:Timestamp> element in your incoming SOAP requests:
Request Example
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wsu:Timestamp wsu:Id="TS-D77EFA434E6694DA5315531011197435">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test timestamp</text>
</ser:echo>
</soap:Body>
</soap:Envelope>Timestamp Validation Example
<wss:inbound-config name="timestamp-config">
<wss:timestamp-config timeToLive="100" precisionInMilliseconds="true"/>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="timestamp-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>Validate SAML
The following examples show you how to validate both signed or unsigned SAML assertions in your incoming SOAP requests.
Signed SAML Assertion
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
Example of a signed SAML assertion that requires the Subject Confirmation Method to be Bearer:
Request Example
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>xX+xxxxxxxxxx=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>mT9648OrsRiYV/xxxx/xxxxxxxx/xxxxxx==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</dsig:X509SubjectName><dsig:X509Certificate>xxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test</text>
</ser:echo>
</soap:Body>
</soap:Envelope>Signed SAML Assertion Validation Example
<wss:inbound-config name="validate-saml-config">
<wss:verify-saml-config samlVersion="SAML20"
requiredSubjectConfirmationMethod="BEARER"/>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>Unsigned SAML Assertion
|
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures. |
Example of SAML assertion of unsigned SOAP message:
Request Example
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test</text>
</ser:echo>
</soap:Body>
</soap:Envelope>Unsigned SAML Assertion Validation Example
<wss:inbound-config name="validate-saml-config">
<wss:verify-saml-config samlVersion="SAML20" />
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>