<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
Validate Operation Examples
This validate operation validates an incoming SOAP request that contains WSS information. The WSS module validates the request against a WssInboundConfig configuration.
Name | M | ES | Default Value | Type | Description |
---|---|---|---|---|---|
 | Yes | No | n.a. | | SOAP request |
 | No | No | | | SOAP protocol version |
The output is the same SOAP request received. The operation does not return any attributes.
Namespace | Type | Parent | Description |
---|---|---|---|
WSS | SECURITY_VALIDATING | n.a. | Thrown when the request is not valid or no WS-Security information is found |
WSS | MISSING_CERTIFICATE | n.a. | Thrown when unable to get a certificate from either the truststore or the keystore |
Decryption
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
This example shows you how to decrypt a request using a keystore:
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName><ds:X509SerialNumber>1182300426</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>
<soap:Body><xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1
{
"title": "Java 8 in Action",
"author": "Mario Fusco",
"year": 2014
}
------=_Part_8049_2119795515.1555963425591--
<wss:inbound-config name="decryption-config">
<wss:decryption-config>
<wss:keystore-config path="certificates/decrypt-keystore.jks"
password="password"
alias="alias"
keyPassword="key" />
</wss:decryption-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="decryption-config" version="SOAP_12"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
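The following Python script is an added example; it is not part of the WSS module or of this documentation. It performs the consistency checks a receiver can make on the encrypted request above before the keystore is used to decrypt it: the key-transport and data-cipher algorithms are compared against an allowlist (assumed here to be exactly the two algorithms the request uses), the EncryptedKey's ReferenceList must name the EncryptedData found in the Body, the EncryptedData's KeyInfo must point back at that EncryptedKey, and the EncryptedData Type must be the Content type used above. The embedded request is constructed from the page's sample with placeholder ciphertext.

```python
import xml.etree.ElementTree as ET

# Namespaces as used in the encrypted request above.
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed receiver policy: accept only the algorithms the request above uses.
ALLOWED_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}
ALLOWED_DATA_CIPHERS = {"http://www.w3.org/2001/04/xmlenc#aes128-cbc"}

# Constructed sample: the encrypted request from the page with placeholder ciphertext.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey Id="EK-D77EFA434E6694DA5315531006937483">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=OLEKSIYS-W3T,OU=Sun Java System Application Server,O=Sun Microsystems,L=Santa Clara,ST=California,C=US</ds:X509IssuerName>
        <ds:X509SerialNumber>1182300426</ds:X509SerialNumber>
      </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>xxxx</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#ED-D77EFA434E6694DA5315531006937494"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
  </wsse:Security></soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="ED-D77EFA434E6694DA5315531006937494" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo><wsse:SecurityTokenReference>
        <wsse:Reference URI="#EK-D77EFA434E6694DA5315531006937483"/>
      </wsse:SecurityTokenReference></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>xxxx</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def _algorithm(parent):
    """Algorithm URI of an xenc:EncryptionMethod child, or None if absent."""
    method = parent.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def check_encrypted_request(xml_text):
    """Return the list of structural problems found; an empty list means the
    EncryptedKey and EncryptedData are consistent with each other and with policy."""
    problems = []
    root = ET.fromstring(xml_text)
    ek = root.find("soap:Header/wsse:Security/xenc:EncryptedKey", NS)
    ed = root.find("soap:Body/xenc:EncryptedData", NS)
    if ek is None or ed is None:
        return ["missing EncryptedKey in Security header or EncryptedData in Body"]

    if _algorithm(ek) not in ALLOWED_KEY_TRANSPORT:
        problems.append(f"key transport algorithm not allowed: {_algorithm(ek)}")
    if _algorithm(ed) not in ALLOWED_DATA_CIPHERS:
        problems.append(f"data cipher not allowed: {_algorithm(ed)}")

    # The key's ReferenceList must name exactly the EncryptedData found in the Body.
    refs = [r.get("URI") for r in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)]
    if refs != ["#" + ed.get("Id", "")]:
        problems.append(f"DataReference {refs} does not match EncryptedData Id {ed.get('Id')}")

    # ...and the EncryptedData's KeyInfo must point back at that same EncryptedKey.
    key_ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    key_uri = key_ref.get("URI") if key_ref is not None else None
    if key_uri != "#" + ek.get("Id", ""):
        problems.append(f"EncryptedData key reference {key_uri} does not match EncryptedKey Id {ek.get('Id')}")

    # The request above encrypts the Body's content, not the Body element itself.
    if ed.get("Type") != "http://www.w3.org/2001/04/xmlenc#Content":
        problems.append(f"unexpected EncryptedData Type: {ed.get('Type')}")
    return problems


if __name__ == "__main__":
    print(check_encrypted_request(SAMPLE_REQUEST) or "request structure OK")
```

Running the script against the embedded request reports no problems; changing the DataReference URI, or the cipher to an algorithm outside the allowlist, produces one entry per finding, which is what a receiver would log before rejecting the message.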
UsernameToken Validation
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
The following examples show you how to validate against either an LDAP server or a provided username/password credentials pair.
Use LDAP authentication to validate multiple users. Credentials validation does not support validation of multiple users.
LDAP Authentication
This example shows usernameToken validation against an LDAP server. The username and password from the request are validated against the LDAP server.
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
<wss:inbound-config name="ldap-config">
<wss:username-config>
<wss:authenticate-user-config>
<wss:ldap-config providerUrl="ldap://localhost:${LDAP_PORT}"
userDn="cn=admin,dc=example,dc=com"
password="password"
searchBase="ou=people,dc=example,dc=com"
searchFilter="(uid={0})"
searchInSubtree="false"/>
</wss:authenticate-user-config>
</wss:username-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="ldap-config" version="SOAP_12"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
Credentials Authentication
This example shows usernameToken validation against a configured username and password pair:
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/soap+xml
Content-ID: main
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd" wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
<wsse:Username>username</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">username</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo xmlns:ser="http://service.util.soap.mule.org/">
<text>test username</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
------=_Part_8049_2119795515.1555963425591
Content-Type: application/json
Content-Disposition: related; name="file1"; filename="a.json"
Content-ID: file1
{
"title": "Java 8 in Action",
"author": "Mario Fusco",
"year": 2014
}
------=_Part_8049_2119795515.1555963425591--
<wss:inbound-config name="username-config">
<wss:username-config>
<wss:authenticate-user-config>
<wss:credentials-config username="username" password="password"/>
</wss:authenticate-user-config>
</wss:username-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/orderTshirt" />
<wss:validate-wss config-ref="username-config" />
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
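The following Python script is an added example; it is not part of the WSS module or of this documentation. It shows what credentials validation amounts to: extract the UsernameToken from the Security header, accept only the PasswordText type used in the request above, and compare the username and password against the single configured pair with constant-time comparisons. The embedded request is constructed from the page's sample, with the password set to the configured value so that it validates; the configured pair mirrors the credentials-config above.

```python
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Mirrors <wss:credentials-config username="username" password="password"/> above.
CONFIGURED_USERNAME = "username"
CONFIGURED_PASSWORD = "password"

# Constructed sample: the page's UsernameToken request, with the password set to
# the configured value so that it validates.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:UsernameToken wsu:Id="UsernameToken-D77EFA434E6694DA53155311225135914">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ser:echo><text>test username</text></ser:echo></soap:Body>
</soap:Envelope>"""


def extract_username_token(xml_text):
    """Return (username, password type URI, password) from the Security header."""
    root = ET.fromstring(xml_text)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no UsernameToken in Security header")
    username = token.findtext("wsse:Username", default="", namespaces=NS)
    password = token.find("wsse:Password", NS)
    if password is None:
        raise ValueError("UsernameToken carries no Password")
    # A Password without a Type attribute is PasswordText per the token profile.
    return username, password.get("Type", PASSWORD_TEXT), password.text or ""


def validate_credentials(xml_text, username=CONFIGURED_USERNAME, password=CONFIGURED_PASSWORD):
    """True only for a PasswordText token that matches the single configured pair."""
    try:
        user, password_type, secret = extract_username_token(xml_text)
    except (ValueError, ET.ParseError):
        return False
    if password_type != PASSWORD_TEXT:
        # Digest tokens need nonce and Created handling; this check only knows cleartext tokens.
        return False
    # Compare both fields with hmac.compare_digest and always evaluate both, so a wrong
    # username and a wrong password are rejected in the same way.
    user_ok = hmac.compare_digest(user.encode("utf-8"), username.encode("utf-8"))
    pass_ok = hmac.compare_digest(secret.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    print("valid" if validate_credentials(SAMPLE_REQUEST) else "rejected")
```

Because the comparison is against one configured pair, this mirrors the limitation stated above: credentials validation cannot serve multiple users, which is what the LDAP configuration is for.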
Validate Signature
The following examples show you how to validate signatures in your incoming requests against a configured truststore, a binary security token, or an X.509 certificate.
Truststore
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
Example of validation of the request signature against a configured truststore to ensure that only valid messages from trusted senders are received:
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxx+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX+xxxxxxxxxxxxxxxxxxxx/xxxxxxxx
xxxxxxx/xxxxxxxxxx
xxxxxxxx+xxx/xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<ser:echo>
<text>test</text>
</ser:echo>
</soapenv:Body>
</soapenv:Envelope>
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config>
<wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
BinarySecurityToken Signature
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
Example of validation against the truststore of a request signed with a binary security token.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wor="http://snowyhydro.com.au/workorder-service">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.1#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1" wsu:Id="X509-B1C61A5DA2BB64CA6A15792851906729">xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx+xxxxxx/xxxxxxxxxxxxxx</wsse:BinarySecurityToken><ds:Signature Id="SIG-B1C61A5DA2BB64CA6A157928519067613" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soapenv wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-B1C61A5DA2BB64CA6A157928519067312"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="wor" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>H/d9uuvKNSGhJPNoJtm1DhWBQmI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxx+xxxx/xxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-B1C61A5DA2BB64CA6A157928519067210"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1" wsu:Id="STR-B1C61A5DA2BB64CA6A157928519067211" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#X509-B1C61A5DA2BB64CA6A15792851906729" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.1#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-B1C61A5DA2BB64CA6A157928519067312" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wor:Workorder>
<InitiatingEvent>?</InitiatingEvent>
<OriginatingDocumentNumber>?</OriginatingDocumentNumber>
<StandardJob>?</StandardJob>
<WorkorderDescription>?</WorkorderDescription>
<Originator>?</Originator>
<MaintenanceType>?</MaintenanceType>
<EquipmentReference>?</EquipmentReference>
<WorkorderType>?</WorkorderType>
<WorkGroup>?</WorkGroup>
<AccountCode>?</AccountCode>
</wor:Workorder>
</soapenv:Body>
</soapenv:Envelope>
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config>
<wss:truststore-config path="certificates/sign-keystore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
X.509 Certificate
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
The following example shows validation of an X.509 certificate issuer by pattern:
<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd"><ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ser" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yLFLEkH4/MjYbZ4viZxjou9/4os=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxxxxxxxxxx==</ds:SignatureValue><ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132"><wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName><ds:X509SerialNumber>1545521240</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<ser:echo>
<text>test</text>
</ser:echo>
</soapenv:Body>
</soapenv:Envelope>
<wss:inbound-config name="validate-signature-config">
<wss:verify-signature-config issuerPattern="CN=Unknown.*">
<wss:truststore-config path="certificates/verify-signature-truststore.jks" password="mulepassword"/>
</wss:verify-signature-config>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="validate-signature-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
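The following Python script is an added example; it is not part of the WSS module or of this documentation. It shows the policy checks that sit around signature verification in the examples above: the issuer DN from the KeyInfo must match the issuerPattern (assumed here to be a regular expression matched against the whole DN; the page does not say how the pattern is anchored), the SignatureMethod must be on an allowlist, the signed Reference must cover the SOAP Body, and every referenced Id must resolve to exactly one element. Verification of the signature value against the truststore is left to the verifier and is not reproduced. The embedded request is constructed from the page's sample with placeholder digest and signature values.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Assumed policy: the page's samples sign with rsa-sha1; rsa-sha256 is listed so a
# current sender is accepted too. Drop rsa-sha1 once senders have moved off it.
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# Constructed sample: the page's signed request with placeholder digest and signature values.
SAMPLE_SIGNED = f"""<soapenv:Envelope xmlns:ser="http://service.soap.service.mule.org/"
    xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header><wsse:Security>
    <ds:Signature Id="SIG-F8FAC4A91BEF76355615530303348205">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#id-F8FAC4A91BEF76355615530303348174">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>xxxx</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>xxxx</ds:SignatureValue>
      <ds:KeyInfo Id="KI-F8FAC4A91BEF76355615530303348132">
        <wsse:SecurityTokenReference wsu:Id="STR-F8FAC4A91BEF76355615530303348153">
          <ds:X509Data><ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1545521240</ds:X509SerialNumber>
          </ds:X509IssuerSerial></ds:X509Data>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="id-F8FAC4A91BEF76355615530303348174">
    <ser:echo><text>test</text></ser:echo>
  </soapenv:Body>
</soapenv:Envelope>"""


def check_signature_binding(xml_text, issuer_pattern=r"CN=Unknown.*",
                            allowed_methods=ALLOWED_SIGNATURE_METHODS):
    """Return the list of policy problems around the signature; empty means the
    signature is bound to the Body and meets the issuer and algorithm policy."""
    problems = []
    root = ET.fromstring(xml_text)
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    body = root.find("soapenv:Body", NS)
    if sig is None or body is None:
        return ["missing ds:Signature in Security header or missing Body"]

    # issuerPattern treated as a regular expression over the whole issuer DN (assumed).
    issuer = sig.findtext("ds:KeyInfo/wsse:SecurityTokenReference/ds:X509Data/"
                          "ds:X509IssuerSerial/ds:X509IssuerName", default="", namespaces=NS)
    if not re.fullmatch(issuer_pattern, issuer):
        problems.append(f"issuer {issuer!r} does not match pattern {issuer_pattern!r}")

    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    method_uri = method.get("Algorithm") if method is not None else None
    if method_uri not in allowed_methods:
        problems.append(f"signature method not allowed: {method_uri}")

    # The signed Reference must cover the Body the service will act on...
    refs = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    body_id = body.get(WSU_ID)
    if body_id is None or "#" + body_id not in refs:
        problems.append("signature does not reference the SOAP Body")

    # ...and every referenced Id must resolve to exactly one element in the document.
    for uri in refs:
        target = uri.lstrip("#")
        hits = [el for el in root.iter() if target in (el.get(WSU_ID), el.get("Id"))]
        if len(hits) != 1:
            problems.append(f"reference {uri} resolves to {len(hits)} elements")
    return problems


if __name__ == "__main__":
    print(check_signature_binding(SAMPLE_SIGNED) or "signature binding OK")
```

The allowlist is a parameter so the same check can be tightened per endpoint; the page's own samples use rsa-sha1 and sha1 digests, which the default allowlist still accepts.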
Validate Timestamp
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
This example shows you how to validate the <wsu:Timestamp> element in your incoming SOAP requests:
<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd">
<wsu:Timestamp wsu:Id="TS-D77EFA434E6694DA5315531011197435">
<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test timestamp</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
<wss:inbound-config name="timestamp-config">
<wss:timestamp-config timeToLive="100" precisionInMilliseconds="true"/>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss config-ref="timestamp-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
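The following Python script is an added example; it is not part of the WSS module or of this documentation. It carries out the timestamp checks the configuration above implies: Created must not be more than timeToLive seconds in the past (100 here), Created must not lie in the future beyond a small clock-skew tolerance (an assumed parameter, not from the page), and Expires, when present, must be after Created and still in the future. The reading of precisionInMilliseconds as "accept fractional seconds in Created and Expires" is an assumption; the page does not define the attribute further. The embedded request is constructed from the page's sample, and the evaluation time is passed in explicitly so the 2001 timestamps can be checked deterministically.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.1.xsd",
}

# Constructed sample: the page's Timestamp request.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:ser="http://service.util.soap.mule.org/" xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsu:Timestamp wsu:Id="TS-D77EFA434E6694DA5315531011197435">
        <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
        <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ser:echo><text>test timestamp</text></ser:echo></soap:Body>
</soap:Envelope>"""


def parse_wsu_time(text, precision_in_milliseconds=True):
    """Parse a wsu:Created/wsu:Expires value. Only UTC ('Z') values are accepted, and
    fractional seconds only when precision_in_milliseconds is set (assumed reading of
    precisionInMilliseconds)."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError(f"timestamp must be UTC: {text}")
    stamp = text[:-1]
    if "." in stamp:
        if not precision_in_milliseconds:
            raise ValueError(f"fractional seconds not accepted: {text}")
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_timestamp(xml_text, time_to_live=100, precision_in_milliseconds=True,
                       now=None, future_skew=60):
    """Return (ok, reason). time_to_live is the number of seconds a Created value may
    lie in the past, as in <wss:timestamp-config timeToLive="100"/>; future_skew is the
    clock drift tolerated for Created values slightly ahead of the receiver (assumed)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in Security header"
    created_text = ts.findtext("wsu:Created", namespaces=NS)
    expires_text = ts.findtext("wsu:Expires", namespaces=NS)
    if not created_text:
        return False, "Timestamp without Created"
    try:
        created = parse_wsu_time(created_text, precision_in_milliseconds)
        expires = parse_wsu_time(expires_text, precision_in_milliseconds) if expires_text else None
    except ValueError as exc:
        return False, str(exc)
    if created > now + timedelta(seconds=future_skew):
        return False, "Created lies in the future"
    if now - created > timedelta(seconds=time_to_live):
        return False, "Created is older than timeToLive"
    if expires is not None:
        if expires <= created:
            return False, "Expires is not after Created"
        if expires <= now:
            return False, "Timestamp has expired"
    return True, "ok"


if __name__ == "__main__":
    # Evaluated at the real current time the 2001 request is, correctly, rejected.
    print(validate_timestamp(SAMPLE_REQUEST))
```

Evaluated one minute after its Created value the sample passes; evaluated two minutes after it is rejected because 120 seconds exceed the timeToLive of 100, which is the replay window the configuration sets.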
Validate SAML
The following examples show you how to validate either signed or unsigned SAML assertions in your incoming SOAP requests.
Signed SAML Assertion
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
Example of a signed SAML assertion that requires the Subject Confirmation Method to be Bearer:
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>xX+xxxxxxxxxx=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>mT9648OrsRiYV/xxxx/xxxxxxxx/xxxxxx==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509SubjectName>CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=US</dsig:X509SubjectName><dsig:X509Certificate>xxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
<wss:inbound-config name="validate-saml-config">
<wss:verify-saml-config samlVersion="SAML20"
requiredSubjectConfirmationMethod="BEARER"/>
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
Unsigned SAML Assertion
Do not apply transformations to your message’s payload when performing cryptographic operations. Transform operations don’t exclude cryptographic signatures.
Example of a SAML assertion in an unsigned SOAP message:
<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd"><saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="Mulesoft">o=test</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<ser:echo>
<text>test</text>
</ser:echo>
</soap:Body>
</soap:Envelope>
<wss:inbound-config name="validate-saml-config">
<wss:verify-saml-config samlVersion="SAML20" />
</wss:inbound-config>
<flow name="OrderTshirtServiceFlow">
<http:listener config-ref="HTTP-listener-config" path="/order" />
<wss:validate-wss version="SOAP_11" config-ref="validate-saml-config"/>
<flow-ref name="OrderTshirtFlowImpl" />
</flow>
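The following Python script is an added example; it is not part of the WSS module or of this documentation. It covers both SAML examples above with the structural checks that verify-saml-config expresses: the assertion Version must match samlVersion, the assertion must carry an ID and an Issuer, the required SubjectConfirmation Method (Bearer in the signed example) must be present, and for the signed case an enveloped signature whose Reference covers the assertion itself (URI="" or "#" plus the assertion ID) must be there. Cryptographic verification of that signature is not reproduced. The embedded requests are constructed from the page's two samples, with digest, signature and certificate values replaced by placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.1.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed samples: the page's signed and unsigned assertions, with digest,
# signature and certificate values replaced by placeholders.
_ASSERTION_OPEN = ('<saml2:Assertion ID="SAML-d328e428-1d0a-422d-b758-1408b0c010c7" Version="2.0" '
                   'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>WssTest</saml2:Issuer>')
_SUBJECT = ('<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
            'NameQualifier="Mulesoft">o=test</saml2:NameID>'
            '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>')
_SIGNATURE = ('<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo>'
              '<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
              '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
              '<dsig:Reference URI=""><dsig:Transforms>'
              '<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms>'
              '<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
              '<dsig:DigestValue>xxxx</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>'
              '<dsig:SignatureValue>xxxx</dsig:SignatureValue>'
              '<dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>xxxx</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>'
              '</dsig:Signature>')


def _envelope(assertion):
    """Wrap an assertion in the SOAP 1.1 envelope used by the page's SAML examples."""
    return (f'<soap:Envelope xmlns:ser="http://service.soap.service.mule.org/" xmlns:soap="{NS["soap"]}">'
            f'<soap:Header><wsse:Security soap:mustUnderstand="1" xmlns:wsse="{NS["wsse"]}">{assertion}'
            '</wsse:Security></soap:Header><soap:Body><ser:echo><text>test</text></ser:echo></soap:Body>'
            '</soap:Envelope>')


SIGNED_REQUEST = _envelope(_ASSERTION_OPEN + _SIGNATURE + _SUBJECT + "</saml2:Assertion>")
UNSIGNED_REQUEST = _envelope(_ASSERTION_OPEN + _SUBJECT + "</saml2:Assertion>")


def check_saml_assertion(xml_text, saml_version="2.0", required_confirmation=None,
                         require_signature=False):
    """Return the list of problems found against the given policy; empty means the
    assertion has the expected version, identity fields, confirmation method and,
    when required, an enveloped signature over the assertion itself."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("soap:Header/wsse:Security/saml2:Assertion", NS)
    if assertion is None:
        return ["no SAML 2.0 Assertion in Security header"]
    if assertion.get("Version") != saml_version:
        problems.append(f"unexpected SAML version: {assertion.get('Version')}")
    if not assertion.get("ID"):
        problems.append("Assertion without ID")
    if not assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip():
        problems.append("Assertion without Issuer")

    methods = [c.get("Method") for c in assertion.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if required_confirmation is not None and required_confirmation not in methods:
        problems.append(f"required SubjectConfirmation Method {required_confirmation} not present in {methods}")

    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        if require_signature:
            problems.append("Assertion is not signed")
    else:
        # An enveloped signature must reference the assertion itself: URI="" or "#<ID>".
        reference = signature.find("ds:SignedInfo/ds:Reference", NS)
        uri = reference.get("URI") if reference is not None else None
        if uri not in ("", "#" + assertion.get("ID", "")):
            problems.append(f"signature Reference {uri!r} does not cover the Assertion")
    return problems


if __name__ == "__main__":
    print(check_saml_assertion(SIGNED_REQUEST, required_confirmation=BEARER, require_signature=True)
          or "signed assertion OK")
    print(check_saml_assertion(UNSIGNED_REQUEST) or "unsigned assertion OK")
```

With require_signature set, the unsigned request from the second example is rejected, which is the difference between the two configurations above: the first demands requiredSubjectConfirmationMethod="BEARER" on a signed assertion, the second only checks the SAML version.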