Hi guys, I am trying to understand how the web service security headers in SOAP work.

I can see that there should be a BinarySecurityToken, a Created and Expires datetime, and a Signature portion. My questions are as follows:
- What is the BinarySecurityToken? Is it the entire certificate used for signing stuff in this message, or is it just the public key perhaps?
- What exactly gets signed to create the digital signature tag contents? Is it the text of the other three parts of the security header? Or maybe the whole soap body below?

Any help would be greatly appreciated.

Cheers,

Cameron

Last Post by yaronn01

> What is the BinarySecurityToken? Is it the entire certificate used for signing stuff in this message, or is it just the public key perhaps?

The entire certificate including the public key. Of course not including the private key.

> What exactly gets signed to create the digital signature tag contents? Is it the text of the other three parts of the security header? Or maybe the whole soap body below?

It is up to the decision of the service writer. He can decide that all of what you mentioned is required to be signed or none of it.
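
An added example (not part of the original thread): because the signed parts are the service writer's choice, a receiver can list what each `ds:Reference` in the header actually covers and decode the `BinarySecurityToken`. The sample envelope, its `wsu:Id` values, the placeholder token bytes and the `required` policy are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "wssecurity-secext-1.0.xsd",
    "wsu": WSS + "wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
VT = WSS + "x509-token-profile-1.0#X509v3"
TOKEN = base64.b64encode(b"placeholder-DER-bytes").decode()  # not a real certificate

# Constructed sample; digest and signature values are omitted.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{VT}">{TOKEN}</wsse:BinarySecurityToken>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
   <wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><Ping/></soap:Body>
</soap:Envelope>"""

def token_info(xml_text):
    """Return (ValueType, decoded byte length) of the BinarySecurityToken."""
    tok = ET.fromstring(xml_text).find(".//wsse:BinarySecurityToken", NS)
    return tok.get("ValueType"), len(base64.b64decode(tok.text.strip()))

def signed_parts(xml_text):
    """Map each ds:Reference URI to the local name of the element it covers.
    A URI that matches no wsu:Id maps to None (dangling reference)."""
    root = ET.fromstring(xml_text)
    by_id = {e.get(WSU_ID): e.tag.split("}")[-1] for e in root.iter() if e.get(WSU_ID)}
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI"): by_id.get(r.get("URI", "")[1:]) for r in refs}

def unsigned_parts(xml_text, required=("Timestamp", "Body")):
    """Names from the (assumed) policy that no Reference covers."""
    covered = set(signed_parts(xml_text).values())
    return [name for name in required if name not in covered]

if __name__ == "__main__":
    print(token_info(SAMPLE), signed_parts(SAMPLE), unsigned_parts(SAMPLE))
```

This only reports coverage; it does not verify the signature or validate the certificate, which a real receiver must do with an XML Signature library and a hardened XML parser.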
