完整性的现时标志用于指定在特殊元素中嵌入了现时标志并且标记了该元素。现时标志是随机生成的密码令牌。当将现时标志添加到特定的消息部件时,它可以阻止偷盗和重放攻击,因为生成的现时标志是唯一的。例如,没有现时标志的话,当使用非安全传输(如 HTTP)从一台机器向另一台机器传递用户名令牌时,令牌可能会被拦截并用于重放攻击中。即使使用 XML 数字签名和 XML 加密,用户名令牌也可能被盗取。然而,添加现时标志会阻止此问题。
当为请求生成者或响应生成者配置生成者安全性约束时,完成下列步骤以使用关键字来指定完整性的现时标志。请求生成者是为客户机配置的,而响应生成者是为服务器配置的。在以下步骤中,您必须在步骤 2 中配置客户端扩展或在步骤 3 中配置服务器端扩展。
以下示例是具有插入到 SOAP 消息体并标记的现时标志的 SOAP 消息:
<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Header soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/ wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="x509bst_1179110083179840266" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-utility-1.0.xsd"> E21hcnV5YW1hQGpwLmlibS5jb22CAgEBMA0GCSqGSIb3 DQEBBQUAA4GBAHkthdGDgCvdIL9/vXUo74xpfOQd/rr1owBmMdb1TWdOyzwbOHC7lkUlnKrkI7SofwSLSDUP571iiMX Ux3tRdmAVCoDMMFuDXh9V7212luXccx0s1S5KN0D3xW97LLNegQC0/b+aFD8XKw2U5ZtwbnFTRgs097dmz09RosDKkLlM </wsse:BinarySecurityToken> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="wsse ds xsi soapenc xsd soapenv " xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#wssecurity_signature_id_8451968259110349556"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="xsi soapenc xsd wsu soapenv " xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>HgfL7FiG/TGECE/L0zg5mJldfgc=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>iE2G53VMwCFBI6BwOWiaOLYvemZUJTXJocXpy8loyW1LiR8bBQcFioDOuDXXzVj3K+ZD2p Yhc0krVYqkYY0IZoRx7xpWt+9qn7aSbxKjuHlMFNCdB1Uxp608zCZcSwvuoCffjlO0ltUQ8JTEBnmMB0cfaoiG5bF kUOEpkFo2P9c=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#x509bst_1179110083179840266" ValueType="http://docs.oasis-open.org/ wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </soapenv:Header> <soapenv:Body soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" wsu:Id="wssecurity_signature_id_8451968259110349556" xmlns:wsu="http://docs.oasis-open.org/ wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <getVersion/> <wsse:Nonce wasextention="wedsig" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-wssecurity-secext-1.0.xsd">1u0otbnjkPiCWDhh25yEyBHD/r3VPSbQ1oZTs0Ks1GE/iDL4YbKDT wdL+e2Hb7nNZn397nRJQ9ePGgf7PRdEuqATFbfq0/T+6j6Fk/MbSHmZnHHoBscFX8W/dYssyCmWDp99447kRhnJbNg5JxarkFmM LqpxKfm1iP3hKP5DpJY=</wsse:Nonce> </soapenv:Body> </soapenv:Envelope>