<Confidentiality> Element

Specifies the encryption requirements for a SOAP message.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)

<Confidentiality wsp:Usage="..." wsp:Preference="..." >
  <Algorithm Type="wsse:AlgEncryption" 
             URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
             wsp:Preference="1"/>
  <KeyInfo>
    <SecurityToken />
    <SecurityTokenReference />
  </KeyInfo>
  <MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
  </MessageParts>
</Confidentiality>

Attributes and Elements

Attributes

Attribute Description

wsp:Usage

Required attribute. Must be wsp:Required. Setting the attribute to wsp:Required specifies that the SOAP message must be encrypted as specified by the assertion.

wsp:Preference

Optional attribute. Specifies the preferred alternative when multiple alternatives to satisfy a policy exist. The preference is expressed as an xsd:int. The higher the value of the preference, the greater the weighting of the expressed preference. If no preference is specified, a value of zero is assumed.

Child Elements

Element Description

<Algorithm> Element for <Confidentiality>

Optionally, specifies the algorithm to use to compute the encrypted data. WSE supports wsse:AlgEncryption.

<KeyInfo> Element (WSE for Microsoft .NET) (1)

Specifies the type of security token that must be used to encrypt the SOAP message.

<MessageParts> Element for <Confidentiality> Element

Specifies the portions of the SOAP message that must be encrypted.

Parent Elements

Element Description

<Policy> Element (WSE for Microsoft .NET) (1)

Specifies a SOAP message requirement.

Remarks

The <Confidentiality> element must contain a <KeyInfo> element that specifies a security token type supported by WSE.

WSE supports encryption of the <Body> element and of Username tokens, so the only valid values for the <MessageParts> element are wsp:Body() and wse:UsernameToken().

The following table lists the possible values for the wsp:Usage attribute, as defined by the WS-Policy specification. WSE only supports the wsp:Required value for the wsp:Usage attribute. That is, only "required" assertions will get their policy enforcers invoked during enforcement.

Value Description

wsp:Required

Indicates that SOAP messages must be encrypted as specified in the assertion.

wsp:Rejected

Indicates that SOAP messages that are encrypted as specified in the assertion are explicitly not supported.

wsp:Optional

Indicates that SOAP messages can be optionally encrypted as specified in the assertion.

wsp:Observed

Indicates that SOAP messages must be encrypted as specified in the assertion.

wsp:Ignored

Indicates that SOAP messages are not processed to determine if they meet this encryption requirement.

Example

The following code example defines a policy assertion named encrypted-body-x509 that requires the encryption of the <Body> element by an X509SecurityToken and that SOAP messages sent to the http://www.cohowinery.com/Service1.asmx endpoint adhere to the policy assertion.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/Service1.asmx">
      <defaultOperation>
        <request policy="#encrypted-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssc="https://schemas.xmlsoap.org/ws/2004/04/sc"
            xmlns:rp="https://schemas.xmlsoap.org/rp">
    <!--This policy requires that the body be encrypted by an X509
        security token.-->
    <wsp:Policy wsu:Id="encrypted-body-x509">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts xmlns:rp="https://schemas.xmlsoap.org/rp" Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
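The Remarks above state three constraints that WSE enforces on a <Confidentiality> assertion: a <KeyInfo> naming a supported token type must be present, <MessageParts> may only list wsp:Body() or wse:UsernameToken(), and only wsp:Required assertions are enforced. A policy file that drifts from those rules silently leaves traffic unencrypted, so it is worth linting before deployment. The following Python script is an added example, not part of this page or of WSE: it parses a policy document with the standard library and reports each violation, and it also flags a mapping whose policy="#id" points at a wsu:Id that does not exist. The page's own example is embedded (with the namespace declarations the checks do not need trimmed away) and is expected to pass; the second document is a constructed counter-example with a dangling mapping, a wsp:Optional usage, no <KeyInfo> and a part WSE cannot encrypt. Treating several whitespace-separated values in <MessageParts> as a list is an assumption of this script.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as declared in this page's policy document.
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PART_DIALECT = "https://schemas.xmlsoap.org/2002/12/wsse#part"
# The only <MessageParts> values WSE accepts for <Confidentiality> (see Remarks).
ALLOWED_PARTS = {"wsp:Body()", "wse:UsernameToken()"}

# The page's example policy, with namespace declarations the checks do not use removed.
PAGE_EXAMPLE = """
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://www.cohowinery.com/Service1.asmx">
      <defaultOperation>
        <request policy="#encrypted-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="%s" xmlns:wssp="%s" xmlns:wsp="%s">
    <wsp:Policy wsu:Id="encrypted-body-x509">
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="%s">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
""" % (WSU, WSSP, WSP, PART_DIALECT)

# Constructed counter-example: dangling mapping reference, non-Required usage,
# no <KeyInfo>, and a message part WSE cannot encrypt.
WEAK_EXAMPLE = """
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings><endpoint uri="http://www.cohowinery.com/Service1.asmx"><defaultOperation>
    <request policy="#encrypted-header" /><response policy="" /><fault policy="" />
  </defaultOperation></endpoint></mappings>
  <policies xmlns:wsu="%s" xmlns:wssp="%s" xmlns:wsp="%s">
    <wsp:Policy wsu:Id="optional-header">
      <wssp:Confidentiality wsp:Usage="wsp:Optional">
        <wssp:MessageParts Dialect="%s">wsp:Header()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
""" % (WSU, WSSP, WSP, PART_DIALECT)


def q(ns, local):
    """Clark-notation qualified name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def check_policy_document(xml_text):
    """Lint a WSE policy file; returns a list of findings (empty list means it passes)."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Every mapping that names a policy must resolve to an existing wsu:Id.
    policy_ids = {p.get(q(WSU, "Id")) for p in root.iter(q(WSP, "Policy"))}
    for elem in root.iter():
        ref = elem.get("policy")  # unqualified attribute on <request>/<response>/<fault>
        if ref and ref.lstrip("#") not in policy_ids:
            findings.append("<%s> references unknown policy %r" % (elem.tag.split("}")[-1], ref))

    # 2. Each <Confidentiality> assertion must satisfy the constraints in Remarks.
    for pol in root.iter(q(WSP, "Policy")):
        pid = pol.get(q(WSU, "Id"), "<no wsu:Id>")
        for conf in pol.iter(q(WSSP, "Confidentiality")):
            usage = conf.get(q(WSP, "Usage"))
            if usage != "wsp:Required":
                findings.append("%s: wsp:Usage=%r; WSE only enforces wsp:Required" % (pid, usage))

            key_info = conf.find(q(WSSP, "KeyInfo"))
            if key_info is None:
                findings.append("%s: <Confidentiality> lacks the mandatory <KeyInfo>" % pid)
            elif (key_info.find(q(WSSP, "SecurityToken")) is None
                  and key_info.find(q(WSSP, "SecurityTokenReference")) is None):
                findings.append("%s: <KeyInfo> names no security token" % pid)

            parts = conf.find(q(WSSP, "MessageParts"))
            if parts is None:
                findings.append("%s: <Confidentiality> lacks <MessageParts>" % pid)
                continue
            if parts.get("Dialect") != PART_DIALECT:
                findings.append("%s: unexpected MessageParts Dialect %r" % (pid, parts.get("Dialect")))
            for part in (parts.text or "").split():  # assumption: parts are whitespace-separated
                if part not in ALLOWED_PARTS:
                    findings.append("%s: WSE cannot encrypt %r" % (pid, part))
    return findings


if __name__ == "__main__":
    for name, doc in (("page example", PAGE_EXAMPLE), ("weak example", WEAK_EXAMPLE)):
        print(name, "->", check_policy_document(doc) or "OK")
```

Note that the page's example maps only the request to the encryption policy; the empty policy="" on <response> and <fault> is valid and the linter accepts it, but it means nothing in the reply is required to be encrypted. That is a deliberate choice to review, not a syntax error, so it is left to the reader rather than reported as a finding.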

See Also

Reference

<Algorithm> Element for <Confidentiality>
<KeyInfo> Element (WSE for Microsoft .NET) (1)
<MessageParts> Element for <Confidentiality> Element

Concepts

Policy File Schema

Other Resources

Configuring a Web Service's Policy