2.2.1 Security Element

The <Security> element is specified in [WSS1] section 5, [WSS] section 5, and [BSP] section 5. It is a container element that binds a user's credentials (in the form of tokens and signatures) to a SOAP message when client authentication data is added to, or verified in, that message.

When used to add authentication data to a SOAP request message, the <Security> element is composed of a combination of child elements from the following list. The <Security> element MUST only contain child elements from the following:

  • Zero or one <Timestamp> element as defined in section 2.2.1.2.

  • Zero or one <BinarySecurityToken> element as defined in section 2.2.1.3.

  • Zero or one <UsernameToken> element as defined in section 2.2.1.4.

  • Zero or one <SecurityContextToken> element as defined in section 2.2.1.5.

  • Zero or one <Assertion> element as defined in section 2.2.1.6.

  • Zero, one, or multiple <Signature> elements as defined in section 2.2.1.7.

If at least one <Signature> element is present in the <Security> element, the <Timestamp> element MUST be present as well. Otherwise, the <Timestamp> element is optional.
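The request-side rules above can be checked mechanically on the receiving side. The following is an added example, not part of the specification: the function name, the placeholder namespace URIs, and the choice to match children by local name only are assumptions, and a production check would also compare each child's namespace.

```python
import xml.etree.ElementTree as ET

# Maximum count per allowed child of a request <Security> (None = unbounded),
# from the list above. Assumption: elements are matched by local name only.
REQUEST_CHILDREN = {
    "Timestamp": 1, "BinarySecurityToken": 1, "UsernameToken": 1,
    "SecurityContextToken": 1, "Assertion": 1, "Signature": None,
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def check_request_security(security):
    """Return the list of rule violations for a parsed request <Security>."""
    errors, counts = [], {}
    for child in security:
        name = local_name(child.tag)
        if name not in REQUEST_CHILDREN:
            errors.append(f"unexpected child <{name}>")
        else:
            counts[name] = counts.get(name, 0) + 1
    for name, limit in REQUEST_CHILDREN.items():
        if limit is not None and counts.get(name, 0) > limit:
            errors.append(f"<{name}> appears {counts[name]} times, at most {limit} allowed")
    # A <Security> element that carries any <Signature> must carry a <Timestamp>.
    if counts.get("Signature", 0) > 0 and counts.get("Timestamp", 0) == 0:
        errors.append("<Signature> present without <Timestamp>")
    return errors

# Constructed sample headers; the urn:example namespaces are placeholders.
# Untrusted SOAP input should be parsed with a hardened XML parser first.
NS = 'xmlns:s="urn:example:wsse" xmlns:u="urn:example:wsu" xmlns:d="urn:example:dsig"'
SIGNED_OK = (f"<s:Security {NS}><u:Timestamp/><s:BinarySecurityToken/>"
             "<d:Signature/><d:Signature/></s:Security>")
SIGNED_NO_TIMESTAMP = f"<s:Security {NS}><s:UsernameToken/><d:Signature/></s:Security>"
DUPLICATE_AND_UNKNOWN = (f"<s:Security {NS}><u:Timestamp/><s:UsernameToken/>"
                         "<s:UsernameToken/><s:Foo/></s:Security>")

if __name__ == "__main__":
    for doc in (SIGNED_OK, SIGNED_NO_TIMESTAMP, DUPLICATE_AND_UNKNOWN):
        print(check_request_security(ET.fromstring(doc)) or "conforms")
```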

When used to add authentication data to a SOAP response message, the <Security> element is composed of a combination of child elements from the following list. The <Security> element MUST only contain child elements from the following:

  • Zero or one <Timestamp> element as defined in section 2.2.1.2.