Exam 70-554 - Add a digital signature to a SOAP message and verify an existing SOAP message signature.

Section 1

  • Part 3
    • Topic 2

Add a digital signature to a SOAP message and verify an existing SOAP message signature.

  • Sign a SOAP message digitally.
  • Verify a signed SOAP message.


WSE 3.0 enables developers to sign SOAP Messages by attaching a digital signature that can be verified. When you digitally sign the message, the message itself is still in plain text, it just allows the receiver to verify the message sender’s identity and that it was unaltered. There are several types of security tokens that can be used to sign a SOAP message including: X509 Certificate, Username token, Kerberos Ticket, Security Context token or custom token.

To digitally sign a SOAP message you must create a custom policy assertion that secures SOAP Messages. To do this you must create a classes that inherits from the ReceiveSecurityFilter class and classes that inherits from SendSecurityFilter Class. You need one set of classes for the Client and one set for the Server. In the SendSecurityFilter classes you will override the SecureMessage Method and add the token to the base classes security.tokens collection. Then create an instance of the MessageSignature class passing the token into the constructor. Then you add the signature to the security Elements collection of the base class. The following is an example of signing a message with a Kerberos token from msdn:

public override void SecureMessage(SoapEnvelope envelope, Security security)
KerberosToken kerbToken = new KerberosToken("host/" + hostname + "@" + domainName); // Add the security token.
security.Tokens.Add(kerbToken); // Specify the security token to sign the message with.
MessageSignature sig = new MessageSignature(kerbToken); // Add the digital signature to the SOAP message.
security.Elements.Add(sig); }

To verify the signature on the other side you will need to override the ValidateMessageSecurity method. In this method you will need to iterate through the security elements collection and check if each item is an instance of MessageSignature. The following example from msdn checks that the message was signed using a username token.

public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
bool IsSatisfied = false;
foreach (ISecurityElement element in security.Elements)
if (element is MessageSignature)
MessageSignature sig = element as MessageSignature;
SignatureOptions expectedOptions = SignatureOptions.IncludeTimestamp |
SignatureOptions.IncludeSoapBody |
SignatureOptions.IncludeTo |
SignatureOptions.IncludeAction |
if ((sig.SignatureOptions & expectedOptions) == expectedOptions)
// The SOAP message is signed.
if (sig.SigningToken is UsernameToken)
// The SOAP message is signed
// with a UsernameToken.
IsSatisfied = true;
} if (!IsSatisfied)
throw new SecurityFault("Signature Requirements not Satisfied");

Other Resources & Links:

Digitally Signing a SOAP Message

How to: Digitally Signing a SOAP Message

How to: Create a Custom Policy Assertion that Secures SOAP Messages

How to: Determine Which Parts of a SOAP Message Were Signed or Encrypted

Exam 70-554 - Encrypt and decrypt a SOAP message.

Exam 70-554 - Enable WSE in client and server applications.