Authentication of SOAP Requests
Which Requests Need to Be Authenticated?
Authentication requirements for the License Service requests vary for desktop products and web products:
- Desktop Products—HTTPS required
- Web Products—WS-Security and HTTPS required
WS-Security, which is officially called Web Services Security: SOAP Message Security, is an open standard published by OASIS that defines mechanisms for signing and encrypting SOAP messages. The License Service supports version 1.0 of the WS-Security specification. For more information and a link to the WS-Security 1.0 specification, go to the OASIS-Open web site for WS-Security.
The easiest way to comply with the WS-Security requirements is to use a SOAP toolkit that supports WS-Security 1.0 and X.509 certificates.
What Needs to Be Signed
You must sign the
Timestamp element, and if you're using WS-Addressing, we
recommend you also sign the
Action header element. Alternately, you can instead sign
Action header element, and the
To header element. For information about WS-Addressing, go to http://www.w3.org/Submission/ws-addressing/.
AWS requires request messages to expire so they can't be used in malicious replay attacks. The
best practice for specifying the expiration of SOAP/WS-Security requests is to include a
Timestamp element with an
Expires child element. In this case, the
message expires at the time established in the
Timestamp element is present in the request, the request is rejected as
invalid. If you include a
Timestamp element with a
Created child element
Expires child element, the message expires 15 minutes after the value of the