WS Security Sign Validation Policy

General Information

Policy Type

policy-ws-security-sign-validation

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

WS Security Sign Validation policy verifies WS-Security Signature elements from SOAP responses received from the backend service. It validates signatures according to WS-Security standards to ensure message integrity and authenticity.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header Value
Authorization Bearer {token}

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [],
        "responsePolicyList": [
          {
            "type": "policy-ws-security-sign-validation",
            "name": "ws-security-sign-validation-policy",
            "description": "Verify WS-Security signatures",
            "active": true,
            "enableEnhancedSignatureValidation": false,
            "enableSignatureRemovalForDereferencing": false,
            "allowCaseInsensitiveId": false,
            "verKeyStoreName": "verification-keystore",
            "removeSignature": false
          }
        ],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example - Standard Validation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign-validation",
    "description": "Verify WS-Security signatures",
    "active": true,
    "enableEnhancedSignatureValidation": false,
    "enableSignatureRemovalForDereferencing": false,
    "allowCaseInsensitiveId": false,
    "verKeyStoreName": "verification-keystore",
    "removeSignature": false
  }
}
Full JSON Body Example - Enhanced Validation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign-validation",
    "description": "Verify with enhanced validation",
    "active": true,
    "enableEnhancedSignatureValidation": true,
    "enableSignatureRemovalForDereferencing": false,
    "allowCaseInsensitiveId": false,
    "verKeyStoreName": "verification-keystore",
    "removeSignature": false
  }
}
Full JSON Body Example - Remove Signature After Validation
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign-validation",
    "description": "Verify and remove signature",
    "active": true,
    "enableEnhancedSignatureValidation": false,
    "enableSignatureRemovalForDereferencing": false,
    "allowCaseInsensitiveId": false,
    "verKeyStoreName": "verification-keystore",
    "removeSignature": true
  }
}
Full JSON Body Example - Case Insensitive ID Matching
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-ws-security-sign-validation",
    "description": "Verify with case insensitive matching",
    "active": true,
    "enableEnhancedSignatureValidation": false,
    "enableSignatureRemovalForDereferencing": false,
    "allowCaseInsensitiveId": true,
    "verKeyStoreName": "verification-keystore",
    "removeSignature": false
  }
}
Request Body Fields
operationMetadata
Field Type Required Default Description
targetScope string Yes - Policy scope: ALL or ENDPOINT
targetEndpoint string No* - Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod string No* - HTTP method (required if targetScope=ENDPOINT)
targetPipeline string Yes - Pipeline: REQUEST, RESPONSE, or ERROR
deploy boolean No true Whether to deploy after adding policy
deployTargetEnvironmentNameList array No [] List of environment names to deploy to
order integer No null Policy execution order (starts from 1)

Enum: targetScope

  • ALL - Policy applies to all endpoints
  • ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

  • REQUEST - Executes in request pipeline (verifies incoming request signatures)
  • RESPONSE - Executes in response pipeline (verifies backend response signatures)
  • ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

  • GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
Field Type Required Default Description
type string Yes - Policy type: policy-ws-security-sign-validation
description string No - Policy description
active boolean No true Whether policy is active
enableEnhancedSignatureValidation boolean No false Enable enhanced signature validation
enableSignatureRemovalForDereferencing boolean No false Enable signature removal for dereferencing
allowCaseInsensitiveId boolean No false Allow case insensitive ID attribute matching (for cross-platform compatibility)
verKeyStoreName string Yes - Verification keystore name
removeSignature boolean No false Remove signature after validation

Note

  • verKeyStoreName is required.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/ws-security-sign-validation-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "RESPONSE",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-ws-security-sign-validation",
      "description": "Verify WS-Security signatures",
      "active": true,
      "enableEnhancedSignatureValidation": false,
      "enableSignatureRemovalForDereferencing": false,
      "allowCaseInsensitiveId": false,
      "verKeyStoreName": "verification-keystore",
      "removeSignature": false
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header Value
Authorization Bearer {token}
Content-Type application/json

Path Parameters

Parameter Type Required Description
projectName string Yes Project name
apiProxyName string Yes API Proxy name
policyName string Yes Policy name

Request Body

Full JSON Body Example
{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "RESPONSE",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

  • Signature Verification:
    • Verifies WS-Security signatures from backend responses
    • Ensures message integrity and authenticity
    • Requires verification keystore with appropriate public keys/certificates
  • Enhanced Validation:
    • enableEnhancedSignatureValidation: true - Enables enhanced signature validation
    • Provides more thorough validation checks
    • May be slower but more secure
  • Signature Removal:
    • removeSignature: true - Removes signature after validation
    • Useful when signature is not needed downstream
    • Signature is removed only after successful validation
  • Signature Removal for Dereferencing:
    • enableSignatureRemovalForDereferencing: true - Enables signature removal for dereferencing
    • Used in specific scenarios where signature needs to be removed during dereferencing
  • Case Insensitive ID Matching:
    • allowCaseInsensitiveId: true - Allows matching ID attributes regardless of case
    • Useful for cross-platform compatibility (e.g., .NET vs Java)
    • May be necessary when backend uses different ID attribute casing
  • Key Store:
    • Verification keystore must be configured in Apinizer
    • Keystore must contain appropriate public keys/certificates
    • Keys must match those used by the backend service for signing
  • Performance: Signature verification adds cryptographic processing overhead. Use for necessary security only.
  • Pipeline:
    • REQUEST pipeline verifies incoming request signatures
    • RESPONSE pipeline verifies backend response signatures (most common)
  • Error Handling:
    • Signature verification failure causes policy to fail
    • Invalid keystore or missing keys causes policy to fail
    • Invalid signature causes request/response to be rejected
  • Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.