

<MessagePredicate> Element

Specifies the XML elements that incoming SOAP messages must contain.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)

<MessagePredicate 
  Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
  wsp:Body() wsp:Header(headerName) wse:Timestamp()
  wse:UsernameToken() wse:Addressing()
</MessagePredicate>

Attributes and Elements

Attributes

Attribute Description

wsp:Dialect

Required attribute. Specifies the dialect in which the XML elements are expressed. This must be https://schemas.xmlsoap.org/2002/12/wsse#part.

Child Elements

None

Parent Elements

Element Description

<Policy> Element (WSE for Microsoft .NET) (1)

Specifies a SOAP message requirement.

Text Value

A text value is required. The text value specifies the XML elements that incoming SOAP messages must contain. The XML elements, which are known as message parts, are each separated by a space.

The following table lists the valid message parts for the <MessagePredicate> element.

Message Part Description

wsp:Body()

The <Body> element of the SOAP message. This assumes that the wsp namespace prefix is mapped to the https://schemas.xmlsoap.org/ws/2002/12/policy namespace.

wsp:Header( headerName )

The SOAP header specified in the headerName parameter. For example, to specify the To SOAP header specified in the WS-Addressing specification, use wsp:Header(wsa:To). This assumes that the wsp and wsa namespace prefixes are mapped to the https://schemas.xmlsoap.org/ws/2002/12/policy and https://schemas.xmlsoap.org/ws/2004/03/addressing namespaces, respectively. Custom SOAP headers are allowed for Integrity only if they are one level below <soap:Header>.

wse:Timestamp()

The <Timestamp> element within the Security SOAP header. This assumes that the wse namespace prefix is mapped to the https://schemas.microsoft.com/wse/2003/06/Policy namespace.

wse:UsernameToken()

All Username tokens in the SOAP header. This assumes that the wse namespace prefix is mapped to the https://schemas.microsoft.com/wse/2003/06/Policy namespace.

wse:Addressing()

All addressing headers in the SOAP header. This assumes that the wse namespace prefix is mapped to the https://schemas.microsoft.com/wse/2003/06/Policy namespace.

Remarks

When using policy to require digital signatures on incoming SOAP messages, always use the <MessagePredicate> element. WSE uses the <MessagePredicate> element to determine which XML elements to check for in the SOAP message. Adding an <Integrity> element to a policy file specifies that a digital signature must exist, but only if the XML elements specified in the <Integrity> element exist in the SOAP message. If they do not, the SOAP message satisfies the requirements of the policy and is allowed to access the Web service. To remedy this potential problem, add a <MessagePredicate> element that specifies the XML elements that must exist in the incoming SOAP message.

Note

The <MessagePredicate> element is verified only on incoming SOAP messages.
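
The gap described in the Remarks can be checked for in a policy file. The following Python audit is an added example, not part of the original WSE documentation: it reports message parts listed under <Integrity> that no <MessagePredicate> in the same policy requires. The function names and the sample policy are constructed for illustration, and part names are compared as exact strings (an assumption: wse:Addressing() is not expanded into individual wsp:Header(...) entries).

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the policy file on this page.
WSP = "https://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "https://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PART = re.compile(r"[\w.-]+:[\w.-]+\([^)]*\)")  # e.g. wsp:Header(wsa:To)

def parts(element):
    """Message parts named in an element's text value, whitespace-normalized."""
    return {"".join(p.split()) for p in PART.findall(element.text or "")}

def unguarded_parts(policy_xml):
    """Map policy Id -> signed parts that no <MessagePredicate> requires."""
    findings = {}
    root = ET.fromstring(policy_xml)
    for n, policy in enumerate(root.iter(f"{{{WSP}}}Policy")):
        required, signed = set(), set()
        for pred in policy.iter(f"{{{WSP}}}MessagePredicate"):
            required |= parts(pred)
        for integrity in policy.iter(f"{{{WSSP}}}Integrity"):
            for mp in integrity.iter(f"{{{WSSP}}}MessageParts"):
                signed |= parts(mp)
        if signed - required:
            findings[policy.get(f"{{{WSU}}}Id", f"#{n}")] = sorted(signed - required)
    return findings

# Constructed sample (Dialect attributes omitted): Ids and contents are illustrative.
SAMPLE = f"""<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsp="{WSP}" xmlns:wssp="{WSSP}" xmlns:wsu="{WSU}">
  <policies>
    <wsp:Policy wsu:Id="SignOnly">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:MessageParts>wsp:Body() wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="SignWithPredicate">
      <wsp:MessagePredicate>wsp:Body() wse:Timestamp()</wsp:MessagePredicate>
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:MessageParts>wsp:Body() wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>"""

if __name__ == "__main__":
    for policy_id, missing in unguarded_parts(SAMPLE).items():
        print(f"{policy_id}: signature is optional for {', '.join(missing)}")
```

A policy that appears in the result accepts messages in which the listed parts are absent, and therefore unsigned.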

Example

The following code example requires that incoming SOAP messages contain a SOAP body, timestamp header, and all addressing headers that are signed by a Kerberos ticket.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="https://localhost/KerberosPolicyService/KerberosService.asmx">
      <defaultOperation>
        <request policy="#SignAndEncryptWithKerb" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="SignAndEncryptWithKerb"
      xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing" >
      <wsp:MessagePredicate
        Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action)
        wsp:Header(wsa:MessageID) wsp:Header(wsa:From)
      </wsp:MessagePredicate>
      <wssp:Integrity wsp:Usage="wsp:Required"
        xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:TokenInfo>
          <SecurityToken
            xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType
              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">https://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST</wssp:TokenType>
          </SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
            wsp:Body() wse:Timestamp() wse:Addressing()
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>

See Also

Reference

<Policy> Element (WSE for Microsoft .NET) (1)
<Integrity> Element

Concepts

Policy File Schema

Other Resources

Configuring a Web Service's Policy