SOAP Headers

SOAP headers convey authentication and locale-related information from the application client to the server. Note that SOAP headers are not used in the reverse direction, from server to client.

Security headers

The Content Engine Web Service (CEWS) complies with the OASIS WS-Security 2004 standard, which, although providing a general-purpose mechanism for associating security tokens with messages, does not require the use of any particular type of security token. Separate WS-Security profile specifications are available to define how WS-Security is implemented for different credential types. CEWS supports two WS-Security profiles: UsernameToken Profile and Kerberos Token Profile.

In addition to these two profiles, CEWS can support other WS-Security credential types through the Web Service Extensible Authentication Framework (WS-EAF). This framework allows a custom JAAS login module to be developed and plugged into the Content Engine, allowing any valid WS-Security header to be used for authentication. Authoring a WS-EAF login module requires advanced custom development, which is specific to the Java Platform, Enterprise Edition application server that is being used. For more information, see the Web Service Extensible Authentication Framework Developer's Guide.

If your client applications use the UsernameToken Profile, which requires plaintext credentials (user name and password), configure the server to use SSL (SOAP over HTTPS) so that this information is protected. For more information, see Content Engine Web Service Administration. If you use the Kerberos Token Profile, an SSL connection is not necessary (unless you want to protect your data), because Kerberos does not send client credentials.

Authentication information is carried in a SOAP header, which is present in every SOAP request. The format of the security header conforms to the WS-Security UsernameToken Profile, which requires a UsernameToken element with a required Username and optional Password attribute (omitting the Password attribute is equivalent to supplying a blank password). The client's UsernameToken element must be passed in the SOAP header of each CEWS request according to the WS-Security standard. The server also allows, but does not use, the Created and Nonce elements.

The following example shows the XML schema for a security header:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:UsernameToken>
      <wsse:Username>Alfred Hitchcock</wsse:Username>
      <wsse:Password>Vertigo</wsse:Password>
   </wsse:UsernameToken>
</wsse:Security>

The wsse prefix can use any of the following namespaces, reflecting different versions of the WS-Security specification:

  • http://schemas.xmlsoap.org/ws/2002/04/secext
  • http://schemas.xmlsoap.org/ws/2002/07/secext
  • http://schemas.xmlsoap.org/ws/2002/12/secext
  • http://schemas.xmlsoap.org/ws/2003/06/secext
  • http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

Locale-specific headers

The Content Engine Web Service supports the same level of multicultural support that is provided by the Content Engine APIs. To request a locale for rendering metadata strings and other textual information, the client can include an optional locale-specific SOAP header in any request. An effective locale that is derived from a client request is used to select locale-specific strings for metadata elements and display text.

For more information, see Localization Element.