         | Did this page help you? Yes No Tell us about it... |
Authentication of SOAP Requests
Topics
Which Requests Need to Be Authenticated?
Authentication requirements for the License Service requests vary for desktop products and web products:
- Desktop Products—HTTPS required
- Web Products—WS-Security and HTTPS required
About WS-Security
WS-Security, which is officially called Web Services Security: SOAP Message Security, is an open standard published by OASIS that defines mechanisms for signing and encrypting SOAP messages. The License Service supports version 1.0 of the WS-Security specification. For more information and a link to the WS-Security 1.0 specification, go to the OASIS-Open web site for WS-Security.
![[Tip]](http://docs.amazonwebservices.com/docs-common/images/tip.png) | Tip |
|---|---|
The easiest way to comply with the WS-Security requirements is to use a SOAP toolkit that supports WS-Security 1.0 and X.509 certificates. |
What Needs to Be Signed
You must sign the Timestamp element, and if you're using WS-Addressing, we
recommend you also sign the Action header element. Alternately, you can instead sign
Timestamp, Body, the Action header element, and the
To header element. For information about WS-Addressing, go to http://www.w3.org/Submission/ws-addressing/.
Message Expiration
AWS requires request messages to expire so they can't be used in malicious replay attacks. The
best practice for specifying the expiration of SOAP/WS-Security requests is to include a
Timestamp element with an Expires child element. In this case, the
message expires at the time established in the Expires element.
If no Timestamp element is present in the request, the request is rejected as
invalid. If you include a Timestamp element with a Created child element
but no Expires child element, the message expires 15 minutes after the value of the
Created element.
