This graphic illustrates the concept of a SOAP signature:
Using the SOAP transport hook, you can plug in security components, namely a signer and a verifier with logging capability. The transport hook is called the EnvelopeEditor. A PluggableEnvelopeEditor is also provided, which allows you to plug in your security components. As illustrated, the EnvelopeEditor is encapsulated in the SOAPTransport on the client side. On the server side, the EnvelopeEditor is encapsulated in RPC/MessageRouterServlet. This means the same components can be used on either the client or the server.
See Envelope Editor for instructions on enabling and using this pluggable component.
When a client application sends a request, the request is signed and transmitted to the server. At the server, the request is verified and delivered to a server application or, in the case of an RPC, to a Java(TM) object. The response is processed in the same manner. The verifier component also has a logging function that writes the verified messages to a file. The signature and verifier components are configurable. You can specify encryption, message digest algorithm, certificate path policy, and other security technologies.
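The sign-on-send, verify-and-log-on-receive flow described above, as an added example that is not the product's own code. The `EnvelopeHook` interface, the class names and the sample envelope are hypothetical, and the signature is carried as a detached first line rather than as an XML Signature in the SOAP header.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class EnvelopeHookDemo {
    // Hypothetical stand-in for the transport hook: one method per direction.
    interface EnvelopeHook {
        String editOutgoing(String envelope) throws GeneralSecurityException;
        String editIncoming(String wire) throws GeneralSecurityException;
    }
    // The same component serves client and server: it signs outgoing
    // envelopes and verifies (then logs) incoming ones.
    static class SigningHook implements EnvelopeHook {
        private final PrivateKey ownKey;   // signs what this side sends
        private final PublicKey peerKey;   // verifies what the peer sent
        final List<String> verifiedLog = new ArrayList<>(); // stands in for the log file
        SigningHook(PrivateKey ownKey, PublicKey peerKey) { this.ownKey = ownKey; this.peerKey = peerKey; }

        public String editOutgoing(String envelope) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(ownKey);
            s.update(envelope.getBytes(StandardCharsets.UTF_8));
            // Simplification: base64 signature on line 1, envelope after it.
            return Base64.getEncoder().encodeToString(s.sign()) + "\n" + envelope;
        }
        public String editIncoming(String wire) throws GeneralSecurityException {
            int nl = wire.indexOf('\n');
            if (nl < 0) throw new SignatureException("unsigned envelope rejected");
            String envelope = wire.substring(nl + 1);
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(peerKey);
            s.update(envelope.getBytes(StandardCharsets.UTF_8));
            if (!s.verify(Base64.getDecoder().decode(wire.substring(0, nl))))
                throw new SignatureException("signature check failed");
            verifiedLog.add(envelope); // only verified messages reach the log
            return envelope;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair client = g.generateKeyPair(), server = g.generateKeyPair();
        EnvelopeHook clientSide = new SigningHook(client.getPrivate(), server.getPublic());
        SigningHook serverSide = new SigningHook(server.getPrivate(), client.getPublic());
        String request = "<Envelope><Body><getQuote symbol=\"IBM\"/></Body></Envelope>"; // constructed sample
        String wire = clientSide.editOutgoing(request);
        System.out.println("delivered: " + serverSide.editIncoming(wire));
        try { serverSide.editIncoming(wire.replace("\"IBM\"", "\"XYZ\"")); } // body altered in transit
        catch (SignatureException e) { System.out.println("tampered request: " + e.getMessage()); }
        System.out.println("server log entries: " + serverSide.verifiedLog.size());
    }
}
```

The altered request never reaches the application or the log, so the log holds one entry after both deliveries are attempted.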
You can control and customize how the SOAP envelope performs the signature and verification processes through these components: