Oracle® Fusion Middleware Release Notes
11g Release 1 (11.1.1) for Solaris Operating System (SPARC 64-Bit)

Part Number E14772-06

23 Web Services Security and Administration

This chapter describes issues associated with Web services security and administration, including Oracle Web Services Manager. It includes the following topics:

Note:

See also Section 12.33, "Web Services and XML Issues and Workarounds."

23.1 Security Issues and Workarounds

This section describes security issues and their workarounds. It includes the following topics:

23.1.1 Preventing Denial of Service Attack and Recursive Node Attack

Denial of service (DoS) and recursive node attacks are generally prevented by XML firewall solutions. In addition, Oracle SOA Suite provides capabilities to prevent denial of service and recursive node attacks by configuring the envelope size and nesting limits in SCABindingProperties.xml and oracle-webservices.xml. For more information, see "Configuring Security in Web Services" in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite.

23.1.2 Guidelines for Using @SecurityPolicy Annotation

The SecurityPolicy annotations used for policy attachment to ADF and WebCenter versus WebLogic Web services are unique and not interchangeable. A security policy attachment defined in your Web service application will not be enforced in the following scenarios:

  • If you attach a security policy to an ADF or WebCenter Web service using the weblogic.wsee.jws.jaxws.owsm.SecurityPolicy annotation.

  • If you attach a security policy to a WebLogic (Java EE) Web service using the oracle.webservices.annotations.SecurityPolicy annotation.

To guarantee that a security policy attachment is enforced in your Web service application, ensure that you use the appropriate annotation in your application code:

  • oracle.webservices.annotations.SecurityPolicy—Use to attach policies to ADF or WebCenter Web services.

  • weblogic.wsee.jws.jaxws.owsm.SecurityPolicy—Use to attach policies to WebLogic (Java EE) Web services.

23.1.3 Resolving CertificateExpiredException for SAML Holder of Key Policies

For SAML holder of key policies (for example, oracle/wss10_saml_hok_with_message_protection_service_policy), a CertificateExpiredException is returned if an expired certificate is present in the keystore, regardless of whether this certificate is being referenced. To resolve this exception, remove the expired certificate from the keystore.
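Because the exception is raised for any expired certificate in the keystore, not only the one a policy references, the first step is to find the offending alias. The following Java utility is an added example, not code from the Oracle documentation or product: it loads a JKS keystore (the OWSM default keystore type in 11g) and reports every alias whose X.509 certificate fails checkValidity(), using the same CertificateExpiredException the policy surfaces. The keystore path and password are taken from the command line; both are assumed inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Lists keystore aliases whose X.509 certificate is expired (or not yet valid). */
public class ExpiredCertFinder {

    /** Returns a description of every alias holding an expired or not-yet-valid certificate. */
    public static List<String> findExpired(KeyStore ks) throws Exception {
        List<String> hits = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Works for both private-key entries (first cert of the chain) and trusted-cert entries.
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // throws the same exception OWSM reports for HOK policies
            } catch (CertificateExpiredException e) {
                hits.add(alias + " (expired " + x509.getNotAfter() + ")");
            } catch (CertificateNotYetValidException e) {
                hits.add(alias + " (not valid before " + x509.getNotBefore() + ")");
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ExpiredCertFinder <keystore.jks> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed: keystore is in JKS format
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String hit : findExpired(ks)) {
            System.out.println("EXPIRED: " + hit);
        }
    }
}
```

Each reported alias can then be removed with keytool -delete -alias <alias> -keystore <keystore.jks> before retrying the SAML holder of key policy.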

23.1.4 Restarting Applications After Attaching Policies to ADF and WebCenter Applications

After attaching a policy to a Web service in an ADF or WebCenter Web service application, you need to stop and then restart the application for the change to take effect. You need to wait approximately 30 seconds (or the equivalent of the configured Graceful Shutdown Timeout time) between stopping and restarting the application. During this time, the server is allowing all global transactions to complete before shutting down the application. If you do not wait the configured Graceful Shutdown Timeout time, then the application will not be restarted appropriately and you will not be able to access it.

To avoid waiting the graceful shutdown timeout period, you can restart the application twice.

23.1.5 Attaching Policies to ADF and WebCenter Web Services in a Cluster

Policy attachment is not synchronized automatically for ADF and WebCenter Web services in a cluster. When using ADF and WebCenter Web services in a cluster, you must attach and/or detach policies to each instance of the cluster.

23.1.6 Naming Policies—oracle_<policyname> is Not Valid

You cannot prefix the name of a policy with "oracle_". For example, oracle_wss_http_token_service_policy is not a valid policy name. You must rename the policy to remove "oracle_" as the prefix.

When you export a policy using Oracle Enterprise Manager, the policy XML file is renamed from oracle/<policyname> to oracle_<policyname>. Before importing the policy file, you need to remove "oracle_" from the policy name. Otherwise, you will receive exceptions when trying to use the policy.

You can import the policy file using Oracle Enterprise Manager or MDS WLST. If importing the policy file using the MDS WLST commands, ensure that you import it within the oracle directory. For more information, see "Importing Web Service Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

23.1.7 Using Multibyte User Credentials with wss_http_token_* Policy

In this release, multibyte user credentials are not supported for the wss_http_token_* policies. If multibyte user credentials are required, use a different policy, such as wss_username_token_* policy. For more information about the available policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

23.1.8 Importing Custom Policies—Delay Before Policy is Available

After importing a custom policy, there will be a delay before the policy is available.

23.1.9 Importing Custom Policies Before Attaching and Deploying to a Service Application

It is recommended that you import custom policies before attaching and deploying them to a service application.

If you deploy an application with policies that do not exist in the Metadata Store (MDS), and subsequently import the policies, you need to restart the server for the policy attachment count to be updated.

23.1.10 Performing a Bulk Upload of Policies

When performing a bulk import of policies to the MDS repository, if the operation does not succeed initially, retry it until the bulk import succeeds.

This is most likely to occur with an Oracle RAC database when the database instance is switched during the metadata upload. If there are n instances in the Oracle RAC database, you may need to retry the operation up to n times.

For more information about bulk import of policies, see "Migrating Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

23.1.11 Reviewing Policy Configuration Override Values After Detaching a Client Policy

If you attach a policy to a client, override policy configuration values, and subsequently detach the policy, the policy configuration override values are not deleted. When attaching new policies to this client, ensure that you review the policy configuration override values and update them appropriately.

23.1.12 Deprecated and Unsupported Oracle Access Manager Policies

The following OAM scenario is deprecated for Oracle Fusion Middleware 11g R1:

  • Authentication between ADF client and SOA service using Oracle WSM OAM security policies. In this scenario, the ADF client sends the ObSSOCookie in the Oracle proprietary SOAP header. It is recommended that you use a SAML-based policy instead.

The following Oracle Access Manager (OAM) scenarios are not supported in Oracle Fusion Middleware 11g R1:

  • Authentication through Oracle WSM OAM service policy using ObSSOCookie in the HTTP header.

  • Authentication through Oracle WSM OAM service policy using ObSSOCookie in a proprietary SOAP header of the request sent by another service.

In each case, clients should send a SAML token instead of an ObSSOCookie.

23.2 General Issues and Workarounds

This section describes general issues and their workarounds. It includes the following topics:

23.2.1 Testing Web Services If Oracle Web Services Manager Is Not Installed

If you did not install Oracle Web Services Manager during your Oracle Fusion Middleware installation, the Web services test page available in Oracle Enterprise Manager does not work.

To resolve this issue, uncomment the active.protocol property in the $domain_home/config/fmwconfig/policy-accessor-config.xml file and set it as follows:

<property name="active.protocol">classpath</property>

You must restart the server in order for the change to take effect.

23.2.2 Error When Testing a WS-Addressing Policy Attached to a SOA Composite

If you attach a WS-Addressing policy to a SOA Composite and then attempt to test the Web service in Fusion Middleware Control, you might see the following error:

java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: A required header representing a Message Addressing Property is not present

To work around this problem, click the Parse WSDL button on the Web services test page, and then re-test the Web service on the Test Web Services page:

  1. Enable the Custom option for WS-Addressing.

  2. Enter the Policy URI.

  3. Click Test Web Service.

23.2.3 Refreshing Stale Display After Assertion Deletion

If you add an assertion to a policy and subsequently delete it, in some cases the assertion details may still be displayed in the details area. If this occurs, click on another assertion in the Assertions list to refresh the display.

23.2.4 Configuring Unit of Maximum Request Size

When configuring the Web service endpoint for a SOA, ADF, or WebCenter Web service, if you set the Maximum Request Size to -1, indicating that there is no maximum request size, then the Unit of Maximum Request Size setting is irrelevant and defaults to bytes.

23.2.5 Reviewing Localization Limitations

The following information is supported in English only in this release of Oracle Enterprise Manager:

  • All fields in the policy and assertion template except the orawsp:displayName field.

  • If using the ?orawsdl browser address, the orawsp:description field.