Web Service Security (WS-Security)

WebLogic Workshop provides message-level security for web services through an implementation of the WS-Security Oasis web service security standard. WS-Security lets you secure the SOAP messages passed between web services using (1) security tokens, (2) digital signatures, and (3) encryption.

Although WebLogic Workshop supports both transport and message-level security, it is generally not necessary to use both sorts of security to secure a web service. In most cases, developers should choose one or the other type of security to secure their web services.

Security Tokens

Security tokens are credentials used for authentication, authorization, or both. The WebLogic Workshop implementation supports two types of tokens: (1) username and password tokens, and (2) X.509 Binary Security Tokens.

When an X.509 Binary Security Token accompanies an inbound SOAP message, the token is passed to the WebLogic Server security framework for authentication.

To include a Binary Security Token in an outbound SOAP message, you specify that you want to sign the outbound message. Signing the SOAP message automatically includes an X.509 BinarySecurityToken in the message. Note that sending an X.509 Binary Security Token without signing the outbound SOAP message is not supported.

Digital Signatures

Digital signatures are used for two purposes: (1) to authenticate the identity of the sender and (2) to ensure the integrity of SOAP messages. If any part of an incoming SOAP message has been changed in transport, the signature validation performed by the recipient will fail. In WebLogic Workshop, if you require XML signatures for incoming SOAP messages, the SOAP body must be digitally signed to be processed by the web service.

By default, digital signatures are applied only to the body of outgoing SOAP messages. You must specifically provide for the signing of elements in the header. For details see <additionalSignedElements> in the WS-Security reference documentation.

Encryption

Encryption is used to encrypt either the body of the SOAP message, the header, or both. If your web service requires encryption for incoming messages, then, at a minimum, the body of incoming SOAP messages must be encrypted.

For outgoing SOAP messages, encryption is applied only to the SOAP body by default. You must specifically provide for the encryption of elements in the header. For details see <additionalEncryptedElements> in the WS-Security reference documentation.

Note that keys used in WebLogic Workshop's implementation of WS-Security must be RSA keys.

WSSE Policy Files

Web service security is controlled through WSSE policy files. WSSE policy files are XML files with a .WSSE file extension.

To secure a web service with web service security, you create a WSSE policy file and associate that file with your web service. All outbound and inbound SOAP messages are processed according to the policy called for in the WSSE file. Inbound messages are first checked for the necessary security measures called for in the policy file. If the inbound message is found to be appropriately secured, then the SOAP message, cleaned of its security enhancements, is passed to the web service for normal processing. Outbound messages go through the reverse process: they are enhanced with the security measures called for in the policy file before they are sent out over the wire.

To access a web service secured with WS-Security, you create a policy file and associate that file with the web service control. The policy file you associate with a web service's control should match the policy file of the target web service. If the target web service requires encrypted incoming messages, then a control file targeting that web service should encrypt messages before they are sent to the web service.
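The inbound check described above, as an added example that is not WebLogic Workshop code: it takes the requirements a WSSE policy file would express (required signature, required encryption, acceptable token types) as plain function parameters and reports which measures a SOAP message lacks. The function name, the policy parameters and the sample envelope are constructed for illustration; it checks only that the measures are present and cover the SOAP body, and leaves signature verification and decryption to a later step.

```python
import xml.etree.ElementTree as ET

# WS-Security, SOAP 1.1, XML Signature and XML Encryption namespaces.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def check_inbound(envelope, require_signature, require_encryption, allowed_tokens):
    """Return the list of policy violations (hypothetical helper). An empty list
    means the message may be stripped of its wsse:Security header and handed on."""
    root = ET.fromstring(envelope)
    body = root.find("soap:Body", NS)
    sec = root.find("soap:Header/wsse:Security", NS)
    if body is None or sec is None:
        return ["missing SOAP Body or wsse:Security header"]
    problems = []
    # Which security tokens accompany the message?
    present = set()
    if sec.find("wsse:UsernameToken", NS) is not None:
        present.add("username")
    if sec.find("wsse:BinarySecurityToken", NS) is not None:
        present.add("x509")
    if not present & set(allowed_tokens):
        problems.append("no acceptable security token")
    # The body counts as signed only if a ds:Reference points at its wsu:Id.
    body_id = body.get("{%s}Id" % NS["wsu"])
    signed = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if require_signature and ("#%s" % body_id) not in signed:
        problems.append("SOAP body is not signed")
    # Encryption replaces the body content with an xenc:EncryptedData element.
    if require_encryption and body.find("xenc:EncryptedData", NS) is None:
        problems.append("SOAP body is not encrypted")
    return problems

# Constructed sample: an X.509 token plus a signature whose reference covers the body.
SIGNED = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <soap:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="cert">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
   <ds:SignatureValue>BASE64-SIG-PLACEHOLDER</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><getQuote>BEA</getQuote></soap:Body>
</soap:Envelope>""" % NS
```

A policy that requires encryption or only accepts username tokens rejects the sample message, and a signature whose reference does not point at the body's wsu:Id is reported as an unsigned body.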

For detailed information see Using WSSE Policy Files.

Related Topics

Applying WS-Security

WSSE Policy File Reference