Skip Headers
Oracle® Fusion Middleware Security and Administrator's Guide for Web Services
11g Release 1 (11.1.1)

Part Number B32511-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

D Schema Reference for Predefined Assertions

This appendix provides the XML schema for reference when creating a WS-Policy file that contains Web service assertions. Sections include:

Graphical Representation

The following graphic describes the element hierarchy of the assertions in the WS-Policy file.

Figure D-1 Element Hierarchy of an Assertion

Description of Figure D-1 follows
Description of "Figure D-1 Element Hierarchy of an Assertion"

The following sections describe each element and their subelements in detail:

Element Descriptions

The following sections describe the elements in the assertion in more detail. The main elements are described up front. The subelements are described following the main elements and are organized in alphabetical order.

wsp:Policy

Groups nested policy assertions.

Attributes

The following table summarizes the WS-Policy attributes, including the Oracle extensions.

Table D-1 Oracle Extensions to WS-Policy Attributes

Attribute Description

Name

Name of the policy.

attachTo

Policy subjects to which the policy can be attached. Valid values include:binding.client, binding.server, binding.any.

category

Category of the policy. Valid values include: security, mtom, wsrm, addressing, and management.

description

Description of the policy.

displayName

Name displayed in the user interface.

localOptimization

Flag that specifies whether local optimization is enabled. Oracle WSM supports a SOA local optimization feature for composite-to-composite invocations in which the reference of one composite specifies a Web service binding to a second composite. Valid values include:

  • On—Local optimization is enabled

  • Off—Local optimization is turned off. The request goes through the usual WS/SOAP/HTTP process

  • Check Identity—Optimize only if a JAAS subject already exists in the current thread, indicating that authentication has already succeeded. Otherwise, go through the usual WS/SOAP/HTTP process.

status

Status of the policy reference. Valid values include: enabled and disabled.

smartDigest

Smart Digest.

oraSmartDigest

Smart Digest.

subjectCount

Number of subjects to which the policy is attached currently.

versionCreator

Author of the current version.

versionNumber

Number of the current version.

versionTime

Time the current version was creatd.

id

Policy ID.


Example

<wsp:Policy 
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" 
 xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy" 
 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" 
 xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
 Name="oracle/wss11_x509_token_with_message_protection_client_policy" 
 orawsp:attachTo="binding.client" 
 orawsp:category="security" 
orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescription
Bundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDescKey" 
orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescription
Bundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDispNameKey"
 orawsp:local-optimization="check-identity" 
 orawsp:oraSmartDigest="935231872" 
 orawsp:smartDigest="201244603" 
 orawsp:status="enabled" 
 orawsp:versionCreator="mdsInternal" 
 orawsp:versionNumber="1" 
 orawsp:versionTime="1238006529607" 
 wsu:Id="wss11_x509_token_with_message_protection_client_policy">
...
</wsp:Policy>

wsp:ExactlyOne

Optional element that defines an OR group. For more information about OR groups, see "Defining Multiple Policy Alternatives (OR Groups)".

Attributes

The following table summarizes the attribute of the <wsp:ExactlyOne> element.

Table D-2 Attribute of <wsp:ExactlyOne> Element

Attribute Description

Name

Set to OR to indicate that this is an OR group.


Example

<wsp:ExactlyOne orawsp:name="Or">
<orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
   orawsp:category="security/msg-protection, security/authentication"
   orawsp:name="WS-Security 1.1 Saml  with certificates">
<orasp:saml-token orasp:confirmation-type="sender-vouches"
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
   orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
<orasp:msg-security orasp:algorithm-suite="Basic128"
   orasp:confirm-signature="true" orasp:encrypt-signature="false"
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true"
   orasp:use-derived-keys="false">
...
<orasp:wss11-username-with-certificates orawsp:Enforced="true"
   orawsp:Silent="false" orawsp:category="security/authentication, 
   security/msg-protection" 
   orawsp:name="WS-Security 1.1 username with certificates">
<orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:sign-key-ref-mech="thumbprint"/>
<orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:confirm-signature="true" orasp:encrypt-signature="false" 
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
   orasp:use-derived-keys="false">
...
</wsp:ExactlyOne>

orasp:Assertion

Main element of the assertion. Valid assertion elements include:

Attributes

The following table summarizes the attributes of the <orasp:Assertion> element.

Table D-3 Attributes of <orasp:Assertion> Element

Attribute Description

Optional

Flag that specifies whether the assertion is optional or required.

Silent

Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised.

Enforced

Flag that specifies whether the assertion is currently enabled. Valid values are true or false.

name

Name of the assertion.

description

Description of the assertion.

category

Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging, mtom, wsrm, addressing, and management.


Example

<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true"
  orawsp:Silent="false" orawsp:category="security/authentication,
  security/msg-protection" 
  orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
...
</orasp:wss11-mutual-auth-with-certificates>

orawsp:bindings

The <oraswsp:bindings> element defines the bindings in the assertion. This element contains the following subelement:

Example

<orawsp:bindings>
  <orawsp:Config orawsp:configType="declarative" 
   orawsp:name="Wss11SamlWithCertsConfig">
    <orawsp:PropertySet orawsp:name="standard-security-properties">
      <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
       orawsp:type="string">
        <orawsp:Value>ultimateReceiver</orawsp:Value>
      </orawsp:Property>
    </orawsp:PropertySet>
  </orawsp:Config>
 </orawsp:bindings>

orawsp:Config

The <oraswsp:Config> element defines the configuration for the assertion. This element can contain the following subelement:

Attributes

The following table summarizes the attributes of the <orawsp:Config> element.

Table D-4 Attributes of <orawsp:Config> Element

Attribute Description

name

Name of the configuration.

type

Category to which the configuration applies.

configType

Configuration type. Valid values include: declarative and programmatic.

  • declarative—Use deployment descriptors and configuration files to describe authentication and authorization requirements.

  • programmatic—Embed security enforcement within the application.


Example

<orawsp:Config orawsp:configType="declarative" 
 orawsp:name="Wss11SamlWithCertsConfig">
  <orawsp:PropertySet orawsp:name="standard-security-properties">
    <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
     orawsp:type="string">
      <orawsp:Value>ultimateReceiver</orawsp:Value>
    </orawsp:Property>
  </orawsp:PropertySet>
</orawsp:Config>

orawsp:PropertySet

The <oraswsp:PropertySet> element groups nested properties. This element contains the following subelement:

Attributes

The following table summarizes the attributes of the <orawsp:PropertySet> element.

Table D-5 Attributes of <orawsp:PropertySet> Element

Attribute Description

name

Name of the property set.


Example

<orawsp:PropertySet orawsp:name="standard-security-properties">
    <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
     orawsp:type="string">
      <orawsp:Value>ultimateReceiver</orawsp:Value>
    </orawsp:Property>
  </orawsp:PropertySet>

orawsp:Property

The <oraswsp:Property> element defines a single property. The following summarize valid properties used by the predefined assertions.

The <orawsp:Property> element can contain the following subelements:

Attributes

The following table summarizes the attributes of the <orawsp:Property> element.

Table D-6 Attributes of <orawsp:Property> Element

Attribute Description

name

Name of the property. See Table D-7 for a list of property values used by the predefined assertions.

type

Type of the property. For example, string.

contentType

Specifies whether the property is required and can be overridden. Valid values include:

  • constant—Property is a constant value and cannot be overridden.

  • required—Property is required and can be overridden.

  • optional—Property is optional and can be overridden.

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".


The following table summarizes the properties used by the predefined assertions.

Table D-7 Properties Used by the Predefined Assertions

Property Description

action

Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.

attesting.mapping.attribute

The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies.

BaseRetransmissionInterval

Interval, in milliseconds, that the source endpoint waits after transmitting a message and before it retransmits the message.

If the source endpoint does not receive an acknowledgement for a given message within the interval specified by this element, the source endpoint retransmits the message. The source endpoint can modify this retransmission interval at any point during the lifetime of the sequence of messages. This assertion does not alter the formulation of messages as transmitted, only the timing of their transmission.

This value defaults to 3000.

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. The default value is basic.credentials.

DeliveryAssurance

Delivery assurance. Valid values include:

  • InOrder—Messages are delivered in the order they were sent. This is the default.

  • AtLeastOnce—Every message is delivered at least once. It is possible that some messages are delivered more than once.

  • AtLeastOnceInOrder—Every message is delivered at least once and in the order they were sent. It is possible that some messages are delivered more than once.

  • ExactlyOnce—Every message is delivered exactly once, without duplication.

  • ExactlyOnceInOrder—Every message is delivered exactly once, without duplication, and in the order they were sent.

  • AtMostOnce—Messages are delivered at most once, without duplication. It is possible that some messages may not be delivered at all.

  • AtMostOnceInOrder—Messages are delivered at most once, without duplication and in the order received. It is possible that some messages may not be delivered at all.

jdbc-connection-name

JNDI reference to a JDBC data store. Valid when the StoreType is set to JDBC. This value defaults to jdbc/MessagesStore.

InactivityTimeout

Period of inactivity (in milliseconds) for a sequence of messages. A sequence of messages is defined as a set of messages, identified by a unique sequence number, for which a particular delivery assurance applies; typically a sequence originates from a single source endpoint. If, during the duration specified by this element, a destination endpoint has received no messages from the source endpoint, the destination endpoint may consider the sequence to have been terminated due to inactivity. The same applies to the source endpoint.

This value defaults to 600000.

keystore.enc.csf.key

If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides".

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Can be superseded by "Using Service Identity Certification Extension".

on.behalf.of

Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is false.

permission-class

Class used for the permission-based checking. For example, oracle.wsm.security.WSFuncPermission.

realm

HTTP realm. This value defaults to owsm.

resource

Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

role

SOAP role. This value defaults to ultimateReceiver.

saml.assertion.filename

File containing SAML assertions. This value defaults to temp.

saml.audience.uri

Represents the relying party, as a comma-separated URI. This field accepts wildcards.

saml.issuer.name

Name of the issuer of the SAML token. This value defaults to www.oracle.com.

saml.trusted.issuers

A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level.

service.principal.name

Kerberos principal name that identifies the service.

StoreName

Name of the message store. This value defaults to oracle.

StoreType

Type of message store. Valid values include:

  • InMemory—Messages are stored in memory. This is the default.

  • JDBC—Messages are stored using JDBC.

sts.auth.caller.principal.name

Client's principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. It is of the format <username>@<REALM NAME>.

sts.auth.keytab.location

Location of the client's keytab file.

sts.auth.on.behalf.of.csf.key

Use to configure "on behalf of" entity. If present, it will be given preference over Subject (if it exists).

sts.auth.service.principal.name

Principal name for the Web service that needs to be protected. It is of the format <host>/<machine name>@<REALM NAME>. For example, HTTP/mymachine@MYREALM.COM.

sts.auth.user.csf.key

Use to configure username/password to authenticate to the STS.

If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.

sts.auth.x509.csf.key

Use to configure X509 certificate for authenticating to the STS.

If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.

sts.keystore.recipient.alias

The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.

subject.precedence

Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject.

user.attributes

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion.

user.roles.include

SOAP roles to be included. This value defaults to false.


Example

<orawsp:PropertySet orawsp:name="standard-security-properties">
  <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
   orawsp:type="string">
    <orawsp:Value>ultimateReceiver</orawsp:Value>
  </orawsp:Property>
</orawsp:PropertySet>

orawsp:Description

The <oraswsp:Description> element provides a description of the property.

Example

<orawsp:Description>My description.</orawsp:Description>

orawsp:Value

The <oraswsp:Value> element provides a list of valid values for the property.

Example

<orawsp:Value>ultimateReceiver</orawsp:Value>

orawsp:guard

The <orawsp:guard> element defines the resource, action, and constraint match values.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

<orawsp:guard>
  <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV'
    || messageContext.requestOrigin == 'internal')}
  </orawsp:constraint-match>
</orawsp:guard>

orawsp:resource-match

The <orawsp:resource-match> element specifies the name of the resource for which authorization checks are performed. This field accepts wildcards.

For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

orawsp:action-match

The <orawsp:resource-match> element specifies the action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

orawsp:constraint-match

The <orawsp:constraint-match> element specifies the constraints against which authorization checks are performed. The value is an expression specified using the following two messageContext properties:

  • messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV.

  • messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP server administrator has added a custom VIRTUAL_HOST_TYPE header to the request.

    The properties and their values are case sensitive. The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.

    Note:

    This element is supported with the binding-authorization element only. For other authorization assertion elements, this field is reserved for future use.

Example

<orawsp:guard>
<orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV' ||
   messageContext.requestOrigin == 'internal')} 
         </orawsp:constraint-match>
</orawsp:guard>

oralgp:Logging

The <orasp:Logging> element defines the logging policy.

The <orasp:Logging> element contains the following subelements:

Example

<oralgp:Logging orawsp:Enforced="false" orawsp:Silent="true"
 orawsp:category="security/logging" orawsp:name="Log Message1">
  <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
  </oralgp:msg-log>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</oralgp:Logging>

orasp:binding-authorization

The <orasp:binding-authorization> element defines a simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.

The <orasp:binding-authorization> element contains the following subelements:

It also contains one of the following subelements:

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>

orasp:binding-permission-authorization

The <orasp:binding-permission-authorization> element defines simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.

The <orasp:binding-permission-authorization> element contains the following subelements:

Example

<orasp:binding-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="BindingPermissionAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission
          </orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
 </orasp:binding-permission-authorization>

orasp:coreid-security

The <orasp:coreid-security> element uses the credentials in the WS-Security header's binary security token to authenticate users against the Oracle Access Manager identity store.

It contains the following subelements:

Example

<orasp:coreid-security orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authentication, security/authorization" 
 orawsp:name="OAM Security">
  <orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="CoreIdConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
       </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:coreid-security>

orasp:http-security

The <orasp:http-security> element uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store.

It contains the following subelements:

Example

<orasp:http-security orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="Http over SSL Security">
  <orasp:auth-header orasp:mechanism="basic"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="realm" 
         orawsp:type="string">
          <orawsp:Value>owsm</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-security>

orasp:kerberos-security

The <orasp:kerberos-security> element enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

It contains the following subelements:

Example

<orasp:kerberos-security orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSS Kerberos Token">
  <orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" 
   orasp:type="gss-apreq-v5"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="KerberosSecurityConfig"/>
  </orawsp:bindings>
</orasp:kerberos-security>

orasp:sca-component-authorization

The <orasp:sca-component-authorization> element defines simple role-based authorization for the request based on the authenticated subject at the SOA component level.

The <orasp:sca-component-authorization> element contains the following subelement:

It also contains one of the following subelements:

Example

<orasp:sca-component-authorization orawsp:Enforced="true" orawsp:Silent="true"
 orawsp:category="security/authorization" orawsp:name="Fabric Component 
 Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative"  
     orawsp:name="FabricAuthzConfig"/>
  </orawsp:bindings>
 </orasp:sca-component-authorization>

orasp:sca-component-permission-authorization

The <orasp:sca-component-permission-authorization> element provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.

The <orasp:binding-permission-authorization> element contains the following subelements:

Example

<orasp:sca-component-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="Fabric Component Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="FabricAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" 
         orawsp:type="string">
         <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>
         oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:sca-component-permission-authorization>

orasp:wss10-anonymous-with-certificates

The <orasp:wss10-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

Example

<orasp:wss10-anonymous-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" orawsp:category="security/msg-protection" 
orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-anonymous-with-certificates>

orasp:wss10-mutual-auth-with-certificates

The <orasp:wss10-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

Example

<orasp:wss10-mutual-auth-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 Mutual Auth with 
 certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-mutual-auth-with-certificates>

orasp:wss10-saml-hok-with-certificates

The <orasp:wss1-saml-hok-with-certificates> element provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

Example

<orasp:wss10-saml-hok-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 SAML Holder Of Key
 with certificates">
  <orasp:saml-token orasp:confirmation-type="holder-of-key" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" 
   orasp:sign-key-ref-mech="ski"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128"     
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
        <orasp:encrypted-parts>
          <orasp:body/>
        </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10SamlHOKWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" 
         orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
          orawsp:name="saml.assertion.filename" orawsp:type="string">
          <orawsp:Value>temp</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-hok-with-certificates>

orasp:wss10-saml-token

The <orasp:wss10-saml-token> element authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

It contains the following subelements:

Example

<orasp:wss10-saml-token orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSSecurity SAML Token">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
           orawsp:type="string">
            <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-token>

orasp:wss10-saml-with-certificates

The <orasp:wss10-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

Example

<orasp:wss10-saml-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-with-certificates>

orasp:wss10-username-with-certificates

The <orasp:wss10-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

Example

<orasp:wss10-username-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WS-Security 1.0 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
   </orasp:response>
   <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-username-with-certificates>

orasp:wss11-anonymous-with-certificates

The <orasp:wss11-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

Example

<orasp:wss11-anonymous-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" orawsp:category="security/msg-protection" 
 orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-anonymous-with-certificates>

orasp:wss11-mutual-auth-with-certificates

The <orasp:wss11-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

Example

<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true"
  orawsp:Silent="false" orawsp:category="security/authentication,
  security/msg-protection" 
  orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128"
   orasp:confirm-signature="false" orasp:encrypt-signature="false" 
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
   orasp:use-derived-keys="false">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" 
         orawsp:type="string">
           <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
     </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-mutual-auth-with-certificates>

orasp:wss11-saml-with-certificates

The <orasp:wss11-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

Example

<orasp:wss11-saml-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.1 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-saml-with-certificates>

orasp:wss11-username-with-certificates

The <orasp:wss11-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

Example

<orasp:wss11-username-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WS-Security 1.1 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
   </orasp:response>
   <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-username-with-certificates>

orasp:wss-saml-token-bearer-over-ssl

The <orasp:wss-saml-token-bearer-over-ssl> element authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

It contains the following subelements:

Example

<orasp:wss-saml-token-bearer-over-ssl orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity Saml Token With Confirmation method Bearer Over SSL ">
  <orasp:saml-token orasp:confirmation-type="bearer" orasp:is-encrypted="false" 
   orasp:is-signed="false" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenBearerOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-bearer-over-ssl>

orasp:wss-saml-token-over-ssl

The <orasp:wss-saml-token-over-ssl> element enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

It contains the following subelements:

Example

<orasp:wss-saml-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity SAML Token Over SSL">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="true"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-over-ssl>

orasp:wss-username-token

The <orasp:wss-username-token> element enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header.

It contains the following subelements:

Example

<orasp:wss-username-token orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication"
 orawsp:name="WSSecurity UserName Token">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssUsernameTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token>

orasp:wss-username-token-over-ssl

The <orasp:wss-username-token-over-ssl> element uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store.

It contains the following subelements:

Example

<orasp:wss-username-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity UserName Token Over SSL">
  <orasp:username-token orasp:add-created="true" orasp:add-nonce="true" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssUsernameTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token-over-ssl>

rm:RMAssertion

The <rm:RMAssertion> element provides support for version 1.0 and version 1.1 of the Web Services Reliable Messaging protocol. The version supported depends on the XML schema namespace value used:

  • WS-ReliableMessaging 1.1: http://docs.oasis-open.org/ws-rx/wsrmp/200702

  • WS-ReliableMessaging 1.0: http://schemas.xmlsoap.org/ws/2005/02/rm/policy

This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming.

The <rm:RMAssertion> element contains the following subelement:

Example

<rm:RMAssertion xmlns:rm="http://schemas.xmlsoap.org/ws/2005/02/rm/policy" 
  orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="wsrm" 
orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wsrm10_policy_RMAssertion_AssertionDescKey" 
 orawsp:name="RM 1.0">
  <wsp:Policy/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="RMConfig">
      <orawsp:PropertySet orawsp:name="standard-wsrm-properties">
        <orawsp:Property orawsp:name="DeliveryAssurance" orawsp:type="string">
          <orawsp:Description>Delivery Assurance. Possible values 
           (case-insensitive) are InOrder,  AtLeastOnce, AtLeastOnceInOrder, 
           ExactlyOnce, ExactlyOnceInOrder, AtMostOnce, 
           AtMostOnceInOrder.</orawsp:Description>
          <orawsp:Value>inorder</orawsp:Value>
          <orawsp:DefaultValue>inorder</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreType" orawsp:type="string">
          <orawsp:Description>The type of message store used. Possible values 
           (case-insensitive) areInMemory, JDBC.</orawsp:Description>
          <orawsp:Value>inmemory</orawsp:Value>
          <orawsp:DefaultValue>inmemory</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreName" orawsp:type="string">
          <orawsp:Description>The name of the message store.
          </orawsp:Description>
          <orawsp:Value>oracle</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="jdbc-connection-name" orawsp:type="string">
          <orawsp:Description>The JNDI reference to a JDBC data source, when 
           the store type is JDBC.</orawsp:Description>
          <orawsp:Value>jdbc/MessagesStore</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="InactivityTimeout" orawsp:type="int">
          <orawsp:Description>The inactivity timeout duration, specified in 
           milliseconds.</orawsp:Description>
          <orawsp:Value>600000</orawsp:Value>
         </orawsp:Property>
         <orawsp:Property orawsp:name="BaseRetransmissionInterval" 
          orawsp:type="int">
           <orawsp:Description>The base retransmission interval, specified in 
            milliseconds.</orawsp:Description>
           <orawsp:Value>3000</orawsp:Value>
         </orawsp:Property>
       </orawsp:PropertySet>
     </orawsp:Config>
  </orawsp:bindings>
</rm:RMAssertion>

wsaw:UsingAddressing

The <wsaw:UsingAddressing> element causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.

The <wsaw:UsingAddressing> element contains the following subelement:

Example

<wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" 
 orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="addressing" 
 orawsp:name="WS-Addressing 2005">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsaw:UsingAddressing>

wsoma:OptimizedMimeSerialization

The <wsoma:OptimizedMimeSerialization> element rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM refers to specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for SOAP 1.2 and SOAP 1.1 bindings, respectively.

The <wsoma:OptimizedMimeSerialization> element contains the following subelement:

Example

<wsoma:OptimizedMimeSerialization 
 xmlns:wsoma=
 "http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" 
 orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="mtom" 
 orawsp:name="MTOM">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsoma:OptimizedMimeSerialization>

oralgp:fault

The <oralgp:fault> element configures logging for the fault message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:request

The <oralgp:request> element configures logging for the request message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:response

The <oralgp:response> element configures logging for the response message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:msg-log

The <oralgp:msg-log> element configures logging for the request, response, and fault messages. The <oralgp:msg-log> element contains the following subelements:

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

orasp:attachment

The <orasp:attachment> element defines the attachment information.

Attributes

The following table summarizes the attributes of the <orasp:attachment> element.

Table D-8 Attributes of <orasp:attachment> Element

Attribute Description

include-mime-headers

Flag that specifies whether or include MIME headers. Valid values include true or false.


Example

<orasp:signed-parts>
  <orasp:header orasp:name="From" 
    orasp:namespace="http://www.w3.org/2005/08/addressing"/>
   <orasp:attachment orasp:include-mime-headers="false"/>
</orasp:signed-parts>

orasp:auth-header

The <orasp:auth-header> element specifies the name of the authentication header.

Attributes

The following table summarizes the attribute of the <orasp:auth-header> element.

Table D-9 Attributes of <orasp:auth-header> Element

Attribute Description

mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • cert—Client authenticates itself by transmitting a certificate.

  • custom—Custom authentication mechanism.


Examples

<orasp:auth-header orasp:mechanism="basic"/>

orasp:body

The <orasp:body> element defines the message body elements that are signed and encrypted. To include the entire body, specify the body element as follows: <orasp:body/>.

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:check-permission

The <orasp:check-permission> element specifies that permissions are to be checked.

Example

<orasp:binding-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  ...
</orasp:binding-permission-authorization>

orasp:coreid-token

The <orasp:coreid-token> element defines the OAM token.

Attributes

The following table summarizes the attributes of the <orasp:coreid-token> element.

Table D-10 Attributes of <orasp:coreid-token> Element

Attribute Description

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.


Example

<orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/> 

orasp:denyAll

The <orasp:denyAll> element denies all users with any roles.

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>

orasp:element

The <orasp:element> element defines a header or body element that is signed or encrypted.

Attributes

The following table summarizes the attributes of the <orasp:element> element.

Table D-11 Attributes of <orasp:element> Element

Attribute Description

name

Name of the header or body element.

namespace

Namespace.


Example

<orasp:signed-elements>
  <orasp:element orasp:name="BodyElement" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:signed-elements>

orasp:encrypted-elements

The <orassp:encrypted-elements> element defines the message body elements that are signed. This element is valid if <orasp:encrypted-parts> is not set to <orasp:body/>

The <orassp:encrypted-parts> element contains the following subelement:

Example

<orasp:encrypted-elements>
  <orasp:element orasp:name="Myhead" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:encrypted-elements>

orasp:encrypted-parts

The <orasp:encrypted-parts> element defines the message parts that are encrypted.

The <orasp:encrypted-parts> element contains one or more of the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:fault

The <orasp:fault> element defines the message body elements that are signed and encrypted in the fault message. The <orasp:fault> element contains the following subelements:

Example

<orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>

orasp:header

The <orasp:header> element defines a header element.

Attributes

The following table summarizes the attributes of the <orasp:header> element.

Table D-12 Attributes of <orasp:header> Element

Attribute Description

name

Name of the header element. The default header elements in the predefined namespace include: To, From, FaultTo, ReplyTo, MessageID, RelatesTo, and Action.

namespace

Namespace. The predefined namespace is as follows: http://www.w3.org/2005/08/addressing.


Example

<orasp:signed-parts>
  <orasp:header orasp:name="From" 
    orasp:namespace="http://www.w3.org/2005/08/addressing"/>
   <orasp:attachment orasp:include-mime-headers="false"/>
</orasp:signed-parts>

orasp:kerberos-token

The <orasp:kerberos-token> element defines the kerberos token.

Attributes

The following table summarizes the attributes of the <orasp:kerberos-token> element.

Table D-13 Attributes of <orasp:kerberos-token> Element

Attribute Description

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.

type

Type of Kerberos token. The only valid value is gss-apreq-v5 (Kerberos Version 5 GSS-API).


Example

<orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" 
 orasp:type="gss-apreq-v5"/> 

orasp:msg-security

The <orassp:msg-security> element defines message security for the policy. You define the body elements that are signed and encrypted for the request, response, and fault.

The <orasp:msg-security> element contains the following subelements:

Attributes

The following table summarizes the attributes of the <orasp:msg-security> element.

Table D-14 Attributes of <orasp:msg-security> Element

Attribute Description

algorithm-suite

Defines the algorithm suite that is used for message protection. For example, Basic128. For more information, see "Supported Algorithm Suites".

confirm-signature

Flag that specifies whether to send a signature confirmation back to the client. Valid values inlcude true or false.

encrypt-signature

Flag that specifies whether to send a encryption confirmation back to the client. Valid values inlcude true or false.

include-timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

sign-then-encyrpt

Flag that specifies whether to sign the message before encrypting the message.

use-derived-keys

Flag that specifies whether to use derived keys.


Example

<orasp:msg-security orasp:algorithm-suite="Basic128"
orasp:confirm-signature="false" orasp:encrypt-signature="false" 
orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
orasp:use-derived-keys="false">
  <orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>
  <orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>
  <orasp:fault/>
</orasp:msg-security>

orasp:permitAll

The <orasp:permitAll> element permits all users with any roles.

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:permitAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>

orasp:request

The <orasp:request> element defines the message body elements that are signed and encrypted in the request message. The <orasp:request> element contains the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:require-tls

The <orasp:require-tls> element specifies whether two-way authentication is required.

Attributes

The following table summarizes the attributes of the <orasp:require-tls> element.

Table D-15 Attributes of <orawsp:require-tls> Element

Attribute Description

include-timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

mutual-auth

Flag that specifies whether two-way authentication is required. Valid values include true or false.


Examples

<orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>

orasp:response

The <orassp:response> element defines the message body elements that are signed and encrypted in the response message. The <oraswsp:response> element contains the following subelements:

Example

<orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>

orasp:role

The <orasp:role> element defines the roles that are permitted access.

Attribute

The following table summarizes the attribute of the <orasp:role> element.

Table D-16 Attributes of <orasp:role> Element

Attribute Description

name

Name of the role. Valid roles include:

  • Monitor

  • AdminChannelUsers

  • Administrators

  • OracleSystemGroup

  • Operators

  • CrossDomainConnectors

  • Deployers

  • AppTesters


Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
  orawsp:category="security/authorization" orawsp:description="" 
  orawsp:name="J2EE services Authorization">
  <orasp:role orasp:name="Monitors"/>
  <orasp:role orasp:name="AdminChannelUsers"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>

orasp:saml-token

The <orasp:saml-token> element configures the SAML token.

Attributes

The following table summarizes the attributes of the <orasp:saml-token> element.

Table D-17 Attributes of <orasp:saml-token> Element

Attribute Description

confirmation-type

Confirmation type. Valid values include: sender-vouches and holder-of-key.

  • sender-vouches

  • holder-of-key

  • bearer

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.

version

SAML version. Valid values include: 1.1 and 2.0.


Example

<orasp:saml-token orasp:confirmation-type="holder-of-key" 
 orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>

orasp:signed-elements

The <orassp:signed-elements> element defines the message body elements that are signed. This element is valid if <orasp:signed-parts> is not set to <orasp:body/>

The <orassp:signed-elements> element contains the following subelement:

Example

<orasp:signed-elements>
  <orasp:element orasp:name="Myhead" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:signed-elements>

orasp:signed-parts

The <orasp:signed-parts> element defines the message parts that are signed.

The <orasp:signed-parts> element contains one or more of the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:username-token

The <orasp:username-token> element configures the SAML token.

Attributes

The following table summarizes the attributes of the <orasp:username-token> element.

Table D-18 Attributes of <orasp:username-token> Element

Attribute Description

add-created

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

add-nonce

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

is-encrypted

Flag that specifies whether the username is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the username is signed. Valid values include true or false.

password-type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.


Example

<orasp:username-token 
  orasp:add-created="false" 
  orasp:add-nonce="false" 
  orasp:is-encrypted="true" 
  orasp:is-signed="true" 
  orasp:password-type="plaintext"/>

orasp:x509-token

The <orasp:x509-token> element defines the x.509 digital certificate.

Attributes

The following table summarizes the attributes of the <orasp:x509-token> element.

Table D-19 Attributes of <orasp:x509-token> Element

Attribute Description

sign-key-ref-mech

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)

enc-key-ref-mech

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

rcpt-sign-key-ref-mech

Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

rcpt-enc-key-ref-mech

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.


Example

<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
 orasp:is-encrypted="false" orasp:is-signed="true" 
 orasp:sign-key-ref-mech="direct"/>

orawsp:Description

The <oraswsp:Description> element provides a description of the property.

Example

<orawsp:Description>Valid IP Values</orawsp:Description>