2 Attaching Policies to Oracle Infrastructure Web Services

This chapter describes how to attach policies to Oracle Infrastructure Web services.

What Are Policies?

Policies describe the capabilities and requirements of a Web service such as whether and how a message must be secured, whether and how a message must be delivered reliably, and so on.

Oracle Fusion Middleware 11g Release 1 (11.1.1) supports the types of policies defined in Table 2-1.

Table 2-1 Types of Policies

Policy Description

WS-ReliableMessaging

Reliable messaging policies implement the WS-ReliableMessaging standard, which describes a wire-level protocol that allows guaranteed delivery of SOAP messages and can maintain the order in which a set of messages is delivered.

The technology can be used to ensure that messages are delivered in the correct order. If a message is delivered out of order, the receiving system can be configured to guarantee that the messages will be processed in the correct order. The system can also be configured to deliver messages at least once, not more than once, or exactly once. If a message is lost, the sending system re-transmits the message until the receiving system acknowledges its receipt.

Management

Management policies that log request, response, and fault messages to a message log. Management policies may include custom policies.

WS-Addressing

WS-Addressing policies that verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification. Transport-level data is included in the XML message rather than relying on the network-level transport to convey this information.

Security

Security policies that implement the WS-Security 1.0 and 1.1 standards. They enforce message protection (message integrity and message confidentiality), and authentication and authorization of Web service requesters and providers. The following token profiles are supported: username token, X.509 certificate, Kerberos ticket, and Security Assertion Markup Language (SAML) assertion. For more information about Web service security concepts and standards, see Security and Administrator's Guide for Web Services.

Message Transmission Optimization Mechanism (MTOM)

Binary content, such as an image in JPEG format, can be passed between the client and the Web service. In order to be passed, the binary content is typically inserted into an XML document as an xsd:base64Binary string. Transmitting the binary content in this format greatly increases the size of the message sent over the wire and is expensive in terms of the required processing space and time.

Using Message Transmission Optimization Mechanism (MTOM), binary content can be sent as a MIME attachment, which reduces the transmission size on the wire. The binary content is semantically part of the XML document. Attaching an MTOM policy ensures that the message is converted to a MIME attachment before it is sent to the Web service or client.


What are Policy Sets?

A policy set, which can contain multiple policy references, is an abstract representation that provides a means to attach policies globally to a range of subjects of the same type. Attaching policies globally using policy sets provides a mechanism for the administrator to ensure that all subjects are secured in situations where the developer, assembler, or deployer did not explicitly specify the policies to be attached. Policies that are attached using a policy set are considered externally attached.

Policy subjects to which policy sets can be attached include SOA components, SOA service endpoints, SOA references, Web services endpoints, Web service clients, Web service connections, and asynchronous callback clients. Policy sets can be attached at the following scopes:

  • Domain — all services in a domain

  • Server instance—all services in a server instance

  • Application—all services in an application

  • SOA composite—all services in a SOA composite

  • Application Module—all services in an application module

For details about using policy sets to globally attach policies, see "Attaching Policies Globally Using Policy Sets" in Security and Administrator's Guide for Web Services.
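
An added example, not Oracle code or part of the original guide: a small Python model of the scoping described above that lists the endpoints receiving no security policy from either direct attachment or a policy set. The inventory format, endpoint names and policy identifiers are constructed, and the model only checks whether a Security policy is present, not how Oracle WSM resolves conflicts between attachments.

```python
from dataclasses import dataclass, field

# Scope names from the list above -> endpoint attribute each scope is matched on.
SCOPE_ATTR = {"Domain": "domain", "Server instance": "server",
              "Application": "application", "SOA composite": "composite",
              "Application Module": "module"}

@dataclass
class Endpoint:
    name: str
    subject_type: str   # e.g. "Web services endpoint", "SOA reference"
    domain: str
    server: str
    application: str
    composite: str = ""
    module: str = ""
    direct: list = field(default_factory=list)  # (category, policy) attached directly

@dataclass
class PolicySet:
    name: str
    subject_type: str   # a policy set covers subjects of one type only
    scope: str          # key of SCOPE_ATTR
    target: str         # name of the domain, server, application, ...
    policies: list      # (category, policy) references

def effective(ep, policy_sets):
    """Directly attached policies plus externally attached ones, each with its origin."""
    found = [(cat, pol, "direct") for cat, pol in ep.direct]
    for ps in policy_sets:
        if ps.subject_type == ep.subject_type and getattr(ep, SCOPE_ATTR[ps.scope]) == ps.target:
            found += [(cat, pol, "policy set " + ps.name) for cat, pol in ps.policies]
    return found

def unsecured(endpoints, policy_sets):
    """Endpoints that receive no Security policy from either source."""
    return [ep.name for ep in endpoints
            if not any(cat == "Security" for cat, _, _ in effective(ep, policy_sets))]

# Constructed inventory; all names and policy identifiers are placeholders.
WS, REF = "Web services endpoint", "SOA reference"
SEC, LOG = ("Security", "sample/token_policy"), ("Management", "sample/log_policy")
ENDPOINTS = [
    Endpoint("OrderPort", WS, "prod", "server1", "orders", direct=[SEC]),
    Endpoint("QuotePort", WS, "prod", "server1", "quotes"),
    Endpoint("AuditPort", WS, "prod", "server2", "audit", direct=[LOG]),
    Endpoint("BillingRef", REF, "prod", "server1", "orders", composite="Billing"),
]
POLICY_SETS = [PolicySet("server1-ws", WS, "Server instance", "server1", [SEC])]
print(unsecured(ENDPOINTS, POLICY_SETS))  # ['AuditPort', 'BillingRef']
```

AuditPort sits outside the server-scoped policy set and BillingRef is a different subject type, so both stay uncovered until a policy set of matching type and scope is added.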

Oracle WSM Predefined Policies and Assertion Templates

Oracle Web Services Manager (WSM) provides a policy framework to manage and secure Web services consistently across your organization. Oracle WSM can be used by both developers, at design time, and system administrators in production environments. For more information about the Oracle WSM policy framework, see "Understanding Oracle WSM Policy Framework" in Security and Administrator's Guide for Web Services.

There is a set of predefined Oracle WSM policies and assertion templates that are automatically available when you install Oracle Fusion Middleware. The predefined policies are based on common best practice policy patterns used in customer deployments.

You can immediately begin attaching these predefined policies to your Web services or clients. You can configure the predefined policies or create a new policy by making a copy of one of the predefined policies.

Predefined policies are constructed using assertions based on predefined assertion templates. You can create new assertion templates, as required.

For more information about the predefined Oracle WSM policies and assertion templates, see the following sections in Security and Administrator's Guide for Web Services:

Attaching Policies to Web Services Using Annotations

You can use annotations defined in Table 2-2 to attach policies to Web services. The annotations are included in the oracle.webservices.annotations and oracle.webservices.annotations.async packages.

For more information about the annotations available, see Oracle Fusion Middleware Java API Reference for Oracle Web Services. For more information about the predefined policies, see "Predefined Policies" in Security and Administrator's Guide for Web Services.

Table 2-2 Annotations for Attaching Policies to Web Services

Annotation Description

@AddressingPolicy

Attaches a WS-Addressing policy to the Web service. For more information, see @AddressingPolicy Annotation.

@CallbackManagementPolicy

Attaches a management policy to the callback client of the asynchronous Web service that will connect to the callback service. For more information, see @CallbackManagementPolicy Annotation.

@CallbackMtomPolicy

Attaches an MTOM policy to the callback client of the asynchronous Web service that will connect to the callback service. For more information, see @CallbackMtomPolicy Annotation.

@CallbackSecurityPolicy

Attaches one or more security policies to the callback client of the asynchronous Web service that will connect to the callback service. By default, no security policies are attached. For more information, see @CallbackSecurityPolicy Annotation.

@ManagementPolicy

Attaches a management policy to the Web service. For more information, see @ManagementPolicy Annotation.

@MtomPolicy

Attaches an MTOM policy to the Web service. For more information, see @MtomPolicy Annotation.

@SecurityPolicies

Specifies an array of @SecurityPolicy annotations. Use this annotation if you want to attach more than one WS-Policy file to a class. For more information, see @SecurityPolicies Annotation.

@SecurityPolicy

Attaches a security policy to the Web service. For more information, see @SecurityPolicy Annotation.


Attaching Policies Using Oracle JDeveloper

When creating an application using JDeveloper, you can take advantage of the wizards available to attach policies to Web services and clients.

For example, the following figure shows the Configure SOA WS Policies wizard that you can use to attach policies to SOA service or reference binding components quickly and easily.

Figure 2-1 Configure SOA WS Policies Wizard

For more information, see:

Attaching Policies Using Oracle Enterprise Manager

After a Web service or client is deployed, you can attach policies directly to endpoints using the Oracle Enterprise Manager Fusion Middleware Control. You can also attach policies globally to a set of endpoints using policy sets.

For example, Figure 2-2 shows the OWSM Policies tab on the Web Service Endpoint page from which you can attach policies to a Web service endpoint.

Figure 2-2 Attaching Policies Using Oracle Enterprise Manager

Figure 2-3 shows the Policy Set Summary page from which you can create policy sets to attach policies globally to a range of endpoints.

Figure 2-3 Creating Policy Sets Using Oracle Enterprise Manager

Complete details are provided in the following sections of Security and Administrator's Guide for Web Services:

Attaching Policies Using WebLogic Scripting Tool (WLST)

The Web services WLST policy management commands perform many of the same management functions that you can complete using Oracle Enterprise Manager Fusion Middleware Control.

After a Web service or client is deployed, you can attach policies directly to Oracle Infrastructure Web Service endpoints using WLST. You can also use WLST to create policy sets to attach policies globally to a range of endpoints.

Procedural information for using these commands is provided in the following sections of Security and Administrator's Guide for Web Services:

Reference information for these commands is provided in "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference.