The following sections provide SALT WS-SecurityPolicy (WSSP) 1.0 assertion reference information:
Oracle SALT implements part of WS-Security protocol version 1.0 for inbound services. Authentication with UsernameToken and X509v3Token are supported. WS-SecurityPolicy 1.0 assertions are used in WSDL definition to describe how the authentication is carried out. The WS-SecuirtyPolicy1.0 specification (2002) is supported in order to ensure the interoperability with Oracle WebLogic 9.x.
Below are all Oracle SALT supported WS-SecurityPolicy 1.0 assertions:
There are some extension assertions used in WebLogic 9.x, SALT only implements a subset of them. Integrity Assertion is only used when using X509v3 token for authentication. And the only message part can be specified for signature is the whole SOAP Body.
Figure F-1 shows a graphical representation of the Oracle SALT supported WS-SecurityPolicy 1.0 Assertion format in a WS-Policy file.
Listing F-1 demonstrates how to apply Username token authentication with WSSP 1.0 Assertions.
Oracle SALT provides a number of WS-SecurityPolicy 1.0 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.
These template files can be referenced directly in the WSDF files with location value format:
For instance, if you want to configure signbody, you can specify the followings in your WSDF file:
<Policy location=”salt:wssp1.0-signbody.xml” />
Oracle SALT implements part of WebLogic 9.x / 10 WS-SecurityPolicy 1.0 assertions. For a complete list of WSSP 1.0 assertions supported by WebLogic, see
Specifies the algorithm used to canonicalize the SOAP message elements that are digitally signed.
Specifies additional metadata information that is associated with a particular type of security token. Depending on the type of security token, you must specify the following child elements:
This element does not have any attributes.
Specifies the digest algorithm that is used when digitally signing the specified parts of a SOAP message. Use the <MessageParts> sibling element to specify the parts of the SOAP message you want to digitally sign.
Specifies the type of security tokens (username or X.509) that are supported for authentication.
This element has no attributes.
Specifies that part or all of the SOAP message must be digitally signed, as well as the algorithms and keys that are used to sign the SOAP message.
For example, a Web Service may require that the entire body of the SOAP message must be digitally signed and only algorithms using SHA1 and an RSA key are accepted.
Specifies whether the security token, specified using the <SecurityToken> child element of <
Specifies the parts of the SOAP message that should be signed. SALT only supports certain pre-defined message part function, wsp:Body(), i.e. the entire SOAP body to be digitally signed.
The MessageParts assertion is always a child of a <Target> assertion. The <Target> assertion can be a child of an Integrity assertion (to specify how the SOAP message is digitally signed).
See Usage of MessageParts for more information about how to specify the parts of the SOAP message that should be signed.
Specifies the security token that is supported for authentication or digital signatures, depending on the parent element.
If this element is defined in the <Identity> parent element, then is specifies that a client application, when invoking the Web Service, must attach a security token to the SOAP request. For example, a Web Service might require that the client application present a Username token for the Web Service to be able to access Tuxedo service. If this element is part of <Integrity>, then it specifies the token used for digital signature.
The specific type of the security token is determined by the value of its TokenType attribute, as well as its parent element.
The default value of this attribute is true when used in the <Integrity> assertion.
The value of this attribute is always true when used in the <Identity> assertion, even if you explicitly set it to false.
Specifies the cryptographic algorithm used to compute the digital signature.
Specifies the list of supported security tokens that can be used for authentication, or digital signatures, depending on the parent element.
This element has no attributes.
Encapsulates information about which targets of a SOAP message are to be signed. When used in <Integrity>, you can specify the <DigestAlgorithm>, <Transform>, and <MessageParts> child elements.
Ideally, you can have one or more targets. But at most one target is enough for SALT, since SALT only supports the entire SOAP body to be configured for digital signature.
This element has no attributes.
Specifies the URI of a transformation algorithm that is applied to the parts of the SOAP message that are signed. Only can exist in a child element of the <Integrity> element.
You can specify zero or more transforms, which are executed in the order they appear in the <Target> parent element.
When you use the <Integrity> assertion in your WS-Policy file, you are required to also use the Target child assertion to specify the targets of the SOAP message to digitally sign. The <Target> assertion in turn requires that you use the <MessageParts> child assertion to specify the actual parts of the SOAP message that should be digitally signed. You can use the
Dialect attribute of <MessageParts> to specify the dialect used to identify the SOAP message parts. Oracle SALT Web services security module supports only the following dialect:
Be sure that you specify a message part that actually exists in the SOAP messages that result from a client invoke of a message-secured Web Service. If the Web Services security module encounters an inbound SOAP message that does not include a part that the WS-Policy file indicates should be signed or encrypted, then the Web Services security module returns an error and the invoke fails.
This section shows SALT supported functions that are used with the "http://schemas.xmlsoap.org/2002/12/wsse#part" dialect for selecting parts of a message:
You can only specify the entire SOAP body to be signed. It is recommended that you use the dialect that pre-defines the
wsp:Body() function for this purpose.
Listing F-2 shows a
wsp:Body() function example