Reference Guide

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Oracle SALT WS-SecurityPolicy Assertion 1.2 Reference

The following sections provide SALT WSSP1.2 reference information:

 


Overview

Oracle SALT implements part of WS-Security protocol version 1.1 for inbound services. Authentication with UsernameToken and X509v3Token are supported. To describe how the authentication is carried out, WS-SecurityPolicy is used in WSDL definition.

In order to communicate with Oracle WebLogic Release 10 via WS-Security 1.1, SALT implements the counterparts of WS-SecurityPolicy (WSSP) 1.2 supported by WebLogic 10. But the supported WSSP 1.2 assertions are limited as follows:

For more details about limitations of WS-SecurityPolicy 1.2 assertions, please refer to Oracle SALT WSSP1.2 Assertion Description.

For more information about WSSP 1.2 assertions supported by WebLogic 10, please refer to “Using WS-SecurityPolicy 1.2 Policy Files in the Oracle WebLogic Web Services Documentation.

In this document, XML namespace prefix “sp” stands for namespace URI “http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512”.

 


Oracle SALT WSSP 1.2 Policy File Example

Listing E-1 demonstrates how to apply Username token authentication with WSSP 1.2 assertions.

Listing E-1 WSSP 1.2 Policy File Sample
<!-Binding Policy -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken/>
        </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>

 


Oracle SALT WSSP 1.2 Policy Templates

Oracle SALT provides a number of WS-SecurityPolicy 1.2 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.

Table E-1 Oracle SALT WSSP 1.2 Policy Template Files
Policy File
Description
wssp1.2-UsernameToken-plain-auth.xml
Username token with plain text password is sent in the request for authentication.
wssp1.2-x509v3-auth.xml
X509 V3 binary token (certificate) is sent in the request for authentication. The request is optionally signed with some message parts in the requests.
wssp1.2-signbody.xml
The entire SOAP body is signed.

These template files can be referenced directly in the WSDF files with location value format:

salt:<template_file_name>

For example, if you want to configure signbody, you can specify the followings in your WSDF file:

<Policy location=”salt:wssp1.2-signbody.xml” />

 


Oracle SALT WSSP1.2 Assertion Description

Below are all Oracle SALT supported WSSP 1.2 assertions and limitations for each one. Customers should obey the limitation when writing their own customized WSSP 1.2 policy files. Oracle SALT does not check any customized WSSP 1.2 policy file against the limitation rules. If something claimed in the customized WSSP 1.2 policy file cannot be supported by Oracle SALT, web service client program may result run time errors.

WS-SecurityPolicy 1.2 assertions not listed below are definitely not supported by Oracle SALT.

<sp:SignedParts>

Specifies the parts of a SOAP message to be digitally signed. Oracle SALT only supports the entire SOAP body to be signed.

Limitations

<sp:UsernameToken>

Specifies username token to be included in the SOAP message. Oracle SALT only supports username token with clear text password defined in WS-Security Username Token Profile 1.0. <UsernameToken> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.

Limitations

<sp:X509Token>

Specifies a binary security token carrying an X509 token to be included in the SOAP message. <X509Token> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.

Limitations

<sp:AlgorithmSuite>

Specifies the algorithm suite to be used for performing cryptographic operations with security tokens. <AlgorithmSuite> Assertion must be used as a nested assertion of Security Binding Assertions.

Limitations

<sp:Layout>

Specifies the layout rules when adding items to the security header. <Layout> Assertion must be used as a nested assertion of Security Binding Assertions.

Limitations

<sp:TransportBinding >

Specifies the message protection and security correlation is provided using the means of the transport. The <TransportBinding> token is used mainly for carrying isolated Username Token in the SOAP message.

Limitations

Listing E-2 shows an Oracle SALT supported TransportToken Assertion example.

Listing E-2 Supported TransportToken Assertions
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken />
        </wsp:Policy>
      </sp:TransportToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
    </wsp:Policy>
  </sp:TransportBinding>

<sp:AsymmetricBinding>

Specifies the message protection is provided by means defined in WS-Security SOAP Message Security, and the request and response message can use distinct keys for encryption and signature, because of their different lifecycles. The <AsymmetricBinding> Assertion is used mainly for carrying X.509 binary security token in the SOAP request messages for inbound calls.

Limitations

Listing E-3 shows an Oracle SALT supported AsymmetricBinding assertion example. This assertion indicates the X.509 V3 binary token that defined in WS-Security X.509 Token Profile 1.1 specification is used for digital signature for the SOAP request messages and the X.509 token is always included in the SOAP message security header:

Listing E-3 Supported AsymmetricBinding Assertion
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp />
    </wsp:Policy>
  </sp:AsymmetricBinding>

<sp:SupportingToken>

Specifies security tokens that are included in the security header and may optionally include additional message parts to sign and/or encrypt. For Oracle SALT, <SupportingToken> Assertion is used mainly to include Username Token in the security header when <sp:AsymmetricBinding> Assertion is used.

Limitations

Listing E-4 shows an Oracle SALT supported SupportingToken assertion example. This assertion indicates the Username token is always included in SOAP request messages:

Listing E-4 Supported SupportingToken Assertion
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>

  Back to Top       Previous  Next