The WSRP specification does not specify which security techniques should be employed, but encourages anyone using message-level security to use WS-Security standards. The specification makes mention of transport-level security, but only requires that "a Producer's WSDL declare ports for an HTTPS service entry point." This chapter discusses the security options supported by the Oracle WebCenter WSRP Producer for .NET.
The Oracle WebCenter WSRP Producer for .NET supports two types of WS-Security token profiles: SAML and Username Token (UNT). For details on WS-Security standards, see the OASIS WS-Security site:
There are two WSDL files that contain WSS policy information:
The WSRPService.wsdl file should include the following as a child of the root element
<wsdl:definitions> and before the
<wsp:UsingPolicy wsdl:Required="true" /> <wsp:Policy s1:Id="SAMLAuth.xml"> <wsp:All> <wssp:Identity> <wssp:SupportedTokens> <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID"> <wssp:Claims> <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod> </wssp:Claims> </wssp:SecurityToken> </wssp:SupportedTokens> </wssp:Identity> </wsp:All> </wsp:Policy>
<wsp:UsingPolicy wsdl:Required="true" /> <wsp:Policy s1:Id="UNTAuth.xml"> <wsp:All> <wssp:Identity> <wssp:SupportedTokens> <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"> <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/> </wssp:SecurityToken> </wssp:SupportedTokens> </wssp:Identity> </wsp:All> </wsp:Policy>
UsingPolicy must be set to "required" or certain WSRP consumers (such as Oracle WebLogic Portal) will not honor the security policy. The Policy node is a standard WS-Security policy element where SAML v1.1 sender-vouches confirmation is defined. See the WS-Security specification for details.
The most important piece to note for WSDL configuration is the
Id attribute for the policy. This must be referenced in the wsrp*bindings.wsdl file. Open the wsrp_v1_bindings.wsdl or wsrp-2.0-bindings.wsdl file and find the
<wsdl:input> elements with the names
performBlockingInteraction. These sections should reference which policy to use. For example, if the Id for the policy in WSRPService is "SAMLAuth.xml", the policy reference in wsrp*bindings.wsdl would look like the following:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:PolicyReference URI="#SAMLAuth.xml"/> </wsp:Policy>
(If the Id for the policy in WSRPService.wsdl is "UNTAuth.xml", the PolicyReference URI value in wsrp*bindings.wsdl would be "#UNTAuth.xml".)
The Oracle WebCenter WSRP Producer for .NET uses Microsoft Web Services Extensions (WSE) 2.0 SP3. This section discusses the default way in which WSE is set up to handle WS-Security tokens. To learn more about WSE and security tokens, refer to the Microsoft documentation (
Security aspects of WSE are managed under the
<security> element under the
<microsoft.web.services2> element in Web.config.
The default UNT and SAML Security Token Managers defined in Web.config do not actually perform authentication. Instead, they strip off the token XML and provide it to individual portlets registered under the WSRP producer. This allows individual portlets to implement their own authentication and authorization methodologies. To implement authentication at the WSRP SOAP endpoints, create your own SecurityTokenManager for WSE following the Microsoft documentation.
WSE does not properly handle WSS 1.0 security tokens sent by the Oracle WebCenter Portal WSRP Consumer, so the Oracle WebCenter WSRP Producer for .NET uses a request filter to decrypt any encrypted content, validate signatures, and then pass the modified SOAP message without encryption and signature to WSE. To learn more about the default request filter implemented for security tokens sent from Oracle WebCenter Portal, see the development tutorials in Section 5, "Implementing Common Development Scenarios."
To learn more about the default UNT and Security Token Managers, see Section 5.9, "Setting Up Security Tokens" in the next section. Source code for the default SecurityTokenManager is available in the
\wsrpdefault\src folder in the installation directory.
To set up SSL (either one-way or two-way), follow the Microsoft documentation on configuring IIS and the documentation provided for your WSRP consumer portal. Use "https" on all endpoint URLs in WSRPService.wsdl. For WSRP resources, the Oracle WebCenter WSRP Producer for .NET will determine whether to use http or https depending on which was used to access the endpoint.
Two-way SSL is not supported in Oracle WebCenter Portal.