Skip Headers
Oracle® Fusion Middleware Developer's Guide for Oracle Infrastructure Web Services
11g Release 1 (11.1.1)

Part Number E15184-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Attaching Policies to Oracle Infrastructure Web Services

This chapter describes how to attach policies to Oracle Infrastructure Web services.

This chapter includes the following topics:

What Are Policies?

Policies describe the capabilities and requirements of a Web service such as whether and how a message must be secured, whether and how a message must be delivered reliably, and so on.

Oracle Fusion Middleware 11g Release 1 (11.1.1.6) supports the types of policies defined in Table 2-1.

Table 2-1 Types of Policies

Policy Description

WS-ReliableMessaging

Reliable messaging policies that implement the WS-ReliableMessaging standard describes a wire-level protocol that allows guaranteed delivery of SOAP messages, and can maintain the order of sequence in which a set of messages are delivered.

The technology can be used to ensure that messages are delivered in the correct order. If a message is delivered out of order, the receiving system can be configured to guarantee that the messages will be processed in the correct order. The system can also be configured to deliver messages at least once, not more than once, or exactly once. If a message is lost, the sending system re-transmits the message until the receiving system acknowledges it receipt.

Management

Management policies that log request, response, and fault messages to a message log. Management policies may include custom policies.

WS-Addressing

WS-Addressing policies that verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification. Transport-level data is included in the XML message rather than relying on the network-level transport to convey this information.

Security

Security policies that implement the WS-Security 1.0 and 1.1 standards. They enforce message protection (message integrity and message confidentiality), and authentication and authorization of Web service requesters and providers. The following token profiles are supported: username token, X.509 certificate, Kerberos ticket, and Security Assertion Markup Language (SAML) assertion. For more information about Web service security concepts and standards, see Security and Administrator's Guide for Web Services.

Message Transmission Optimization Mechanism (MTOM)

Binary content, such as an image in JPEG format, can be passed between the client and the Web service. In order to be passed, the binary content is typically inserted into an XML document as an xsd:base64Binary string. Transmitting the binary content in this format greatly increase the size of the message sent over the wire and is expensive in terms of the required processing space and time.

Using Message Transmission Optimization Mechanism (MTOM), binary content can be sent as a MIME attachment, which reduces the transmission size on the wire. The binary content is semantically part of the XML document. Attaching an MTOM policy ensures that the message is converted to a MIME attachment before it is sent to the Web service or client.


What are Policy Sets?

A policy set, which can contain multiple policy references, is an abstract representation that provides a means to attach policies globally to a range of subjects of the same type. Attaching policies globally using policy sets provides a mechanism for the administrator to ensure that all subjects are secured in situations where the developer, assembler, or deployer did not explicitly specify the policies to be attached. Policies that are attached using a policy set are considered externally attached.

Policy sets provide the ability to specify a runtime constraint that determines the context in which the policy set is relevant. For example, you can specify that a service use message protection when communicating with external clients only since the message may be transmitted over insecure public networks. However, when communicating with internal clients on a trusted network, message protection may not be required.

Policy subjects to which policy sets can be attached include SOA components, SOA service endpoints, SOA references, Web services endpoints, Web service clients, Web service connections, and asynchronous callback clients. Policy sets can be attached at the following scopes:

For details about using policy sets to globally attach policies, see "Attaching Policies Globally Using Policy Sets" in Security and Administrator's Guide for Web Services.

Oracle WSM Predefined Policies and Assertion Templates

Oracle Web Services Manager (WSM) provides a policy framework to manage and secure Web services consistently across your organization. Oracle WSM can be used by both developers, at design time, and system administrators in production environments. For more information about the Oracle WSM policy framework, see "Understanding Oracle WSM Policy Framework" in Security and Administrator's Guide for Web Services.

There is a set of predefined Oracle WSM policies and assertion templates that are automatically available when you install Oracle Fusion Middleware. The predefined policies are based on common best practice policy patterns used in customer deployments.

You can immediately begin attaching these predefined policies to your Web services or clients. You can configure the predefined policies or create a new policy by making a copy of one of the predefined policies.

Predefined policies are constructed using assertions based on predefined assertion templates. You can create new assertion templates, as required.

For more information about the predefined Oracle WSM policies and assertion templates, see the following sections in Security and Administrator's Guide for Web Services:

Attaching Policies to Web Services Using Annotations

You can use annotations defined in Table 2-2 to attach policies to Web services. The annotations are included in the oracle.webservices.annotations and oracle.webservices.annotations.async packages.

For more information about the annotations available, see Oracle Fusion Middleware Java API Reference for Oracle Web Services. For more information about the predefined policies, see "Predefined Polices" in Security and Administrator's Guide for Web Services.

Table 2-2 Annotations for Attaching Policies to Web Services

Annotation Description

@AddressingPolicy

Attaches a WS-Addressing policy to the Web service. For more information, see @AddressingPolicy Annotation.

@CallbackManagementPolicy

Attaches a management policy to the callback client of the asynchronous Web service that will connect to the callback service. For more information, see @CallbackManagementPolicy Annotation.

@CallbackMtomPolicy

Attaches an MTOM policy to the callback client of the asynchronous Web service that will connect to the callback service. For more information, see @CallbackMtomPolicy Annotation.

@CallbackSecurityPolicy

Attaches one or more security polices to the callback client of the asynchronous Web service that will connect to the callback service. By default, no security policies are attached. For more information, see @CallbackSecurityPolicy Annotation.

@ManagementPolicy

Attaches a management policy to the Web service. For more information, see @ManagementPolicy Annotation.

@MtomPolicy

Attaches an MTOM policy to the Web service. For more information, see @MtomPolicy Annotation.

@SecurityPolicies

Specifies an array of @SecurityPolicy annotations. Use this annotation if you want to attach more than one WS-Policy files to a class. For more information, see @SecurityPolicies Annotation.

@SecurityPolicy

Attaches a security policy to the Web service. For more information, see @SecurityPolicy Annotation.


Attaching Policies Using Oracle JDeveloper

When creating an application using JDeveloper, you can take advantage of the wizards available to attach policies to Web services and clients.

For example, the following figure shows the Configure SOA WS Policies wizard that you can use to attach policies to SOA service or reference binding components quickly and easily.

Figure 2-1 Configure SOA WS Policies Wizard

Description of Figure 2-1 follows
Description of "Figure 2-1 Configure SOA WS Policies Wizard"

For more information, see:

Attaching Policies Using Oracle Enterprise Manager

After a Web service or client is deployed, you can attach policies directly to endpoints using the Oracle Enterprise Manager Fusion Middleware Control. You can also attach policies globally to a set of endpoints using policy sets.

For example, Figure 2-2 shows the OWSM Policies tab on the Web Service Endpoint page from which you can attach policies to a Web service endpoint.

Figure 2-2 Attaching Policies Using Oracle Enterprise Manager

Description of Figure 2-2 follows
Description of "Figure 2-2 Attaching Policies Using Oracle Enterprise Manager"

Figure 2-3 shows the Policy Set Summary page from which you can create policy sets to attach policies globally to a range of endpoints.

Figure 2-3 Creating Policy Sets Using Oracle Enterprise Manager

Description of Figure 2-3 follows
Description of "Figure 2-3 Creating Policy Sets Using Oracle Enterprise Manager"

Complete details are provided in the following sections of Security and Administrator's Guide for Web Services:

Attaching Policies Using WebLogic Scripting Tool (WLST)

The Web services WLST policy management commands perform many of the same management functions that you can complete using Oracle Enterprise Manager Fusion Middleware Control.

After a Web service or client is deployed, you can attach policies directly to Oracle Infrastructure Web Service endpoints using WLST. You can also use WLST to create policy sets to attach policies globally to a range of endpoints.

Procedural information for using these commands is provided in the following sections of Security and Administrator's Guide for Web Services:

Reference information for these commands is provided in "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference.