You can use existing Oracle Workspace Studio policies to protect Security Token Service Web Service endpoints.
For instance:
Classpath mode: Existing Oracle Workspace Studio policies defined in $ORACLE_IDM_HOME/oam/server/policy/sts-policies.jar are used in this mode.
SOA deployment: Policies defined in the Oracle WSM Policy Manager available from a SOA deployment are used.
The following topics describe how to manage Web Service Security Policies for Security Token Service:
WS-Security Policies protect Security Token Service WS Endpoint. You can modify these policies.
The WS-Security Policies that Oracle provides cover most use cases.
See About Security Token Service End Points and Policies.
See "Attaching Policies to Web Services" in the Administering Web Services.
Predefined Oracle Web Services Manager policies are constructed using assertions based on predefined assertion templates. For WSS Policy classpath mode, the OWSM Agent retrieves policies from sts-policies.jar located on the classpath.
If SOA is not deployed in the WebLogic Server domain, the Security Token Service installer configures the WebLogic Server domain for WSS Policy classpath mode. The JAR file containing the WSS Policies used when the WLS Domain is configured for classpath is located at:
$ORACLE_IDM_HOME/oam/server/policy/sts-policies.jar
When your environment is in classpath mode, Administrators perform the following tasks to confirm that sts-policies.jar is located on the classpath.
See "About Security Token Service End Points and Policies".
See "Oracle WSM Predefined Policies and Assertion Templates" in the Administering Web Services.
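One way to script the classpath check described above, as an added example rather than Oracle tooling. The function name jar_on_classpath is hypothetical, and the example assumes a Unix-like host where the administrator supplies the server's effective classpath string.

```shell
# Added example (hypothetical helper, not part of the Oracle product).
# jar_on_classpath CLASSPATH JAR
#   exit 0: JAR is readable and a CLASSPATH entry resolves to it
#   exit 1: JAR exists but no CLASSPATH entry resolves to it
#   exit 2: JAR is missing or unreadable
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
jar_on_classpath() (
    cp=$1
    jar=$2
    unset CDPATH
    # The jar must exist and be readable by the account that runs the check.
    [ -f "$jar" ] && [ -r "$jar" ] || exit 2
    jar_name=$(basename "$jar")
    jar_dir=$(cd "$(dirname "$jar")" && pwd -P) || exit 2

    IFS=:      # classpath separator on Unix-like hosts
    set -f     # keep "dir/*" literal instead of letting the shell expand it
    for entry in $cp; do
        case $entry in
            '') continue ;;
            */\*)
                # Java wildcard entry: matches .jar/.JAR files directly in dir.
                dir=${entry%/\*}
                case $jar_name in *.jar|*.JAR) ;; *) continue ;; esac
                ;;
            *)
                # Plain entry: must be a file with the same name as the jar.
                [ -f "$entry" ] || continue
                [ "$(basename "$entry")" = "$jar_name" ] || continue
                dir=$(dirname "$entry")
                ;;
        esac
        # Compare physical directories so ".." segments and symlinked
        # directories do not hide a match or fake one.
        real=$(cd "$dir" 2>/dev/null && pwd -P) || continue
        [ "$real" = "$jar_dir" ] && exit 0
    done
    exit 1
)

# Usage (SERVER_CLASSPATH is an assumed variable holding the server classpath):
#   jar_on_classpath "$SERVER_CLASSPATH" \
#       "$ORACLE_IDM_HOME/oam/server/policy/sts-policies.jar"
```

An exit status of 1 means the file is present but the supplied classpath does not reference it, which is the case the confirmation step is meant to catch.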
The Oracle WSM Policy Manager is the security linchpin for Oracle Fusion Middleware Web services and SOA applications.
For more information about how the Oracle WSM Policy Manager manages the policy framework, see "Understanding Oracle WSM Policy Framework" in Administering Web Services.
At design time, you attach Oracle WSM and WebLogic Web service policies to applications programmatically using your favorite IDE, such as Oracle JDeveloper. Alternatively, at deployment time you attach policies to SOA composites, ADF, and WebCenter applications using the Oracle Enterprise Manager Fusion Middleware Control, and to WebLogic Web services (Java EE) using the WebLogic Server Administration Console.
System Administrators can leverage the Oracle WSM through the Oracle Enterprise Manager Fusion Middleware Control to:
Centrally define policies using the Oracle WSM Policy Manager.
Enforce Oracle WSM security and management policies locally at run time.
When your environment is integrated with the OWSM Policy Manager, perform the following tasks to add or modify WSS policies for Security Token Service using Oracle Web Services Manager.
Note:
All of Oracle WSM's functionality is accessible to Administrators from Oracle Enterprise Manager Fusion Middleware Control.
See Part II, "Basic Administration" and Part III, "Advanced Administration" in the Administering Web Services.