Securing Web Services and Managing Policies with Oracle Web Services Manager
18 Predefined Policies

This chapter describes the Oracle Web Services Manager (OWSM) predefined policies, organized by category. For more information about the predefined policy categories, see "Policy Categories" in Understanding Oracle Web Services Manager. For more information about attaching policies, see "Attaching Policies".

This chapter contains the following sections:

Notes:

  • The predefined policies and assertion templates distributed with the current release are read-only. You must copy the policy or assertion template before modifying it; you can copy policies in the security and management categories only. You also have the option of configuring the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".

  • If you have modified any of the predefined policies or assertion templates from the previous release (11g), they will be replaced by read-only versions in the next release. For more information, see "Overview of Web Services Policy Management".

  • When attaching OWSM 12c predefined policies, if you specify a value of blank (" ") in the Value field, the default value will be in effect. If you have imported 11g policies or any custom policies, ensure that the policy has a valid value in the Default field to achieve the same effect; otherwise, the specified value will be picked up.

18.1 Addressing Policies

Table 18-1 summarizes the predefined OWSM addressing policies.

Table 18-1 Predefined OWSM Addressing Policies

Configuration Policy Description

oracle/wsaddr_policy

Checks inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard.

oracle/no_addressing_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS Addressing policy at a higher scope.


For more information about attaching Web services addressing policies, see:

18.1.1 oracle/wsaddr_policy

Display Name: WS Addressing Policy

Category: WS-Addressing

Description

Checks inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.

For more information about configuring WS-Addressing on the Web service client, see Web Services Addressing 1.0 - SOAP Binding specification (http://www.w3.org/TR/ws-addr-soap/).

Note:

Please note the following:

  • This policy cannot be duplicated.

  • The assertion template associated with this policy is not available for generating new policies.

  • This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-2 lists the configuration property that you can override for the addressing policy.

Table 18-2 Configuration Property for oracle/wsaddr_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.1.2 oracle/no_addressing_policy

Display Name: No Behavior Addressing Policy

Category: WS-Addressing

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS Addressing policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-3 lists the configuration property that you can override for the no behavior policy.

Table 18-3 Configuration Property for oracle/no_addressing_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.2 Atomic Transaction Policies

Table 18-4 summarizes the predefined OWSM atomic transaction policies.

Table 18-4 Predefined OWSM Atomic Transaction Policies

Configuration Policy Description

oracle/atomic_transaction_policy

Enables and configures support for atomic transactions.

oracle/no_atomic_transaction_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached atomic transaction Web service policy at a higher scope.


For more information about attaching Web services atomic transaction policies, see:

18.2.1 oracle/atomic_transaction_policy

Display Name: Atomic Transaction Policy

Category: Atomic Transactions

Description

Enables and configures support for atomic transactions. For more information about atomic transactions, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.

Note:

Please note the following:

  • This atomic transactions policy cannot be duplicated.

  • The assertion template associated with this atomic transactions policy is not available for generating new policies.

  • This atomic transactions policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-5 lists the configuration properties that you can override for atomic transactions.

Table 18-5 Configuration Properties for oracle/atomic_transaction_policy

Name: flow.type
Description: Whether the Web services atomic transaction coordination context is passed with the transaction flow. Valid values include:

  • MANDATORY

  • NEVER

  • SUPPORTS

For more information about the valid values, see "Configuring Web Service Atomic Transactions" in Developing Oracle Infrastructure Web Services.
Default: SUPPORTS
Required?: Optional

Name: version
Description: Version of the Web services atomic transaction coordination context that is supported. For Web service clients, it specifies the version used for outbound messages only. The value specified must be consistent across the entire transaction. Valid values include:

  • DEFAULT

  • WSAT10

  • WSAT11

  • WSAT12

For more information about the valid values, see "Configuring Web Service Atomic Transactions" in Developing Oracle Infrastructure Web Services.
Default: DEFAULT
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.2.2 oracle/no_atomic_transaction_policy

Display Name: No Atomic Transaction Policy

Category: Atomic Transactions

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached atomic transaction Web service policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

For more information about atomic transactions, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-6 lists the configuration property that you can override for the no behavior policy.

Table 18-6 Configuration Property for oracle/no_atomic_transaction_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3 Configuration Policies

Table 18-7 summarizes the predefined OWSM configuration policies.

Note:

Please note the following:

  • Configuration policies cannot be duplicated.

  • The assertion templates associated with configuration policies are not available for generating new policies.

  • Configuration policies are not supported for Java EE (WebLogic) Web services.

Table 18-7 Predefined OWSM Configuration Policies

Configuration Policy Description

oracle/async_web_service_policy

Enables and configures an asynchronous Web service.

oracle/cache_binary_content_policy

Enables and configures support for binary caching of content.

oracle/fast_infoset_client_policy

Enables and configures Fast Infoset on the Web service client.

oracle/fast_infoset_service_policy

Enables Fast Infoset on the Web service.

oracle/max_request_size_policy

Configures the maximum size, in bytes, of the request message that can be sent to the Web service.

oracle/mex_request_processing_service_policy

Enables the exchange of Web service metadata.

oracle/mtom_encode_fault_service_policy

Enables the creation of MTOM-enabled SOAP fault messages when MTOM is enabled.

oracle/no_async_web_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached asynchronous Web service policy at a higher scope.

oracle/no_cache_binary_content_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached binary caching policy at a higher scope.

oracle/no_fast_infoset_client_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset client policy at a higher scope.

oracle/no_fast_infoset_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset service policy at a higher scope.

oracle/no_max_request_size_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached maximum request size policy at a higher scope.

oracle/no_mex_request_processing_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web service metadata exchange policy at a higher scope.

oracle/no_mtom_encode_fault_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP fault MTOM encoding policy at a higher scope.

oracle/no_persistence_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached persistence policy at a higher scope.

oracle/no_pox_http_binding_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Plain Old XML (POX) policy at a higher scope.

oracle/no_request_processing_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached request processing policy at a higher scope.

oracle/no_schema_validation_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached schema validation policy at a higher scope.

oracle/no_soap_request_processing_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP request processing policy at a higher scope.

oracle/no_test_page_processing_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached test page processing policy at a higher scope.

oracle/no_ws_logging_level_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached logging policy at a higher scope.

oracle/no_wsdl_request_processing_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WSDL request processing policy at a higher scope.

oracle/persistence_policy

Configures the secure conversation persistence mechanism for the Web service.

oracle/pox_http_binding_service_policy

Enables an endpoint to receive non-SOAP XML messages that are processed by a user defined javax.xml.ws.Provider<T>.invoke method.

oracle/request_processing_service_policy

Enables the Web service endpoint to process incoming requests.

oracle/schema_validation_policy

Enables the validation of request messages against the schema.

oracle/soap_request_processing_service_policy

Enables the processing of SOAP requests on the Web service endpoint.

oracle/test_page_processing_policy

Enables the Web Service Test Client, as described in "Using the Web Services Test Client" in Administering Web Services.

oracle/ws_logging_level_policy

Sets the logging level for diagnostic logs for the Web service endpoint.

oracle/wsdl_request_processing_service_policy

Enables access to the WSDL for the Web service.


For more information about attaching configuration policies, see:

18.3.1 oracle/async_web_service_policy

Display Name: Async Web Service Policy

Category: Configuration

Description

Enables and configures an asynchronous Web service.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-8 lists the configuration properties that you can override for asynchronous Web services.

Table 18-8 Configuration Properties for oracle/async_web_service_policy

Name: jms.access.user
Description: The user that is authorized to use the JMS queues.

Note: For most users, the OracleSystemUser is sufficient. However, if you need to change this user to another user in your security realm, you can do so using the instructions provided in "Changing the JMS System User for Asynchronous Web Services Using Fusion Middleware Control" in Administering Web Services.
Default: OracleSystemUser
Required?: Optional

Name: jms.connection.factory
Description: Name of the connection factory for the JMS request queue.
Default: weblogic.jms.XAConnectionFactory (default JMS connection factory)
Required?: Optional

Name: jms.queue
Description: Name of the request queue.
Default: oracle.j2ee.ws.server.async.DefaultRequestQueue
Required?: Optional

Name: jms.response.connection.factory
Description: Name of the connection factory for the JMS response queue.
Default: weblogic.jms.XAConnectionFactory (default JMS connection factory)
Required?: Optional

Name: jms.response.queue
Description: Name of the response queue.
Default: oracle.j2ee.ws.server.async.DefaultResponseQueue
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.2 oracle/cache_binary_content_policy

Display Name: Cache Binary Content Policy

Category: Configuration

Description

Enables and configures support for binary caching of content.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-9 lists the configuration properties that you can override for binary caching.

Table 18-9 Configuration Properties for oracle/cache_binary_content_policy

Name: mode
Description: Value that specifies the runtime requirements of XTI scalable DOM in OraSAAJ. Valid values include:

  • com.oracle.webservices.api.CacheBinaryContentMode.BINARY—Fastest, but most memory intensive. Not recommended for production.

  • com.oracle.webservices.api.CacheBinaryContentMode.FILE—One temporary file per document. Recommended approach. You must specify the directory in which to store the temporary files as arg1.

  • com.oracle.webservices.api.CacheBinaryContentMode.BLOB—Slowest. You must specify the URL of the DBMS connection as arg1.

Default: BINARY
Required?: Optional

Name: arg1
Description: Value whose meaning depends on the mode setting:

  • If mode is set to BINARY, this argument is not required.

  • If mode is set to FILE, specifies the directory in which to store the temporary files.

  • If mode is set to BLOB, specifies the URL of the DBMS connection.

Default: java.io.tmpdir
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.3 oracle/fast_infoset_client_policy

Display Name: Fast Infoset Client Policy

Category: Configuration

Description

Enables and configures Fast Infoset on the Web service client.

For more information about Fast Infoset, see:

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-10 lists the configuration properties that you can override for Fast Infoset clients.

Table 18-10 Configuration Properties for oracle/fast_infoset_client_policy

Name: fast.infoset.content.negotiation
Description: Value that specifies the Fast Infoset content negotiation setting. Valid values include:

  • OPTIMISTIC—Assumes that Fast Infoset is enabled on the service.

  • PESSIMISTIC—The initial request from the client is sent without Fast Infoset enabled. If it is determined that Fast Infoset is enabled on the service, subsequent requests will be sent with Fast Infoset enabled on the client.

  • NONE—Client does not support Fast Infoset.

Default: NONE
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.4 oracle/fast_infoset_service_policy

Display Name: Fast Infoset Service Policy

Category: Configuration

Description

Enables Fast Infoset on the Web service.

For more information about Fast Infoset, see:

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-11 lists the configuration properties that you can override for Fast Infoset Web services.

Table 18-11 Configuration Properties for oracle/fast_infoset_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.5 oracle/max_request_size_policy

Display Name: Max Request Size Policy

Category: Configuration

Description

Configures the maximum size, in bytes, of the request message that can be sent to the Web service.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-12 lists the configuration properties that you can override when enabling maximum request size on the Web service.

Table 18-12 Configuration Properties for oracle/max_request_size_policy

Name: max.request.size
Description: Maximum size of the request message, in bytes.

A value of -1 indicates that there is no maximum request size.
Default: -1
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional
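As an added illustration of what a maximum-request-size limit protects against (a client forcing the server to buffer and parse an arbitrarily large message), here is a small Python request-size guard with the same semantics as max.request.size: a byte count, with -1 meaning no maximum. This is example code written for this page, not OWSM code and not a description of how OWSM enforces the policy; the handler, the Content-Length pre-check, the chunk size and the sample messages are all constructed for the example.

```python
"""Request-size guard with the semantics of max.request.size.

Added example, not Oracle/OWSM code: the byte-count limit and the -1
"no maximum" sentinel follow the policy table; the handler, the
Content-Length pre-check and the sample messages are constructed here.
"""
import io
import xml.etree.ElementTree as ET

UNLIMITED = -1  # same sentinel the policy table documents


class RequestTooLarge(Exception):
    """Raised as soon as the body exceeds the configured limit."""

    def __init__(self, limit, seen):
        super().__init__(f"request exceeds {limit} bytes (read {seen} so far)")
        self.limit = limit
        self.seen = seen


def read_body_bounded(stream, max_request_size, chunk_size=4096):
    """Read the request body from `stream`, stopping as soon as the limit is
    passed. An oversized request therefore costs at most limit + one chunk of
    memory instead of being buffered whole before anyone looks at its size."""
    if max_request_size == UNLIMITED:
        return stream.read()
    if max_request_size < 0:
        raise ValueError("max_request_size must be -1 or a non-negative byte count")
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_request_size:
            raise RequestTooLarge(max_request_size, len(buf))


def declared_length_ok(headers, max_request_size):
    """Cheap pre-check on Content-Length. The header is client-controlled, so a
    small or missing value is never taken as proof that the body is small; it
    only lets an honestly declared oversize request be rejected before any
    body bytes are read."""
    if max_request_size == UNLIMITED:
        return True
    value = headers.get("Content-Length")
    if value is None:
        return True  # chunked or unknown length: the streaming read decides
    try:
        return int(value) <= max_request_size
    except ValueError:
        return False  # malformed header: reject outright


def handle_request(headers, stream, max_request_size):
    """Return ('accepted', root_tag) or ('rejected', reason).
    The XML parser only ever sees a body that passed the size check."""
    if not declared_length_ok(headers, max_request_size):
        return ("rejected", "declared Content-Length exceeds limit")
    try:
        body = read_body_bounded(stream, max_request_size)
    except RequestTooLarge as exc:
        return ("rejected", str(exc))
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("rejected", "malformed XML")
    return ("accepted", root.tag)


# Constructed sample messages (not captured traffic).
SMALL_SOAP = (b'<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'
              b"<Body><ping/></Body></Envelope>")
BIG_BODY = b"<a>" + b"x" * 5000 + b"</a>"


def run_sample(max_request_size, body=SMALL_SOAP, headers=None):
    """Convenience wrapper: feed one in-memory message through the handler."""
    return handle_request(headers or {}, io.BytesIO(body), max_request_size)


if __name__ == "__main__":
    print(run_sample(1024))                                                  # accepted
    print(run_sample(1024, headers={"Content-Length": "5000"}))              # rejected by header
    print(run_sample(1024, body=BIG_BODY, headers={"Content-Length": "100"}))  # rejected by stream
    print(run_sample(UNLIMITED, body=BIG_BODY))                              # accepted, no limit
```

The design point is the order of the checks: the Content-Length pre-check is cheap but untrusted, the bounded streaming read is what actually enforces the limit (so a request that under-declares its length or uses chunked encoding still cannot get a large body buffered), and XML parsing runs only on a body that has already passed. A limit of -1 turns both checks off, which is why the page's default deserves a deliberate decision on any endpoint exposed to untrusted callers.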


18.3.6 oracle/mex_request_processing_service_policy

Display Name: MEX Request Processing Service Policy

Category: Configuration

Description

Enables the exchange of Web service metadata.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-13 lists the configuration properties that you can override when enabling the exchange of Web service metadata.

Table 18-13 Configuration Properties for oracle/mex_request_processing_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.7 oracle/mtom_encode_fault_service_policy

Display Name: MTOM Encode Fault Service Policy

Category: Configuration

Description

Enables the creation of MTOM-enabled SOAP fault messages when MTOM is enabled.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-14 lists the configuration properties that you can override when enabling MTOM encoding for SOAP faults.

Table 18-14 Configuration Properties for oracle/mtom_encode_fault_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.8 oracle/no_async_web_service_policy

Display Name: No Async Web Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached asynchronous Web service policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-15 lists the configuration property that you can override for the no behavior policy.

Table 18-15 Configuration Property for oracle/no_async_web_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.9 oracle/no_cache_binary_content_policy

Display Name: No Cache Binary Content Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached binary caching policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-16 lists the configuration property that you can override for the no behavior policy.

Table 18-16 Configuration Property for oracle/no_cache_binary_content_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.10 oracle/no_fast_infoset_client_policy

Display Name: No Fast Infoset Client Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset client policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-17 lists the configuration property that you can override for the no behavior policy.

Table 18-17 Configuration Property for oracle/no_fast_infoset_client_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.11 oracle/no_fast_infoset_service_policy

Display Name: No Fast Infoset Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Fast Infoset service policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-18 lists the configuration property that you can override for the no behavior policy.

Table 18-18 Configuration Property for oracle/no_fast_infoset_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.12 oracle/no_max_request_size_policy

Display Name: No Max Request Size Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached maximum request size policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-19 lists the configuration property that you can override for the no behavior policy.

Table 18-19 Configuration Property for oracle/no_max_request_size_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.3.13 oracle/no_mex_request_processing_service_policy

Display Name: No MEX Request Processing Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web service metadata exchange policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-20 lists the configuration property that you can override for the no behavior policy.

Table 18-20 Configuration Property for oracle/no_mex_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.14 oracle/no_mtom_encode_fault_service_policy

Display Name: No MTOM Encode Fault Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP fault MTOM encoding policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-21 lists the configuration property that you can override for the no behavior policy.

Table 18-21 Configuration Property for oracle/no_mtom_encode_fault_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.15 oracle/no_persistence_policy

Display Name: No Persistence Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached persistence policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-22 lists the configuration property that you can override for the no behavior policy.

Table 18-22 Configuration Property for oracle/no_persistence_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.16 oracle/no_pox_http_binding_service_policy

Display Name: No Pox Http Binding Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Plain Old XML (POX) policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-23 lists the configuration property that you can override for the no behavior policy.

Table 18-23 Configuration Property for oracle/no_pox_http_binding_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.17 oracle/no_request_processing_service_policy

Display Name: No Request Processing Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached request processing policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-24 lists the configuration property that you can override for the no behavior policy.

Table 18-24 Configuration Property for oracle/no_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.18 oracle/no_schema_validation_policy

Display Name: No Schema Validation Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached schema validation policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-25 lists the configuration property that you can override for the no behavior policy.

Table 18-25 Configuration Property for oracle/no_schema_validation_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.19 oracle/no_soap_request_processing_service_policy

Display Name: No Soap Request Processing Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP request processing policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-26 lists the configuration property that you can override for the no behavior policy.

Table 18-26 Configuration Property for oracle/no_soap_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.20 oracle/no_test_page_processing_service_policy

Display Name: No Test Page Processing Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached test page processing policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-27 lists the configuration property that you can override for the no behavior policy.

Table 18-27 Configuration Property for oracle/no_test_page_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.21 oracle/no_ws_logging_level_policy

Display Name: No Ws Logging Level Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached logging policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-28 lists the configuration property that you can override for the no behavior policy.

Table 18-28 Configuration Property for oracle/no_ws_logging_level_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.22 oracle/no_wsdl_request_processing_service_policy

Display Name: No Wsdl Request Processing Service Policy

Category: Configuration

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WSDL request processing policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-29 lists the configuration property that you can override for the no behavior policy.

Table 18-29 Configuration Property for oracle/no_wsdl_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.23 oracle/persistence_policy

Display Name: Persistence Policy

Category: Configuration

Description

Configures the secure conversation persistence mechanism for the Web service.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-30 lists the configuration properties that you can override when enabling the policy.

Table 18-30 Configuration Properties for oracle/persistence_policy

Attribute           Description                                                        Default                                Required?
providerName        Identifies the persistence provider registered in the system.      oracle:jrf:Coherence, when available.  Optional
                    Possible values are:
                      • oracle:jrf:Memory is the in-memory-based persistence provider.
                      • oracle:jrf:Coherence is the integrated Coherence provider.
                    Note: For J2SE clients, you can configure oracle:jrf:Memory only.
reference.priority  See "reference.priority".                                          None                                   Optional


18.3.24 oracle/pox_http_binding_service_policy

Display Name: Pox Http Binding Service Policy

Category: Configuration

Description

Enables an endpoint to receive non-SOAP XML messages that are processed by a user-defined javax.xml.ws.Provider<T>.invoke method.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-31 lists the configuration property that you can override when enabling the policy.

Table 18-31 Configuration Property for oracle/pox_http_binding_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.25 oracle/request_processing_service_policy

Display Name: Request Processing Service Policy

Category: Configuration

Description

Enables the Web service endpoint to process incoming requests.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-32 lists the configuration property that you can override when enabling this policy.

Table 18-32 Configuration Property for oracle/request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.26 oracle/schema_validation_policy

Display Name: Schema Validation Policy

Category: Configuration

Description

Enables the validation of request messages against the schema.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-33 lists the configuration property that you can override when enabling this policy.

Table 18-33 Configuration Property for oracle/schema_validation_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.27 oracle/soap_request_processing_service_policy

Display Name: Soap Request Processing Service Policy

Category: Configuration

Description

Enables the processing of SOAP requests on the Web service endpoint.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-34 lists the configuration property that you can override when enabling this policy.

Table 18-34 Configuration Property for oracle/soap_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.28 oracle/test_page_processing_policy

Display Name: Test Page Processing Service Policy

Category: Configuration

Description

Enables the Web Service Test Client, as described in "Using the Web Services Test Client" in Administering Web Services.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-35 lists the configuration property that you can override when enabling this policy.

Table 18-35 Configuration Property for oracle/test_page_processing_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.3.29 oracle/ws_logging_level_policy

Display Name: Ws Logging Level Policy

Category: Configuration

Description

Sets the logging level for diagnostic logs for the Web service endpoint.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-36 lists the configuration properties that you can override when enabling this policy.

Table 18-36 Configuration Properties for oracle/ws_logging_level_policy

Name                Description                                               Default  Required?
logging.level       Defines the logging level. Valid values include: SEVERE,  None     Optional
                    WARNING, INFO, CONFIG, FINE, FINER, FINEST, or NULL.
reference.priority  See "reference.priority".                                 None     Optional


18.3.30 oracle/wsdl_request_processing_service_policy

Display Name: Wsdl Request Processing Service

Category: Configuration

Description

Enables access to the WSDL for the Web service.

Note:

Please note the following:

  • This configuration policy cannot be duplicated.

  • The assertion template associated with this configuration policy is not available for generating new policies.

  • This configuration policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-37 lists the configuration property that you can override when enabling this policy.

Table 18-37 Configuration Property for oracle/wsdl_request_processing_service_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional
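The scope-override rule stated for each no behavior policy above, modeled as an added Python example (not OWSM code and not from this guide): a no_* policy attached directly to an endpoint, or globally at a lower scope, wins over the matching policy attached globally at a higher scope, and a raised reference.priority can keep the higher-scope attachment in force. The scope order, the precedence rule and the policy-to-behavior table are assumptions made for this illustration; disabled_behaviors() is the check a reviewer would run to see which behaviors (schema validation, logging, persistence, MTOM) an endpoint has effectively switched off.

```python
"""Added example (not OWSM code): model of the scope-override rule that this
chapter states for every oracle/no_*_policy.  The scope order, the
reference.priority tie-break and the policy-to-behavior table are assumptions
made for this illustration."""
from dataclasses import dataclass

# Assumed attachment scopes, broadest first; "Endpoint" stands for a direct attachment.
SCOPES = ["Domain", "Server", "Application", "Module", "Endpoint"]

# Constructed table: behavior -> (policy that enables it, no behavior policy that
# neutralises it).  Policy names are the ones documented in this chapter.
BEHAVIORS = {
    "schema_validation": ("oracle/schema_validation_policy",
                          "oracle/no_schema_validation_policy"),
    "ws_logging_level": ("oracle/ws_logging_level_policy",
                         "oracle/no_ws_logging_level_policy"),
    "persistence": ("oracle/persistence_policy", "oracle/no_persistence_policy"),
    "mtom": ("oracle/wsmtom_policy", "oracle/no_mtom_policy"),
}
POLICY_TO_BEHAVIOR = {name: b for b, pair in BEHAVIORS.items() for name in pair}
NO_BEHAVIOR_POLICIES = {pair[1] for pair in BEHAVIORS.values()}


@dataclass(frozen=True)
class Attachment:
    """One policy attachment: the policy, the scope it is attached at and its
    reference.priority override (assumed to default to 0 when not set)."""
    policy: str
    scope: str
    priority: int = 0


def precedence(att):
    """Assumed ordering: a higher reference.priority always wins; on a tie the
    narrower scope wins, so a direct Endpoint attachment beats any global one."""
    if att.scope not in SCOPES:
        raise ValueError(f"unknown scope {att.scope!r}")
    return (att.priority, SCOPES.index(att.scope))


def effective_attachments(attachments):
    """Return {behavior: winning Attachment} for one endpoint's attachments."""
    winners = {}
    for att in attachments:
        rank = precedence(att)  # validates the scope before anything else
        behavior = POLICY_TO_BEHAVIOR[att.policy]
        current = winners.get(behavior)
        if current is None or rank > precedence(current):
            winners[behavior] = att
    return winners


def disabled_behaviors(attachments):
    """Audit view: behaviors whose effective policy is a no behavior policy,
    mapped to the scope whose attachment neutralised them."""
    return {behavior: att.scope
            for behavior, att in effective_attachments(attachments).items()
            if att.policy in NO_BEHAVIOR_POLICIES}


# Constructed sample: the attachments in effect for one endpoint.
SAMPLE = [
    Attachment("oracle/schema_validation_policy", "Domain"),
    Attachment("oracle/wsmtom_policy", "Domain"),
    Attachment("oracle/persistence_policy", "Application"),
    # reference.priority raised so the Domain logging policy survives overrides
    Attachment("oracle/ws_logging_level_policy", "Domain", priority=10),
    Attachment("oracle/no_ws_logging_level_policy", "Server"),
    Attachment("oracle/no_persistence_policy", "Module"),
    Attachment("oracle/no_schema_validation_policy", "Endpoint"),  # direct attachment
]

if __name__ == "__main__":
    for behavior, att in sorted(effective_attachments(SAMPLE).items()):
        print(f"{behavior:18} <- {att.policy} @ {att.scope} (priority {att.priority})")
    print("disabled:", disabled_behaviors(SAMPLE))
```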


18.4 Management Policies

Table 18-38 summarizes the predefined OWSM management policies.

Table 18-38 Predefined OWSM Management Policies

Configuration Policy  Description
oracle/log_policy     Causes the request, response, and fault messages to be sent to a message log.


18.4.1 oracle/log_policy

Display Name: Log Policy

Category: Management

Description

Causes the request, response, and fault messages to be sent to a message log. By default, this policy logs the entire SOAP message for the request and just the SOAP body information for the response.

Messages are logged to the message log for the domain. For information about viewing and filtering message logs, see "Using Message Logs for Web Services" in Administering Web Services.

Note:

This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

Table 18-39 lists the configuration property that you can override for the log policy.

Table 18-39 Configuration Property for oracle/log_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.5 MTOM Policies

Table 18-40 summarizes the predefined OWSM Message Transmission Optimization Mechanism (MTOM) policies.

Table 18-40 Predefined OWSM MTOM Policies

Configuration Policy   Description
oracle/no_mtom_policy  When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS MTOM policy at a higher scope.
oracle/wsmtom_policy   Rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format.


For more information about attaching MTOM policies, see:

18.5.1 oracle/no_mtom_policy

Display Name: No Behavior MTOM Policy

Category: MTOM Attachments

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached MTOM policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-41 lists the configuration property that you can override for the no behavior policy.

Table 18-41 Configuration Property for oracle/no_mtom_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.5.2 oracle/wsmtom_policy

Display Name: WS MTOM Policy

Category: MTOM Attachments

Description

Rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM defines a method for optimizing the transmission of XML data of type xs:base64Binary or xs:hexBinary in SOAP messages. For more information about MTOM, see the following specifications for SOAP 1.2 and 1.1, respectively: http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405.

To enable MTOM on the client of the Web service, pass the javax.xml.ws.soap.MTOMFeature as a parameter when creating the Web service proxy or dispatch, as illustrated in the following example.

package examples.webservices.mtom.client;

import javax.xml.ws.soap.MTOMFeature;

// MtomService and MtomPortType are the proxy classes generated from the service WSDL.
public class Main {
  public static void main(String[] args) {
    String FOO = "FOO";
    MtomService service = new MtomService();
    // Passing MTOMFeature when obtaining the port enables MTOM on this client.
    MtomPortType port = service.getMtomPortTypePort(new MTOMFeature());
    String result = null;
    result = port.echoBinaryAsString(FOO.getBytes());
    System.out.println("Got result: " + result);
  }
}

Note:

Please note the following:

  • This MTOM policy cannot be duplicated.

  • The assertion template associated with this policy is not available for generating new policies.

  • This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-42 lists the configuration property that you can override for the MTOM policy.

Table 18-42 Configuration Property for oracle/wsmtom_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.6 Reliable Messaging Policies

Table 18-43 summarizes the predefined OWSM reliable messaging policies.

Table 18-43 Predefined OWSM Reliable Messaging Policies

Configuration Policy                 Description
oracle/no_reliable_messaging_policy  When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
oracle/no_wsrm_policy                When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
oracle/reliable_messaging_policy     Configures Web services reliable messaging on the Web service and client.
oracle/wsrm10_policy                 Configures version 1.0 of the Web Services Reliable Messaging protocol.
oracle/wsrm11_policy                 Configures version 1.1 of the Web Services Reliable Messaging protocol.


For more information about attaching reliable messaging policies, see:

18.6.1 oracle/no_reliable_messaging_policy

Display Name: No Reliable Messaging Policy

Category: Reliable Messaging

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

For more information about reliable messaging, see "Using Web Services Atomic Transactions" in Developing Oracle Infrastructure Web Services.

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-44 lists the configuration property that you can override for the no behavior policy.

Table 18-44 Configuration Property for oracle/no_reliable_messaging_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.6.2 oracle/no_wsrm_policy

Display Name: No Behavior RM Policy

Category: Reliable Messaging

Note:

This policy has been deprecated. Oracle recommends that you use the oracle/no_reliable_messaging_policy policy instead, as described in "oracle/no_reliable_messaging_policy".

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-45 lists the configuration property that you can override for the no behavior policy.

Table 18-45 Configuration Property for oracle/no_wsrm_policy

Name                Description                Default  Required?
reference.priority  See "reference.priority".  None     Optional


18.6.3 oracle/reliable_messaging_policy

Display Name: Reliable Messaging Policy

Category: Reliable Messaging

Description

Configures Web services reliable messaging on the Web service and client. This policy can be attached to any SOAP-based Web service and client.

The Web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client. When more than one version is enabled, the generated WSDL has policy alternatives for the given versions, which enables the client to select any version. The client must consistently use the selected version of the protocol for all interaction with a given sequence.

For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.

Example 18-1 illustrates a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to an RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).

Example 18-1 Sample Client Code for Web Services Reliable Messaging

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import oracle.webservices.rm.client.RMSessionLifecycle;

public class ClientServlet extends HttpServlet {

    public void doGet(HttpServletRequest request,
                      HttpServletResponse response) throws ServletException,
                                                           IOException {

        int num1 = Integer.parseInt(request.getParameter("num1"));
        int num2 = Integer.parseInt(request.getParameter("num2"));
        // Build the payload sent to the service from the two request parameters.
        String inputStr = num1 + " " + num2;
        String outputStr = null;

        // Create the service and retrieve the port used to talk to it.
        TestService service = new TestService();
        Test port = service.getTestPort();

        try {
            // Open one reliable messaging sequence for every message sent below.
            ((RMSessionLifecycle) port).openSession();
            outputStr = port.hello(inputStr);
        } catch (Exception e) {
            e.printStackTrace();
            outputStr = "Error: " + e.getMessage();
        } finally {
            // Close the sequence once all messages have been sent.
            ((RMSessionLifecycle) port).closeSession();
            response.getOutputStream().write(outputStr.getBytes());
        }
    }
}

Note:

Please note the following:

  • This reliable messaging policy cannot be duplicated.

  • The assertion template associated with this policy is not available for generating new policies.

  • This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-46 lists the configuration properties that you can override when enabling the policy.

Table 18-46 Configuration Properties for oracle/reliable_messaging_policy

Name: acknowledgement.interval
Description: Maximum interval, in milliseconds, in which the destination endpoint must transmit a standalone acknowledgement.
The value specified must be a positive value and conform to the XML schema duration lexical format, PnYnMnDTnHnMnS, where nY specifies the number of years, nM specifies the number of months, nD specifies the number of days, T is the date/time separator, nH specifies the number of hours, nM specifies the number of minutes, and nS specifies the number of seconds.
This value is set at sequence creation time, and cannot be reset.
Default: P0DT0.2S (200 milliseconds)
Required?: Optional

Name: destination.allowed.versions
Description: Reliable messaging version(s) supported.
When more than one version is enabled, the generated WSDL will list policy alternatives for the given versions, allowing the client to select the version. The client must use the selected version consistently for all interactions in a given sequence.
Valid values include:
  • DEFAULT (supports all versions)
  • WS_RM_1_0
  • WS_RM_1_1
  • WS_RM_1_2
Default: DEFAULT
Required?: Optional

Name: destination.non.buffered
Description: Flag indicating that non-buffered receipt of messages is requested.
This value is set at sequence creation time, and cannot be reset.
Default: false
Required?: Optional

Name: inactivity.timeout
Description: Number of milliseconds which defines an inactivity interval. After this amount of time, if the destination endpoint has not received a message from the source endpoint, the destination endpoint may consider the sequence to have terminated due to inactivity. The same is true for the source endpoint. By default, sequences never time out.
Implementations of RM source and RM destination are free to manage resources associated with the sequence as desired, but there are no guarantees that the sequence will be usable by either party after the inactivity timeout expires.
The value specified must be a positive value and conform to the XML schema duration lexical format, PnYnMnDTnHnMnS, where nY specifies the number of years, nM specifies the number of months, nD specifies the number of days, T is the date/time separator, nH specifies the number of hours, nM specifies the number of minutes, and nS specifies the number of seconds.
This value is set at sequence creation time, and cannot be reset.
Default: P0DT600S (600 seconds)
Required?: Optional

Name: max.retry.count
Description: Number of times that the JMS queue on the invoked WebLogic Server instance attempts to deliver the message to the Web service implementation until the operation is successfully invoked.
Default: -1
Required?: Optional

Name: optional
Description: Flag that specifies whether reliable messaging is required.
This flag enables a service endpoint to support reliable or non-reliable communication with different clients.
If optional is set to false, then every message sent to a service must be reliable. If optional is set to true, then a client can choose to send requests with or without the WS-RM protocol. In this case, the service is required to handle either.
When used in combination with an operation-level "required" WS-RM policy, operations without an explicit WS-RM policy do not need to be called with the WS-RM protocol, but operations with an explicit WS-RM policy must be called with the WS-RM protocol.
Default: false
Required?: Optional

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional

Name: sequence.q.o.s
Description: Delivery assurance for reliable messaging.
Valid values include:
  • EXACTLY_ONCE—Every message is delivered exactly once, without duplication.
  • AT_MOST_ONCE—Messages are delivered at most once, without duplication. It is possible that some messages may not be delivered at all.
  • AT_LEAST_ONCE—Every message is delivered at least once. It is possible that some messages are delivered more than once.
  • UNSPECIFIED
Default: EXACTLY_ONCE
Required?: Optional

Name: sequence.in.order
Description: Flag that specifies that messages are delivered in the order that they were sent.
Default: false
Required?: Optional

Name: sequence.expiration
Description: Amount of time after which the reliable Web service expires and does not accept any new sequence messages.
If this limit is reached before the sequence naturally completes, it will be forcibly terminated.
The value specified must be a positive value and conform to the XML schema duration lexical format, PnYnMnDTnHnMnS, where nY specifies the number of years, nM specifies the number of months, nD specifies the number of days, T is the date/time separator, nH specifies the number of hours, nM specifies the number of minutes, and nS specifies the number of seconds.
This value is set at sequence creation time, and cannot be reset.
Default: P1D (1 day)
Required?: Optional

Name: sequence.s.t.r
Description: Flag that specifies that, in order to secure messages in a reliable sequence, the runtime will use the wsse:SecurityTokenReference that is referenced in the CreateSequence message.
Default: false
Required?: Optional

Name: sequence.transport.security
Description: Flag that specifies that, in order to secure messages in a reliable sequence, the RM Sequence must be bound to the session(s) of the underlying transport-level protocol used to carry the CreateSequence and CreateSequenceResponse messages.
When present, this assertion must be used in conjunction with the sp:TransportBinding assertion.
Default: false
Required?: Optional

Name: source.backoff.algorithm
Description: Backoff algorithm.
If a destination endpoint does not acknowledge a sequence of messages for the time interval specified by the base retransmission interval (source.base.retransmission.interval), the configured backoff algorithm is used for timing successive retransmissions by the source endpoint, should the message continue to go unacknowledged.
Valid values include:
  • EXPONENTIAL—Successive retransmission intervals increase exponentially, based on the base retransmission interval. For example, if the base retransmission interval is 2 seconds and exponential backoff is set, the successive retransmission intervals while messages continue to go unacknowledged are 2, 4, 8, 16, 32 seconds, and so on.
  • CONSTANT—The same retransmission interval is used in successive retries.
  • NONE
This value is set at sequence creation time, and cannot be reset.
Default: NONE
Required?: Optional

Name: source.base.retransmission.interval
Description: Interval of time that must pass before a message will be retransmitted to the RM destination (in the event a prior transmission failed).
This interval can be used in conjunction with the backoff algorithm (source.backoff.algorithm) to specify the algorithm that is used to adjust the retransmission interval.
The value specified must be a positive value and conform to the XML schema duration lexical format, PnYnMnDTnHnMnS, where nY specifies the number of years, nM specifies the number of months, nD specifies the number of days, T is the date/time separator, nH specifies the number of hours, nM specifies the number of minutes, and nS specifies the number of seconds.
This value is set at sequence creation time, and cannot be reset.
Default: P0DT3S
Required?: Optional

Name: source.version
Description: Reliable messaging version(s) supported by the RM source.
When the service WSDL contains policy alternatives for multiple RM versions, the client can select the version with this attribute. If the WSDL contains multiple RM versions and this attribute is not explicitly set, RM 1.2 is used when the WSDL offers it; otherwise the highest version in the WSDL is used.
Valid values include:
  • DEFAULT (supports all versions)
  • WS_RM_1_0
  • WS_RM_1_1
  • WS_RM_1_2
If the WSDL contains only one RM version, this attribute is ignored and the version in the WSDL is used.
Default: WS_RM_1_2
Required?: Optional
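The duration format and the backoff behaviour described in the table above, as an added illustration that is not part of the Oracle documentation or of the OWSM code base: a parser for the PnYnMnDTnHnMnS lexical format with the positivity check the table requires, and the retransmission schedule that results from source.base.retransmission.interval, source.backoff.algorithm and inactivity.timeout. The 365-day year and 30-day month, and the treatment of NONE as "reuse the base interval unchanged", are assumptions of this example.

```python
"""Added example: XML Schema duration values and retransmission backoff as
used by the OWSM reliable messaging properties (not Oracle's own code)."""
import re
from decimal import Decimal
from typing import List

# Lexical format PnYnMnDTnHnMnS. Only the seconds field may carry a fraction,
# and the T separator may appear only when at least one time field follows it.
_DURATION_RE = re.compile(
    r"P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?"
    r"(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?"
)

# Assumption: XML Schema gives years and months no fixed length; this example
# approximates them (365 and 30 days) so that every lexical value maps to one
# millisecond count. The defaults in the table only use days and seconds.
_MS_PER_UNIT = {
    "years": 365 * 86_400_000,
    "months": 30 * 86_400_000,
    "days": 86_400_000,
    "hours": 3_600_000,
    "minutes": 60_000,
    "seconds": 1_000,
}
_TIME_FIELDS = ("hours", "minutes", "seconds")


def parse_xsd_duration_ms(text: str) -> int:
    """Convert a PnYnMnDTnHnMnS value to milliseconds.

    Enforces the rule stated for acknowledgement.interval, inactivity.timeout,
    sequence.expiration and source.base.retransmission.interval: the value
    must be positive and conform to the lexical format.
    """
    value = text.strip()
    match = _DURATION_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not an XML Schema duration: {text!r}")
    fields = {k: v for k, v in match.groupdict().items() if v is not None}
    if not fields:
        raise ValueError(f"duration has no components: {text!r}")
    if "T" in value and not any(k in fields for k in _TIME_FIELDS):
        raise ValueError(f"T separator without a time component: {text!r}")
    total = sum(Decimal(v) * _MS_PER_UNIT[k] for k, v in fields.items())
    if total <= 0:
        raise ValueError(f"duration must be positive: {text!r}")
    return int(total.to_integral_value())


def is_valid_duration(text: str) -> bool:
    """True when parse_xsd_duration_ms accepts the value."""
    try:
        parse_xsd_duration_ms(text)
        return True
    except ValueError:
        return False


def retransmission_schedule(base: str, algorithm: str,
                            inactivity_timeout: str) -> List[int]:
    """Offsets (ms after the first transmission) at which the RM source
    retransmits a message that is still unacknowledged.

    base and inactivity_timeout are duration strings as configured in
    source.base.retransmission.interval and inactivity.timeout. Retransmission
    stops once the next attempt would fall at or after the inactivity timeout,
    because either side may then treat the sequence as terminated.
    """
    if algorithm not in ("EXPONENTIAL", "CONSTANT", "NONE"):
        raise ValueError(f"unknown source.backoff.algorithm: {algorithm!r}")
    limit = parse_xsd_duration_ms(inactivity_timeout)
    interval = parse_xsd_duration_ms(base)
    offsets: List[int] = []
    elapsed = 0
    while elapsed + interval < limit:
        elapsed += interval
        offsets.append(elapsed)
        if algorithm == "EXPONENTIAL":
            # Each unacknowledged retry doubles the wait: 2, 4, 8, 16, ... s
            # for a 2-second base, as the table describes.
            interval *= 2
        # Assumption: the table does not define NONE beyond "no backoff";
        # here NONE, like CONSTANT, reuses the base interval unchanged.
    return offsets


if __name__ == "__main__":
    # Duration values that appear as defaults in the table above.
    for text in ("P0DT3S", "P0DT600S", "P1D", "P0DT0.2S"):
        print(text, "=", parse_xsd_duration_ms(text), "ms")
    print("EXPONENTIAL, 2 s base, 60 s inactivity timeout:",
          retransmission_schedule("P0DT2S", "EXPONENTIAL", "P0DT60S"))
```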


18.6.4 oracle/wsrm10_policy

Display Name: WS RM10 Policy

Category: Reliable Messaging

Note:

This policy has been deprecated. Oracle recommends that you use the oracle/reliable_messaging policy, as described in "oracle/reliable_messaging_policy".

Description

Configures version 1.0 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint.

The Web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client.

For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.

Example 18-1 illustrates a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to an RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).

Note:

Please note the following:

  • This reliable messaging policy cannot be duplicated.

  • The assertion template associated with this policy is not available for generating new policies.

  • This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-47 lists the configuration properties that you can override for the reliable messaging policy.

Table 18-47 Configuration Properties for the wsrm10_policy

Name: DeliveryAssurance
Description: Delivery assurance. The following defines the delivery assurance types:
  • At Most Once—Messages are delivered at most once, without duplication.
  • At Least Once—Every message is delivered at least once. It is possible that some messages are delivered more than once.
  • Exactly Once—Every message is delivered exactly once, without duplication.
  • In Order—Messages are delivered in the order that they were sent. This delivery assurance can be combined with one of the preceding three assurances.
In addition, you can configure whether messages are delivered in the order that they were sent.
Valid values include:
  • AtLeastOnce
  • AtLeastOnceInOrder
  • AtMostOnce
  • AtMostOnceInOrder
  • ExactlyOnce
  • ExactlyOnceInOrder
  • InOrder
Default: InOrder
Required?: Optional

Name: StoreType
Description: Type of message store.
Valid values include:
  • FileSystem (not fully supported)
  • InMemory
  • JDBC
Default: InMemory
Required?: Optional

Name: StoreName
Description: Name of the message store.
Default: oracle
Required?: Optional

Name: jdbc-connection-name
Description: JNDI reference to a JDBC data source. This field is valid only if StoreType is set to JDBC. This value takes precedence over jdbc-connection-url. The username and password will be used if both are present.
Default: jdbc/MessagesStore
Required?: Optional

Name: InactivityTimeout
Description: Number of milliseconds which defines an inactivity interval. After this amount of time, if the destination endpoint has not received a message from the source endpoint, the destination endpoint may consider the sequence to have terminated due to inactivity. The same is true for the source endpoint. By default, sequences never time out.
Implementations of RM source and RM destination are free to manage resources associated with the sequence as desired, but there are no guarantees that the sequence will be usable by either party after the inactivity timeout expires.
Default: 600000
Required?: Optional

Name: BaseRetransmissionInterval
Description: Interval of time that must pass before a message will be retransmitted to the RM destination (in the event a prior transmission failed).
Default: 3000
Required?: Optional


18.6.5 oracle/wsrm11_policy

Display Name: WS RM11 Policy

Category: Reliable Messaging

Note:

This policy has been deprecated. Oracle recommends that you use the oracle/reliable_messaging policy, as described in "oracle/reliable_messaging_policy".

Description

Configures version 1.1 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint.

The Web service client will automatically detect the WSDL policy assertions at run time and use them to enable the advertised version of reliable messaging on the client.

For multi-message sequences, the client code must include explicit invocations of methods for delimiting sequence boundaries. Otherwise, every message is wrapped in its own sequence. Edit the client to enable a reliable messaging session for the messages sent to the service. The oracle.webservices.rm.client.RMSessionLifecycle interface provides the client with a mechanism for demarcating reliable messaging sequence boundaries.

Example 18-1 illustrates a servlet client. In this example, a new TestService is created. The TestPort, through which the client will communicate with the service, is retrieved. The port object is cast to an RMSessionLifecycle object and a reliable messaging session is opened on it (openSession). After the messages are sent to the service, the session is closed (closeSession).

Note:

Please note the following:

  • This reliable messaging policy cannot be duplicated.

  • The assertion template associated with this policy is not available for generating new policies.

  • This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

An assertion template is not provided for creating this policy. For that reason, it is important that you do not delete this policy. To recreate it you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-47 lists the configuration properties that you can override for this policy.

18.7 Security Policies—Authentication Only

Table 18-48 summarizes the predefined OWSM authentication only security policies.

Note:

There are no predefined policies for two authentication only scenarios: Kerberos over SSL and SPNEGO. To use these scenarios, create your own policies that use the Kerberos over SSL and SPNEGO assertion templates described in "Predefined Assertion Templates".

Table 18-48 Predefined OWSM Authentication Only Policies

Configuration Policy Description

oracle/http_basic_auth_over_ssl_client_policy

Includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS.

oracle/http_basic_auth_over_ssl_service_policy

Uses the credentials in the HTTP header to authenticate users against the OPSS identity store and verifies that the transport protocol is HTTPS.

oracle/http_oam_token_service_policy

Verifies that the OAM agent has authenticated the user and has established an identity.

oracle/http_saml20_token_bearer_client_policy

Includes a SAML Bearer V2.0 token in the HTTP header.

oracle/http_saml20_token_bearer_service_policy

Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header.

oracle/http_saml20_token_bearer_over_ssl_client_policy

Includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically, and verifies that the transport protocol provides SSL message protection.

oracle/http_saml20_bearer_token_over_ssl_service_policy

Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header, and verifies that the transport protocol provides SSL message protection.

oracle/multi_token_rest_service_policy

Enforces one of the following authentication policies, based on the token sent by the client:

  • HTTP Basic—Extracts username and password credentials from the HTTP header.

  • SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.

  • HTTP OAM security—Verifies that the OAM agent has authenticated the user and established an identity.

  • SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.

oracle/multi_token_over_ssl_rest_service_policy

Enforces one of the following authentication policies, based on the token sent by the client:

  • HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.

  • SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.

  • HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated the user and established an identity.

  • SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO token information from the HTTP header.

oracle/no_authentication_client_policy

When directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope.

oracle/no_authentication_service_policy

When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope.

oracle/wss_http_token_client_policy

Includes credentials in the HTTP header for outbound client requests.

oracle/wss_http_token_service_policy

Uses the credentials in the HTTP header to authenticate users against the OPSS identity store.

oracle/wss_username_token_client_policy

Includes credentials in the WS-Security UsernameToken header for all outbound SOAP request messages.

oracle/wss_username_token_service_policy

Uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users.

oracle/wss10_saml_token_client_policy

Includes SAML tokens in outbound SOAP request messages.

oracle/wss10_saml_token_service_policy

Authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

oracle/wss10_saml20_token_client_policy

Includes SAML tokens in outbound SOAP request messages.

oracle/wss10_saml20_token_service_policy

Authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

oracle/wss11_kerberos_token_client_policy

Includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

oracle/wss11_kerberos_token_service_policy

Extracts the Kerberos token from the SOAP header and authenticates the user.


18.7.1 oracle/http_basic_auth_over_ssl_client_policy

Display Name: HTTP Basic Auth Over SSL Client Policy

Category: Security

Description

Includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.2 oracle/http_basic_auth_over_ssl_service_policy

Display Name: HTTP Basic Auth Over SSL Service Policy

Category: Security

Description

Uses the credentials in the HTTP header to authenticate users against the OPSS identity store and verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.

Note:

This policy functions similarly to oracle/wss_http_token_over_ssl_service_policy. The difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element to prevent replay attacks, a feature that is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.3 oracle/http_oam_token_service_policy

Display Name: HTTP OAM Service Policy

Category: Security

Description

Verifies that the OAM agent has authenticated the user and has established an identity. This policy can be enforced on any HTTP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

For more information, see:

18.7.4 oracle/http_saml20_token_bearer_client_policy

Display Name: HTTP Saml Bearer V2.0 Token Client Policy

Category: Security

Description

Includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. This policy can be enforced on any HTTP-based client endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy, override the configuration properties defined in Table 19-5, "http_saml20_token_bearer_client_template Configuration Properties". For more information, see "Overriding Policy Configuration Properties".

Design Time Considerations

Configure SAML for the Web service client at design time, as described in "How to Configure SAML Web Service Client at Design Time".

18.7.5 oracle/http_saml20_token_bearer_service_policy

Display Name: HTTP Saml Bearer V2.0 Token Service Policy

Category: Security

Description

Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.6 oracle/http_saml20_token_bearer_over_ssl_client_policy

Display Name: HTTP Saml Bearer V2.0 Token Over SSL Client Policy

Category: Security

Description

Includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically, and verifies that the transport protocol provides SSL message protection. This policy can be attached to any HTTP-based client endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

Configure SAML for the Web service client at design time, as described in "How to Configure SAML Web Service Client at Design Time".

18.7.7 oracle/http_saml20_bearer_token_over_ssl_service_policy

Display Name: HTTP Saml Bearer V2.0 Token Service Policy

Category: Security

Description

Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header, and verifies that the transport protocol provides SSL message protection. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.8 oracle/multi_token_rest_service_policy

Display Name: Multi Token RESTful Service Policy

Category: Security

Description

Enforces one of the following authentication policies, based on the token sent by the client:

  • HTTP Basic—Extracts username and password credentials from the HTTP header.

  • SAML v2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.

  • HTTP OAM security—Verifies that the OAM agent has authenticated the user and established an identity.

  • SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.

Assertion Templates (OR Group)

This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:

Configuration

To configure the policy:

18.7.9 oracle/multi_token_over_ssl_rest_service_policy

Display Name: Multi Token Over SSL RESTful Service Policy

Category: Configuration

Description

Enforces one of the following authentication policies, based on the token sent by the client:

  • HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.

  • SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.

  • HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated the user and established an identity.

  • SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO token information from the HTTP header.

Assertion Templates (OR Group)

This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:

Configuration

To configure the policy:

18.7.10 oracle/no_authentication_client_policy

Display Name: No Behavior Authentication Client Policy

Category: Security

Description

When directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled as well. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-49 lists the configuration property that you can override for the no behavior policy.

Table 18-49 Configuration Property for oracle/no_authentication_client_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.7.11 oracle/no_authentication_service_policy

Display Name: No Behavior Authentication Service Policy

Category: Security

Description

When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-50 lists the configuration property that you can override for the no behavior policy.

Table 18-50 Configuration Property for oracle/no_authentication_service_policy

Name: reference.priority
Description: See "reference.priority".
Default: None
Required?: Optional


18.7.12 oracle/wss_http_token_client_policy

Display Name: Wss HTTP Token Client Policy

Category: Security

Description

Includes credentials in the HTTP header for outbound client requests. The client must pass the credentials in the HTTP header. This policy can be enforced on any HTTP-based client.

Note:

Currently only HTTP basic authentication is supported.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.7.13 oracle/wss_http_token_service_policy

Description

Uses the credentials in the HTTP header to authenticate users against the OPSS identity store. This policy can be enforced on any HTTP-based endpoint.

The Web service must authenticate the supplied username and password credentials against the configured authentication source.

Note:

Currently only HTTP basic authentication is supported.
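The following Python is an added example written for this page (it is not code from Oracle or from OWSM) showing what the two HTTP token policies do with the Authorization header. The client-side function builds the Basic header and refuses to emit it for a non-TLS endpoint, since Basic only base64-encodes the credentials; the service-side function parses the header and verifies it against a constructed in-memory store that stands in for the OPSS identity store. The user entry, the endpoint URL and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the identity store (example data, not OPSS):
# username -> (salt, SHA-256(salt || password)). Plain text is never stored.
_USERS = {
    "weblogic": (b"salt-1", hashlib.sha256(b"salt-1" + b"welcome1").digest()),
}


def basic_auth_header(username: str, password: str, endpoint_url: str) -> str:
    """Client side: the Authorization header the client policy adds.
    Basic auth is base64, not encryption, so refuse non-TLS endpoints."""
    if urlsplit(endpoint_url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS transport")
    if ":" in username:
        raise ValueError("username must not contain ':' (it delimits user and password)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Service side: parse the Authorization header and verify the credentials.
    Returns the authenticated user name, or None. Only the Basic scheme is
    accepted; anything else (Bearer, Digest, malformed input) is rejected."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Hash even for unknown users so timing does not reveal whether a user exists.
    salt, expected = _USERS.get(username, (b"no-such-user", b"\x00" * 32))
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    if username in _USERS and hmac.compare_digest(digest, expected):
        return username
    return None
```

The base64 form of the header is reversible by anyone who can read the transport, which is why the client-side function insists on https before it will construct it.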

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.14 oracle/wss_username_token_client_policy

Display Name: Wss Username Token Client Policy

Category: Security

Description

Includes credentials in the WS-Security UsernameToken header for all outbound SOAP request messages. This policy can be attached to any SOAP-based client.

This policy supports plain text passwords. This client policy is analogous to the oracle/wss_username_token_service_policy service endpoint policy.

Note:

This policy transmits the password in clear text. Use it in low security situations only, or when you know that the transport is protected by some other mechanism (for example, SSL/TLS).

Alternatively, consider:

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.7.15 oracle/wss_username_token_service_policy

Display Name: Wss Username Token Service Policy

Category: Security

Description

Uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users. This policy supports plain text passwords.

Note:

This policy transmits the password in clear text. Use it in low security situations only, or when you know that the transport is protected by some other mechanism (for example, SSL/TLS).
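As an added example, not code from the page or from Oracle, the following Python builds the SOAP request that the UsernameToken client policy sends and verifies it the way the service policy would, using a constructed credential store in place of the identity store. It makes the clear-text concern above concrete: the password is readable in the serialized request. The envelope namespaces and the PasswordText type URI are the standard WS-Security ones; the store contents and the function names are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
for _prefix, _uri in (("env", ENV), ("wsse", WSSE)):
    ET.register_namespace(_prefix, _uri)

# Constructed credential store (example data standing in for the identity store).
_STORE = {"weblogic": "welcome1"}


def build_request(username: str, password: str, body_xml: str) -> str:
    """Client side: wrap body_xml in a SOAP Envelope whose Security header carries
    a UsernameToken with the password in clear text (Type=PasswordText)."""
    env = ET.Element(f"{{{ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{ENV}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT})
    pw.text = password
    ET.SubElement(env, f"{{{ENV}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def authenticate_request(soap_xml: str) -> Optional[str]:
    """Service side: locate the UsernameToken and verify it against the store.
    Returns the user name, or None when the token is missing, when more than one
    is present (do not guess which to trust), when the password type is not the
    plain text type this example accepts, or when the credentials are wrong."""
    root = ET.fromstring(soap_xml)
    tokens = root.findall(f"{{{ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if len(tokens) != 1:
        return None
    token = tokens[0]
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    pw = token.find(f"{{{WSSE}}}Password")
    if not user or pw is None or pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return None
    expected = _STORE.get(user, "")
    supplied = pw.text or ""
    # Constant-time comparison; the membership check runs after the compare so
    # unknown users cost the same as known ones.
    match = hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))
    return user if match and user in _STORE else None
```

Serializing the request and searching it for the password is the quickest way to convince a reviewer that this token type needs a protected transport.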

Alternatively, consider:

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.16 oracle/wss10_saml_token_client_policy

Display Name: Wss10 SAML Token Client Policy

Category: Security

Description

Includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.

Note:

This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.7.17 oracle/wss10_saml_token_service_policy

Display Name: Wss10 SAML Token Service Policy

Category: Security

Description

Authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.

Note:

This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.18 oracle/wss10_saml20_token_client_policy

Display Name: Wss10 SAML V2.0 Token Client Policy

Category: Security

Description

Includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.

Note:

This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.7.19 oracle/wss10_saml20_token_service_policy

Display Name: Wss10 SAML V2.0 Token Service Policy

Category: Security

Description

Authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.

Note:

This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.7.20 oracle/wss11_kerberos_token_client_policy

Display Name: Wss11 Kerberos Token Client Policy

Category: Security

Description

Includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.

Service principal names (SPN) are a key component in Kerberos authentication. SPNs are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, clients have no way of locating that service and Kerberos authentication is not possible.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Configure Kerberos, as described in "Configuring Kerberos Tokens".

  • Set the service principal name (service.principal.name). The service principal name specifies the name of the service principal for which the client requests a ticket from the KDC. For more information, see "Overriding Policy Configuration Properties".

  • If the Kerberos authentication is successful, then send the obtained Kerberos ticket and authenticator to the Web service enclosed in a BinarySecurityToken element in the SOAP Security header.

18.7.21 oracle/wss11_kerberos_token_service_policy

Display Name: Wss11 Kerberos Token Service Policy

Category: Security

Description

Extracts the Kerberos token from the SOAP header and authenticates the user. This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. The container must have the Kerberos infrastructure configured through OPSS. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.

Service principal names (SPN) are a key component in Kerberos authentication. SPNs are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, clients have no way of locating that service and Kerberos authentication is not possible.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8 Security Policies—Authorization Only

Table 18-51 summarizes the predefined OWSM authorization only security policies.

Table 18-51 Predefined OWSM Authorization Only Policies

Configuration Policy
    Description

oracle/binding_authorization_denyall_policy
    Simple role-based authorization at the SOAP binding level, based on the authenticated subject; denies every request.

oracle/binding_authorization_permitall_policy
    Simple role-based authorization at the SOAP binding level, based on the authenticated subject; permits every request.

oracle/binding_permission_authorization_policy
    Permission-based authorization at the SOAP binding level, based on the authenticated subject.

oracle/component_authorization_denyall_policy
    Simple role-based authorization for SCA-based endpoints, based on the authenticated subject; denies every request.

oracle/component_authorization_permitall_policy
    Simple role-based authorization for SCA-based endpoints, based on the authenticated subject; permits every request.

oracle/component_permission_authorization_policy
    Permission-based authorization for SCA-based endpoints, based on the authenticated subject.

oracle/no_authorization_component_policy
    When directly attached to a SOA component or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope.

oracle/no_authorization_service_policy
    When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions in addition to the authorization assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

oracle/whitelist_authorization_policy
    Accepts requests only if at least one of the following conditions is true:

      • The authenticated token is SAML Sender Vouches.

      • The user is in a particular role (the default is trustedEnterpriseRole), which establishes the user as a trusted entity.

      • The request is coming from within a private network.


18.8.1 oracle/binding_authorization_denyall_policy

Display Name: Binding Authorization DenyAll Policy

Category: Security

Description

Provides a simple role-based authorization policy based on the authenticated Subject at the SOAP binding level. This policy denies every request, regardless of the roles the subject holds. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.2 oracle/binding_authorization_permitall_policy

Display Name: Binding Authorization PermitAll Policy

Category: Security

Description

Provides a simple role-based authorization policy based on the authenticated Subject at the SOAP binding level. This policy permits every request, regardless of the roles the subject holds. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.3 oracle/binding_permission_authorization_policy

Display Name: Binding Permission Based Authorization Policy

Category: Security

Description

Provides a permission-based authorization policy based on the authenticated subject. This policy should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

This policy ensures that the subject has permission to perform the operation. To do this, the Authorization Policy executor leverages OPSS to check if the authenticated subject has been granted oracle.wsm.security.WSFunctionPermission (or whatever permission class is specified in Permission Check Class) using the Resource Pattern and Action Pattern as parameters. For more information, see "Determining Authorization Permissions".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.4 oracle/component_authorization_denyall_policy

Display Name: Component Authorization DenyAll Policy

Category: Security

Description

Provides a simple role-based authorization policy based on the authenticated subject. This policy denies every request, regardless of the roles the subject holds. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.5 oracle/component_authorization_permitall_policy

Display Name: Component Authorization PermitAll Policy

Category: Security

Description

Provides a simple role-based authorization policy based on the authenticated subject. This policy permits every request, regardless of the roles the subject holds. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.6 oracle/component_permission_authorization_policy

Display Name: Component Permission Based Authorization Policy

Category: Security

Description

Provides a permission-based authorization policy based on the authenticated Subject. This policy should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

This policy ensures that the subject has permission to perform the operation. To do this, the Authorization Policy executor leverages OPSS to check if the authenticated subject has been granted oracle.wsm.security.WSFunctionPermission (or whatever permission class is specified in Permission Check Class) using the Resource Pattern and Action Pattern as parameters. Resource Pattern and Action Pattern are used to identify if the authorization assertion is to be enforced for this particular request. Access is allowed if the authenticated subject has been granted WSFunctionPermission. For more information, see "Determining Authorization Permissions".

You can grant the WSFunctionPermission permission to a user, a group, or an application role. If you grant WSFunctionPermission to a user or group it will apply to all applications that are deployed in the domain.
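To make the permission check described for both permission-based policies concrete, the following Python is an added model of that check; it is not OPSS or OWSM code, and the FunctionPermission class is a hypothetical stand-in for oracle.wsm.security.WSFunctionPermission. It assumes that a resource is named like "default/OrderApp/OrderService", that the actions field is a comma-separated list of operation names with "*" meaning any operation, and that Resource Pattern and Action Pattern use shell-style wildcards; the grant table is constructed data.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FunctionPermission:
    """Illustrative model (hypothetical, not the OPSS class) of a grant of
    oracle.wsm.security.WSFunctionPermission: a resource pattern such as
    'default/OrderApp/OrderService' and a comma-separated action list of
    operation names, '*' meaning any operation."""
    resource: str
    actions: str

    def implies(self, resource: str, action: str) -> bool:
        if not fnmatchcase(resource, self.resource):
            return False
        return any(a.strip() in ("*", action) for a in self.actions.split(","))


# Constructed grant table: principal -> grants. Principals are users, groups or
# application roles; a grant to a user or group applies to every application in
# the domain, a grant to an application role only within that application.
_GRANTS: Dict[str, List[FunctionPermission]] = {
    "app-role:OrderReaders": [FunctionPermission("default/OrderApp/OrderService", "getOrder,listOrders")],
    "group:Operators": [FunctionPermission("default/*/*", "*")],
}


def authorize(subject: Iterable[str], resource: str, action: str,
              resource_pattern: str = "*", action_pattern: str = "*") -> bool:
    """Permission-based authorization as the policy describes it: the Resource
    Pattern and Action Pattern first decide whether the assertion applies to this
    request at all; if it does, some principal of the authenticated subject must
    hold a grant that implies (resource, action). Denying an empty subject first
    is this example's choice; the policy itself assumes an authentication
    assertion has already established the subject."""
    principals = list(subject)
    if not principals:
        return False
    if not (fnmatchcase(resource, resource_pattern) and fnmatchcase(action, action_pattern)):
        return True  # outside the assertion's scope: nothing to enforce for this request
    return any(grant.implies(resource, action)
               for p in principals for grant in _GRANTS.get(p, ()))
```

The scope check is the part that surprises people: a request that does not match the configured patterns is not denied, it is simply not subject to this assertion, so patterns should be written at least as broad as the operations you mean to protect.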

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.8.7 oracle/no_authorization_component_policy

Display Name: No Behavior Authorization Component Policy

Category: Security

Description

When directly attached to a SOA component or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled as well. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-52 lists the configuration property that you can override for the no behavior policy.

Table 18-52 Configuration Property for oracle/no_authorization_component_policy

Name                 Description                  Default   Required?
reference.priority   See "reference.priority".    None      Optional


18.8.8 oracle/no_authorization_service_policy

Display Name: No Behavior Authorization Service Policy

Category: Security

Description

When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-53 lists the configuration property that you can override for the no behavior policy.

Table 18-53 Configuration Property for oracle/no_authorization_service_policy

Name                 Description                  Default   Required?
reference.priority   See "reference.priority".    None      Optional


18.8.9 oracle/whitelist_authorization_policy

Display Name: Constraints Based Authorization Policy

Category: Security

Description

This policy is a special case of the role-based authorization policy that adds constraints on the token type and on the request origin. This policy can be attached to any SOAP-based endpoint.

Accepts requests only if one of the following conditions is true:

  • The authenticated token is SAML Sender Vouches.

  • The user is in a particular role (the default is trustedEnterpriseRole), which establishes the user as a trusted entity.

  • The request is coming from within a private network.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

  • To successfully invoke a service that has the whitelist_authorization_policy attached, you must do one of the following:

    • If the service accepts SAML sender vouches for authentication (for example, a SAML token service policy is attached to the service), you must attach the corresponding SAML token client policy to the client.

    • If the service accepts username/password for authentication (for example, a username token service policy is attached to the service), you must attach the corresponding username token client policy to the client and make sure that the client is in a trusted role as defined in the policy. By default, the role defined in the predefined policy is trustedEnterpriseRole; because the predefined policies are read only, to use a different role copy the policy and change the role in the copy.

    • If the service is invoked using Oracle HTTP Server, and it is configured to indicate that the request came from a private internal network (see "Configuring the Oracle HTTP Server to Specify the Request Origin"), then a client on the internal network only has to attach the corresponding username token client policy at the client side.

  • To set up OPSS:

    • If you specify one or more of the WebLogic Server enterprise roles, the authenticated subject must already have that role. You use the WebLogic Server Administration Console to grant a role to a user or group, as described in the Oracle WebLogic Server Administration Console Online Help.

    • You must configure a WebLogic Authentication provider, as described in "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help.

    • The Constraint Pattern property setting contains a requestOrigin field that specifies whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP Server administrator has added a custom VIRTUAL_HOST_TYPE header to the request. To configure the Oracle HTTP Server, see "Configuring the Oracle HTTP Server to Specify the Request Origin".
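An added example (not Oracle code) of the decision this policy makes, in Python: a request passes if any one of the three conditions holds. The only condition that depends on transport metadata is the request origin, and the example derives it from the VIRTUAL_HOST_TYPE header only when the request is known to have arrived through Oracle HTTP Server, because a client that reaches the container directly can set that header itself. The header values "internal"/"external", the token type labels and the RequestContext class are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption for this example: Oracle HTTP Server marks requests with a
# VIRTUAL_HOST_TYPE header whose value is "internal" or "external".
INTERNAL = "internal"


@dataclass
class RequestContext:
    principals: List[str]                 # roles established by the preceding authentication assertion
    token_type: str                       # e.g. "saml-sender-vouches", "username-token", "http-basic"
    headers: Dict[str, str] = field(default_factory=dict)
    via_oracle_http_server: bool = False  # True only when the hop before us is the OHS that sets the header


def request_origin(ctx: RequestContext) -> str:
    """Derive requestOrigin for the Constraint Pattern. The header is trusted only
    when the request came through Oracle HTTP Server; a direct caller could add
    the same header, so on any other path the origin is treated as external."""
    if not ctx.via_oracle_http_server:
        return "external"
    value = ctx.headers.get("VIRTUAL_HOST_TYPE", "").lower()
    return INTERNAL if value == INTERNAL else "external"


def constraints_authorize(ctx: RequestContext, trusted_role: str = "trustedEnterpriseRole") -> bool:
    """oracle/whitelist_authorization_policy decision: accept when any one of the
    three conditions holds, otherwise deny."""
    if ctx.token_type == "saml-sender-vouches":
        return True
    if trusted_role in ctx.principals:
        return True
    return request_origin(ctx) == INTERNAL
```

The practical consequence of the origin rule is that the OHS in front of the service must set VIRTUAL_HOST_TYPE unconditionally (overwriting anything the client sent) and that no other route to the container should be reachable from outside, or the third condition becomes a bypass of the first two.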

18.9 Security Policies—Message Protection Only

Table 18-54 summarizes the predefined OWSM message protection only security policies.

Table 18-54 Predefined OWSM Message Protection Only Policies

Configuration Policy
    Description

oracle/no_messageprotection_client_policy
    When directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope.

oracle/no_messageprotection_service_policy
    When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope.

oracle/wss10_message_protection_client_policy
    Provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_message_protection_service_policy
    Enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss11_message_protection_client_policy
    Provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_message_protection_service_policy
    Enforces message integrity and confidentiality for inbound SOAP requests in accordance with the WS-Security 1.1 standard.


18.9.1 oracle/no_messageprotection_client_policy

Display Name: No Behavior Message Protection Client Policy

Category: Security

Description

When directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no_behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-55 lists the configuration property that you can override for the no behavior policy.

Table 18-55 Configuration Property for oracle/no_messageprotection_client_policy

Name                 Description                  Default   Required?
reference.priority   See "reference.priority".    None      Optional


18.9.2 oracle/no_messageprotection_service_policy

Display Name: No Behavior Message Protection Service Policy

Category: Security

Description

When directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

This policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-56 lists the configuration property that you can override for the no behavior policy.

Table 18-56 Configuration Property for oracle/no_messageprotection_service_policy

Name                 Description                  Default   Required?
reference.priority   See "reference.priority".    None      Optional


18.9.3 oracle/wss10_message_protection_client_policy

Display Name: Wss10 Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses the Basic128 algorithm suite with asymmetric (public key) bindings: RSA key transport for message confidentiality, SHA-1 digests with RSA signatures for message integrity, and AES-128 for encrypting the message content. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header. In this example, the body element of the SOAP message is signed.

Example 18-2 WS-Security 1.0 Message Integrity of SOAP Message

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <dsig:SignedInfo>
  <dsig:CanonicalizationMethod
   Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <dsig:Reference URI="#Timestamp-...">
     <dsig:Transforms>
       <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     </dsig:Transforms>
     <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <dsig:DigestValue>...</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#Body-...">
     <dsig:Transforms>
         <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     </dsig:Transforms>
     <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <dsig:DigestValue>...</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#KeyInfo-...">
   <dsig:Transforms>
     <dsig:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
       <TransformationParameters xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
       </TransformationParameters>
     </dsig:Transform>
   </dsig:Transforms>
   <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <dsig:DigestValue>...</dsig:DigestValue>
  </dsig:Reference>
 </dsig:SignedInfo>
 <dsig:SignatureValue>....</dsig:SignatureValue>
 <dsig:KeyInfo Id="KeyInfo-...">
     <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
...</wsse:KeyIdentifier>
     </wsse:SecurityTokenReference>
 </dsig:KeyInfo>
</dsig:Signature>
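The signature in Example 18-2 covers elements by wsu:Id reference. As an added example (not code from Oracle; the cryptographic verification of SignatureValue is done by the WS-Security runtime and is not repeated here), the following Python performs the structural check that has to accompany that verification: every Reference URI must resolve to exactly one element, and the Reference that is supposed to cover the Body must resolve to the Envelope's own Body, not to an element with the same Id placed elsewhere in the message. The sample messages are constructed, with digests and signature values elided.

```python
import xml.etree.ElementTree as ET
from typing import Dict

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def _index_ids(root: ET.Element) -> Dict[str, list]:
    """Every element keyed by its wsu:Id or Id; a list so duplicates stay visible."""
    index: Dict[str, list] = {}
    for elem in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id"):
            value = elem.get(attr)
            if value is not None:
                index.setdefault(value, []).append(elem)
    return index


def resolve_references(root: ET.Element) -> Dict[str, ET.Element]:
    """Map each SignedInfo/Reference URI ('#id') to the single element it names.
    Raises ValueError when a URI names zero or several elements, the cases in
    which 'the signature verified' says nothing about which content was signed."""
    sig = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security/{{{DSIG}}}Signature")
    if sig is None:
        raise ValueError("no Signature in the Security header")
    index = _index_ids(root)
    resolved = {}
    for ref in sig.findall(f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"unsupported Reference URI {uri!r}")
        targets = index.get(uri[1:], [])
        if len(targets) != 1:
            raise ValueError(f"Reference {uri} resolves to {len(targets)} elements")
        resolved[uri[1:]] = targets[0]
    return resolved


def body_is_signed(envelope_xml: str) -> bool:
    """True only if a signed Reference resolves to the Envelope's own Body
    element, not to a same-Id element placed elsewhere in the message."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{ENV}}}Body")
    if body is None:
        return False
    return any(elem is body for elem in resolve_references(root).values())


def _envelope(body_attr: str, body_text: str, extra_header: str = "") -> str:
    """Constructed message modelled on Example 18-2 (digests and signature elided)."""
    return f"""<env:Envelope xmlns:env="{ENV}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:dsig="{DSIG}">
 <env:Header>
  <wsse:Security>
   <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
   <dsig:Signature>
    <dsig:SignedInfo>
     <dsig:Reference URI="#Timestamp-1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference>
     <dsig:Reference URI="#Body-1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>...</dsig:SignatureValue>
   </dsig:Signature>{extra_header}
  </wsse:Security>
 </env:Header>
 <env:Body{body_attr}><m:Echo xmlns:m="urn:example">{body_text}</m:Echo></env:Body>
</env:Envelope>"""


SIGNED_REQUEST = _envelope(' wsu:Id="Body-1"', "hello")
# Same Signature element, but the signed Body has been moved under the Security
# header and an unsigned Body with different content put in its place.
WRAPPED_REQUEST = _envelope("", "transfer", extra_header=(
    '\n   <Wrapper><env:Body wsu:Id="Body-1"><m:Echo xmlns:m="urn:example">hello</m:Echo></env:Body></Wrapper>'))
```

The identity comparison (`elem is body`) is deliberate: the question is not whether some element called Body-1 was signed, but whether the element the service is about to dispatch is the one the digest was computed over.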

Example 18-3 shows the typical structure of the encryption elements in a message that conforms to the WS-Security 1.0 standard. In this example the content of the body element is encrypted (the EncryptedData Type is xmlenc#Content), so the env:Body element itself stays visible while its children are replaced by EncryptedData. The EncryptionMethod shown is aes256-cbc; the cipher actually used follows the algorithm suite configured for the policy (see "Supported Algorithm Suites").

Example 18-3 WS-Security 1.0 Message Confidentiality of SOAP Message

<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-JA9fsCRnqbFJ0ocBAMKb7g22">
 <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="...">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
 </xenc:EncryptedData>
</env:Body>

18.9.4 oracle/wss10_message_protection_service_policy

Display Name: Wss10 Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The messages are protected using the Basic128 algorithm suite with asymmetric (public key) bindings: RSA key transport for message confidentiality, SHA-1 digests with RSA signatures for message integrity, and AES-128 for encrypting the message content. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.9.5 oracle/wss11_message_protection_client_policy

Display Name: Wss11 Message Protection Client Policy

Category: Security

Description

Provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and the Basic128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Symmetric key cryptography uses the same shared key to encrypt and decrypt data. Here the client generates that key for the message, uses it both to encrypt the message and to sign it, and sends it to the service encrypted under the service's public key (the EncryptedKey element in Example 18-4), so only the holder of the matching private key can recover it.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • Set up the Web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and Web service's respective keystores already contain digital certificates containing each other's public key.

  • This policy signs and encrypts with a symmetric key, as described above; the key is generated by the client and delivered to the service encrypted under the service's public key (the EncryptedKey element in Example 18-4), which is why the client keystore must hold the service's certificate.

  • Configure the policy assertion for message signing, message encryption, or both.

Example 18-4 shows the typical structure of the encryption elements in a message that conforms to the WS-Security 1.1 standard: the EncryptedKey in the Security header carries the symmetric key, and the EncryptedData in the body refers back to it. In this example, the content of the body element is encrypted.

Example 18-4 WS-Security 1.1 Message Confidentiality of SOAP Message

<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK-...">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" />
  </xenc:EncryptionMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#_..." />
  </xenc:ReferenceList>
</xenc:EncryptedKey>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body-...">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="...">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:Reference URI="#EK-..." ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
      </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</env:Body>
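The cryptographic steps behind Example 18-4, as an added example that is not Oracle code and not an OWSM API: the client generates a one-time AES-256 key, wraps it for the service with RSA-OAEP using SHA-1 as digest and MGF1 hash (the rsa-oaep-mgf1p identifier), names the service certificate by the SHA-1 thumbprint of its DER encoding (the ThumbprintSHA1 key identifier), signs the body with HMAC-SHA1 under that same key and encrypts the body with AES-256-CBC; the service resolves the thumbprint to its keystore entry, unwraps the key, decrypts and verifies. XML serialization is left out, and the self-signed service certificate, the function names and the message layout are this example's own constructions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// ProtectedMessage holds what Example 18-4 carries: key identifier, wrapped key, encrypted body, signature.
type ProtectedMessage struct {
	ThumbprintSHA1 string // wsse:KeyIdentifier, ValueType #ThumbprintSHA1, base64
	EncryptedKey   []byte // EncryptedKey/CipherValue: RSA-OAEP with SHA-1 digest and MGF1-SHA1
	IV             []byte // XML Encryption prepends this to the CBC CipherValue
	EncryptedBody  []byte // EncryptedData/CipherValue: aes256-cbc, PKCS#7 padded
	Signature      []byte // HMAC-SHA1 over the plaintext body under the same symmetric key
}

var errProtection = errors.New("message protection check failed") // one fault for every failure

// serviceIdentity is a constructed stand-in for the service keystore entry (not an Oracle API).
func serviceIdentity() (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// thumbprintSHA1 is the ThumbprintSHA1 key identifier: SHA-1 over the DER-encoded certificate.
func thumbprintSHA1(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// protect is the client side: one fresh 256-bit key, wrapped for the service, signs the body and encrypts it.
func protect(serviceCert *x509.Certificate, body []byte) (*ProtectedMessage, error) {
	pub := serviceCert.PublicKey.(*rsa.PublicKey) // the constructed keystore entry is RSA
	secret := make([]byte, 32+aes.BlockSize)     // AES-256 key followed by a random IV
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	key, iv := secret[:32], secret[32:]
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil) // rsa-oaep-mgf1p
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha1.New, key) // sign before encrypt, the WS-SecurityPolicy default layout
	mac.Write(body)
	pad := aes.BlockSize - len(body)%aes.BlockSize
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return &ProtectedMessage{thumbprintSHA1(serviceCert), wrapped, iv, ct, mac.Sum(nil)}, nil
}

// unprotect is the service side: the thumbprint must resolve to the keystore certificate,
// then unwrap, decrypt, strip padding and verify the signature over the plaintext.
func unprotect(cert *x509.Certificate, priv *rsa.PrivateKey, msg *ProtectedMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, msg.EncryptedKey, nil)
	n := len(msg.EncryptedBody)
	if msg.ThumbprintSHA1 != thumbprintSHA1(cert) || err != nil || len(key) != 32 ||
		len(msg.IV) != aes.BlockSize || n == 0 || n%aes.BlockSize != 0 {
		return nil, errProtection
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, msg.IV).CryptBlocks(pt, msg.EncryptedBody)
	pad := int(pt[n-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[n-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errProtection
	}
	body := pt[:n-pad]
	mac := hmac.New(sha1.New, key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), msg.Signature) {
		return nil, errProtection
	}
	return body, nil
}
```

Because the service has to decrypt before it can verify the HMAC, the example reports an unknown thumbprint, a bad padding byte and a bad signature with the same generic fault: distinguishing them in the fault would let a caller use the endpoint as a padding oracle against aes256-cbc. The SHA-1 digest in OAEP and the SHA-1 thumbprint follow the algorithm identifiers that appear in Example 18-4.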

18.9.6 oracle/wss11_message_protection_service_policy

Display Name: Wss11 Message Protection Service Policy

Category: Security

Description

Enforces message integrity and confidentiality for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10 Security Policies—Messages Protection and Authentication

Table 18-57 summarizes the predefined OWSM message protection and authentication security policies.

Table 18-57 Predefined OWSM Message Protection and Authentication Policies

Configuration Policy Description

oracle/pii_security_policy

Reserved for future use.

oracle/sts_trust_config_client_policy

Specifies the STS client configuration information that is used to invoke the STS for token exchange.

oracle/sts_trust_config_service_policy

Specifies the STS configuration information that is used to invoke the STS for token exchange.

oracle/wss_saml_bearer_or_username_token_service_policy

Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the bearer confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

oracle/wss_saml_or_username_token_service_policy

Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

oracle/wss_saml_or_username_token_over_ssl_service_policy

Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

oracle/wss_saml_token_bearer_client_policy

Includes SAML tokens in outbound SOAP request messages.

oracle/wss_saml_token_bearer_over_ssl_client_policy

Includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.

oracle/wss_saml_token_bearer_over_ssl_service_policy

Authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

oracle/wss_http_token_over_ssl_client_policy

Includes credentials in the HTTP header for outbound client requests, authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS.

oracle/wss_http_token_over_ssl_service_policy

Extracts the credentials in the HTTP header and authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS.

oracle/wss_saml_token_over_ssl_client_policy

Includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type.

oracle/wss_saml_token_over_ssl_service_policy

Enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.

oracle/wss_saml20_token_bearer_over_ssl_client_policy

Includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.

oracle/wss_saml20_token_bearer_over_ssl_service_policy

Authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header, and verifies that the transport protocol provides SSL message protection.

oracle/wss_saml20_token_over_ssl_client_policy

Includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.

oracle/wss_saml20_token_over_ssl_service_policy

Enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection.

oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy

Inserts a SAML bearer assertion issued by a trusted STS.

oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

Authenticates a SAML bearer assertion issued by a trusted STS.

oracle/wss_username_token_over_ssl_client_policy

Includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection.

oracle/wss_username_token_over_ssl_service_policy

Uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection.

oracle/wss_username_token_over_ssl_wssc_client_policy

Includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection. This policy has secure conversation enabled.

oracle/wss_username_token_over_ssl_wssc_service_policy

Uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection. This policy has secure conversation enabled.

oracle/wss10_saml_hok_token_with_message_protection_client_policy

Provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_hok_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_integrity_client_policy

Provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_integrity_service_policy

Enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_protection_client_policy

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml20_token_with_message_protection_client_policy

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

oracle/wss10_saml20_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_username_id_propagation_with_msg_protection_client_policy

Provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_username_id_propagation_with_msg_protection_service_policy

Enforces message level protection (i.e., integrity and confidentiality) and identity propagation for inbound SOAP requests using mechanisms described in WS-Security 1.0.

oracle/wss10_username_token_with_message_protection_client_policy

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_username_token_with_message_protection_service_policy

Enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy

Enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_x509_token_with_message_protection_client_policy

Provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss10_x509_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

oracle/wss11_kerberos_token_with_message_protection_client_policy

Includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

oracle/wss11_kerberos_token_with_message_protection_service_policy

Enforces Kerberos token authentication and uses Kerberos keys to verify message integrity and confidentiality for inbound SOAP requests, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy

Includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy

Enforces Kerberos token authentication and uses Kerberos keys to verify message integrity and confidentiality for inbound SOAP requests, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on the type of token the client sends (SAML, username, or HTTP):

  • SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

  • Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

  • SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.

  • Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.

  • HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.

oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.

oracle/wss11_saml_token_with_message_protection_client_policy

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.

oracle/wss11_saml_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_saml_token_with_message_protection_wssc_client_policy

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. This policy has secure conversation enabled.

oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. This policy has secure conversation enabled, with re-authentication.

oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. This policy has secure conversation enabled, with re-authentication.

oracle/wss11_saml20_token_with_message_protection_client_policy

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1.

oracle/wss11_saml20_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy

Inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

Authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service).

oracle/wss11_username_token_with_message_protection_client_policy

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

oracle/wss11_username_token_with_message_protection_service_policy

Enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_username_token_with_message_protection_wssc_client_policy

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_username_token_with_message_protection_wssc_service_policy

Enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_x509_token_with_message_protection_client_policy

Provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_x509_token_with_message_protection_service_policy

Enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_x509_token_with_message_protection_wssc_client_policy

Provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

oracle/wss11_x509_token_with_message_protection_wssc_service_policy

Enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.


18.10.1 oracle/pii_security_policy

Display Name: PII Security Policy

Category: Security

Description

Reserved for future use.

18.10.2 oracle/sts_trust_config_client_policy

Display Name: STS Trust Configuration Client Policy

Category: Security

Description

Specifies the STS client configuration information that is used to invoke the STS for token exchange.

Use this policy only if you are not using Automatic (Client STS) Policy Configuration, as described in "Setting Up Automatic Policy Configuration for STS".

If you attach multiple instances of oracle/sts_trust_config_client_policy, no error is generated. However, only one instance is enforced, and you cannot control which instance that is.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time, you can set up and attach the oracle/sts_trust_config_client_policy policy programmatically, as shown in Example 18-5 and Example 18-6.

Example 18-5 Sample JSE Proxy Client

// Standard imports used by this fragment; ServiceDelegateImpl, OracleService and
// ClientConstants are Oracle client classes that must be on the classpath.
import java.io.File;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

// Endpoint of the target service (getWebConnectionString() supplies scheme, host and port).
URL endpointUrl = new URL(getWebConnectionString() + "/jaxws-test-service/jaxws-test-port");

// Create the service from its WSDL and the service QName.
ServiceDelegateImpl client = new ServiceDelegateImpl(
    new URL(endpointUrl.toString() + "?WSDL"),
    new QName("http://jaxws.example.com/targetNamespace/JaxwsService", "JaxwsService"),
    OracleService.class);

// Obtain the port proxy for the port QName.
JaxwsService port = client.getPort(
    new QName("http://jaxws.example.com/targetNamespace/JaxwsService", "JaxwsServicePort"),
    test.jaxws.client.JaxwsService.class);

// Point the proxy at the endpoint, then attach the client policy configuration
// (Example 18-6) by passing the parsed root element of oracle-webservice-client.xml
// under ClientConstants.CLIENT_CONFIG. fileToElement is a helper, not shown here,
// that parses the file into a DOM Element.
((BindingProvider) port).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointUrl.toExternalForm());
((BindingProvider) port).getRequestContext().put(ClientConstants.CLIENT_CONFIG,
    fileToElement(new File("./jaxws/client/dat/oracle-webservice-client.xml")));

The related oracle-webservice-client.xml file, which references both the STS trust configuration policy and the STS-issued token policy, is shown in Example 18-6.

Example 18-6 Sample oracle-webservice-client.xml

<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients>
    <webservice-client>
        <port-info>
            <policy-references>
                <policy-reference uri="oracle/sts_trust_config_client_policy" category="security"/>
                <policy-reference uri="oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy" category="security"/>
             </policy-references>
        </port-info>
    </webservice-client>
</oracle-webservice-clients>

18.10.3 oracle/sts_trust_config_service_policy

Display Name: STS Trust Configuration Service Policy

Category: Security

Description

Specifies the STS configuration information that is used to invoke the STS for token exchange.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.4 oracle/wss_saml_bearer_or_username_token_service_policy

Display Name: WSSecurity SAML Token Bearer or WSSecurity UserName Token

Category: Security

Description

Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the bearer confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

Assertion Templates (OR Group)

This policy contains the following assertion templates as an OR group, meaning either one of the tokens can be sent by the client:

18.10.5 oracle/wss_saml_or_username_token_service_policy

Display Name: Wss SAML Token or Wss Username Token Service Policy

Category: Security

Description

Enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

Assertion Templates (OR Group)

This policy contains the following assertion templates, as an OR group—meaning either one of the tokens can be sent by the client:

Configuration

For information about configuring this policy, refer to the following policy descriptions:

18.10.6 oracle/wss_saml_or_username_token_over_ssl_service_policy

Display Name: Wss SAML Token or Wss Username Token Over SSL Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.

Assertion Templates (OR Group)

This policy contains the following assertion templates as an OR group—meaning either one of the tokens can be sent by the client:

Configuration

For information about configuring this policy, refer to the following policy descriptions:

18.10.7 oracle/wss_saml_token_bearer_client_policy

Display Name: Wss SAML Token (confirmation method as bearer) Client Policy

Category: Security

Description

Includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.8 oracle/wss_saml_token_bearer_over_ssl_client_policy

Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Client Policy

Category: Security

Description

Includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.9 oracle/wss_saml_token_bearer_over_ssl_service_policy

Display Name: Wss SAML Token (confirmation method as bearer) Over SSL Service Policy

Category: Security

Description

Authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.

The SAML login module extracts the username from the verified token and passes it to the Authentication provider.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.10 oracle/wss_http_token_over_ssl_client_policy

Display Name: Wss HTTP Token Over SSL Client Policy

Category: Security

Description

Includes credentials in the HTTP header for outbound client requests, authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS. The client must pass the credentials in the HTTP header.

Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client.

Note:

Currently only HTTP basic authentication is supported.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.11 oracle/wss_http_token_over_ssl_service_policy

Display Name: Wss HTTP Token Over SSL Service Policy

Category: Security

Description

Extracts the credentials in the HTTP header and authenticates users against the OPSS identity store, and verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.

Notes:

This policy functions similarly to oracle/http_basic_auth_over_ssl_service_policy. The only difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element, which requires a timestamp in the WS-Security SOAP header so that a captured request cannot be replayed; a SOAP header timestamp is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls".

Currently only HTTP basic authentication is supported.
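The replay check that the include-timestamp setting above relies on, as an added example that is not part of this page and not OWSM code: a Go replay guard that reads the wsu:Timestamp from a wsse:Security header, enforces a bounded Created/Expires window against the service clock with a tolerated skew, and refuses a Security header it has already accepted while that header could still be valid. The element names and namespaces are the standard WS-Security ones; the guard's parameters (MaxSkew, MaxTTL), its error values, the function names and the sample header are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrMissingTimestamp = errors.New("wsu:Timestamp required but absent")
	ErrBadTimestamp     = errors.New("wsu:Timestamp malformed or its window too long")
	ErrNotYetValid      = errors.New("wsu:Created lies in the future beyond the allowed skew")
	ErrExpired          = errors.New("wsu:Expires has passed")
	ErrReplay           = errors.New("identical Security header already accepted")
)

// securityHeader maps only the part of wsse:Security that this check reads.
type securityHeader struct {
	XMLName   xml.Name `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd Security"`
	Timestamp *struct {
		Created string `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd Created"`
		Expires string `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd Expires"`
	} `xml:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd Timestamp"`
}

// ReplayGuard enforces a fresh wsu:Timestamp and remembers every accepted
// header until it can no longer be valid, so a captured message cannot be resent.
type ReplayGuard struct {
	MaxSkew time.Duration // clock difference tolerated between client and service
	MaxTTL  time.Duration // longest Created..Expires window a client may claim
	mu      sync.Mutex
	seen    map[string]time.Time // SHA-256 of an accepted header -> when it may be forgotten
}

func NewReplayGuard(maxSkew, maxTTL time.Duration) *ReplayGuard {
	return &ReplayGuard{MaxSkew: maxSkew, MaxTTL: maxTTL, seen: map[string]time.Time{}}
}

// Check validates the timestamp against the service clock (now) and records the
// header. Freshness is checked first so that stale messages never enter the cache.
func (g *ReplayGuard) Check(header []byte, now time.Time) error {
	var hdr securityHeader
	if err := xml.Unmarshal(header, &hdr); err != nil {
		return fmt.Errorf("%w: %v", ErrBadTimestamp, err)
	}
	if hdr.Timestamp == nil {
		return ErrMissingTimestamp
	}
	created, err1 := time.Parse(time.RFC3339, hdr.Timestamp.Created)
	expires, err2 := time.Parse(time.RFC3339, hdr.Timestamp.Expires)
	if err1 != nil || err2 != nil || !expires.After(created) || expires.Sub(created) > g.MaxTTL {
		return ErrBadTimestamp
	}
	if created.After(now.Add(g.MaxSkew)) {
		return ErrNotYetValid
	}
	forget := expires.Add(g.MaxSkew) // after this instant the header is rejected anyway
	if !now.Before(forget) {
		return ErrExpired
	}
	sum := sha256.Sum256(header)
	id := hex.EncodeToString(sum[:])

	g.mu.Lock()
	defer g.mu.Unlock()
	for k, until := range g.seen { // evict entries that can no longer be replayed
		if !now.Before(until) {
			delete(g.seen, k)
		}
	}
	if _, dup := g.seen[id]; dup {
		return ErrReplay
	}
	g.seen[id] = forget
	return nil
}

// buildHeader constructs a minimal wsse:Security header (sample input, not a captured message).
func buildHeader(created, expires time.Time) []byte {
	const tmpl = `<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="TS-1"><wsu:Created>%s</wsu:Created><wsu:Expires>%s</wsu:Expires></wsu:Timestamp></wsse:Security>`
	return []byte(fmt.Sprintf(tmpl, created.UTC().Format(time.RFC3339), expires.UTC().Format(time.RFC3339)))
}

func main() {
	guard := NewReplayGuard(2*time.Minute, 5*time.Minute)
	now := time.Now()
	hdr := buildHeader(now.Add(-time.Second), now.Add(4*time.Minute))
	fmt.Println("first delivery:", guard.Check(hdr, now))
	fmt.Println("replayed copy: ", guard.Check(hdr, now))
}
```

The cache is keyed on a digest of the whole Security header, which catches a byte-for-byte resend; where the message signature is verified separately, keying on the signature value is the usual choice. Entries live only until Expires plus the skew, so MaxTTL also bounds how much cache a client can make the service hold.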

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.12 oracle/wss_saml_token_over_ssl_client_policy

Display Name: Wss SAML Token Over SSL Client Policy

Category: Security

Description

Includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.13 oracle/wss_saml_token_over_ssl_service_policy

Display Name: Wss SAML Token Over SSL Service Policy

Category: Security

Description

Enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection. The SAML token is mapped to a user in the configured identity store. This policy can be enforced on any SOAP-based endpoint.

The SAML login module extracts the username from the verified token and passes it to the Authentication provider.
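The confirmation-method check and username extraction that the bearer (18.10.9) and sender-vouches (18.10.13) service policies rely on, as an added example that is not Oracle's SAML login module: a Go routine that reads the subject from a SAML 1.1 or SAML 2.0 assertion, refuses a confirmation method the attached policy does not allow, requires the Conditions window to contain the current time, and returns the name to hand to the identity store. It assumes the assertion's signature has already been verified (not shown), treats an assertion without both Conditions bounds as invalid, and uses a constructed, unsigned sample assertion; the function names and URN constants are the example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

const (
	saml1NS = "urn:oasis:names:tc:SAML:1.0:assertion" // used by SAML 1.0 and 1.1 assertions
	saml2NS = "urn:oasis:names:tc:SAML:2.0:assertion"
	// Confirmation-method URNs from the SAML 1.x and 2.0 specifications.
	Bearer1        = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
	SenderVouches1 = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
	Bearer2        = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
	SenderVouches2 = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
)

// subject covers both layouts: SAML 1.x uses NameIdentifier and a ConfirmationMethod
// child element, SAML 2.0 uses NameID and a Method attribute.
type subject struct {
	NameIdentifier string `xml:"NameIdentifier"`
	NameID         string `xml:"NameID"`
	Confirmation   struct {
		ConfirmationMethod string `xml:"ConfirmationMethod"`
		Method             string `xml:"Method,attr"`
	} `xml:"SubjectConfirmation"`
}

// assertion maps the elements the login module needs; the tags carry no namespace,
// so one struct reads both versions and the root namespace tells them apart.
type assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
	Subject1 subject `xml:"AuthenticationStatement>Subject"` // SAML 1.x: Subject inside the statement
	Subject2 subject `xml:"Subject"`                         // SAML 2.0: Subject under Assertion
}

// Subject is what the login module extracts from a verified assertion.
type Subject struct {
	NameID, Confirmation    string
	NotBefore, NotOnOrAfter string // xs:dateTime text as found in Conditions
}

func parseSubject(doc string) (*Subject, error) {
	var a assertion
	if err := xml.Unmarshal([]byte(doc), &a); err != nil {
		return nil, err
	}
	s := &Subject{NotBefore: a.Conditions.NotBefore, NotOnOrAfter: a.Conditions.NotOnOrAfter}
	switch a.XMLName.Space {
	case saml1NS:
		s.NameID, s.Confirmation = a.Subject1.NameIdentifier, a.Subject1.Confirmation.ConfirmationMethod
	case saml2NS:
		s.NameID, s.Confirmation = a.Subject2.NameID, a.Subject2.Confirmation.Method
	default:
		return nil, fmt.Errorf("unsupported assertion namespace %q", a.XMLName.Space)
	}
	s.NameID, s.Confirmation = strings.TrimSpace(s.NameID), strings.TrimSpace(s.Confirmation)
	return s, nil
}

// authenticate is the decision the service-side SAML policies make once the token
// signature has been verified (assumed here): the confirmation method must be one
// the attached policy allows and the Conditions window must contain now; the
// returned name is what the login module passes to the identity store.
func authenticate(doc string, allowedMethods []string, now time.Time) (string, error) {
	s, err := parseSubject(doc)
	if err != nil {
		return "", err
	}
	allowed := false
	for _, m := range allowedMethods {
		allowed = allowed || m == s.Confirmation
	}
	if !allowed {
		return "", fmt.Errorf("confirmation method %q is not accepted by this policy", s.Confirmation)
	}
	nb, err1 := time.Parse(time.RFC3339, s.NotBefore)
	na, err2 := time.Parse(time.RFC3339, s.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return "", fmt.Errorf("assertion has no valid Conditions window containing %s", now.Format(time.RFC3339))
	}
	if s.NameID == "" {
		return "", fmt.Errorf("assertion names no subject")
	}
	return s.NameID, nil
}

// sampleAssertion builds a constructed, unsigned SAML 1.1 assertion for the given
// confirmation method (a real token carries an XML signature over the assertion).
func sampleAssertion(method string) string {
	return `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="idp.example.com" IssueInstant="2024-01-01T11:59:00Z">
<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2024-01-01T11:59:00Z">
<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>` + method + `</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement></saml:Assertion>`
}
```

Bearer confirmation means whoever holds the assertion can present it, which is why the bearer service policies above insist on SSL transport protection; sender-vouches means the service trusts the sender that vouches for the subject, so the sender's own signature over the message has to be verified before this routine is consulted. Both of those checks are assumed to have happened already.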

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.14 oracle/wss_saml20_token_bearer_over_ssl_client_policy

Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL Client Policy

Category: Security

Description

Includes SAML tokens in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection. The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.15 oracle/wss_saml20_token_bearer_over_ssl_service_policy

Display Name: Wss SAML V2.0 Token (confirmation method as bearer) Over SSL Service Policy

Category: Security

Description

Authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header, and verifies that the transport protocol provides SSL message protection. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.

The SAML login module extracts the username from the verified token and passes it to the Authentication provider.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.16 oracle/wss_saml20_token_over_ssl_client_policy

Display Name: Wss SAML V2.0 Token Over SSL Client Policy

Category: Security

Description

Includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.17 oracle/wss_saml20_token_over_ssl_service_policy

Display Name: Wss SAML V2.0 Token Over SSL Service Policy

Category: Security

Description

Enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type, and verifies that the transport protocol provides SSL message protection. The SAML token is mapped to a user in the configured identity store. This policy can be enforced on any SOAP-based endpoint.

The SAML login module extracts the username from the verified token and passes it to the Authentication provider.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.18 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy

Display Name: Wss Issued Token with Saml Bearer Over SSL Client Policy

Category: Security

Description

Inserts a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.19 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

Display Name: Wss Issued Token with Saml Bearer Over SSL Service Policy

Category: Security

Description

Authenticates a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

See also "WS-Trust Assertion Templates" for more information about the assertion.

Configuration

To configure the policy:

18.10.20 oracle/wss_username_token_over_ssl_client_policy

Display Name: Wss Username Token Over SSL Client Policy

Category: Security

Description

Includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.21 oracle/wss_username_token_over_ssl_service_policy

Display Name: Wss Username Token Over SSL Service Policy

Category: Security

Description

Uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.22 oracle/wss_username_token_over_ssl_wssc_client_policy

Display Name: Wss Username Token Over SSL with secure conversation enabled Client Policy

Category: Security

Description

Includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages, and verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

This policy has secure conversation enabled. For more information, see Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.23 oracle/wss_username_token_over_ssl_wssc_service_policy

Display Name: Wss Username Token Over SSL with secure conversation enabled Service Policy

Category: Security

Description

Uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the OPSS configured identity store, and verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

This policy has secure conversation enabled. For more information, see Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.24 oracle/wss10_saml_hok_token_with_message_protection_client_policy

Display Name: Wss10 SAML Holder-Of-Key Token With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with holder of key confirmation.

The policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.25 oracle/wss10_saml_hok_token_with_message_protection_service_policy

Display Name: Wss10 SAML Holder-Of-Key Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.26 oracle/wss10_saml_token_with_message_integrity_client_policy

Display Name: Wss10 SAML Token With Message Integrity Client Policy

Category: Security

Description

Provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.27 oracle/wss10_saml_token_with_message_integrity_service_policy

Display Name: Wss10 SAML Token With Message Integrity Service Policy

Category: Security

Description

Enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. It extracts the SAML token from the WS-Security binary security token or the current Java Authentication and Authorization Service (JAAS) subject, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.28 oracle/wss10_saml_token_with_message_protection_client_policy

Display Name: Wss10 SAML Token With Message Protection Client Policy

Category: Security

Description

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.29 oracle/wss10_saml_token_with_message_protection_service_policy

Display Name: Wss10 SAML Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
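The time stamp and SAML token limit checks mentioned above (for this service policy and for the matching client policy, which is what inserts the values) are easy to get subtly wrong, so the following is an added example of the service-side logic, written for this page and not taken from OWSM. It checks the wsu:Timestamp window, the saml:Conditions NotBefore/NotOnOrAfter limits with a clock-skew allowance, the sender-vouches confirmation method, and one-time use of the AssertionID. The in-memory cache, the 60-second skew and the sample envelope are assumptions chosen for illustration; XML signature verification, which the real policy performs before any of these values can be trusted, is out of scope here.

```python
"""Service-side freshness and replay checks on an inbound SAML sender-vouches token:
the wsu:Timestamp window, the saml:Conditions limits and one-time use of the
AssertionID. Added example, not OWSM code. Signature verification, which the real
policy also requires before any of this is trusted, is out of scope here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "saml": SAML}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def parse_utc(value):
    """xsd:dateTime such as 2024-05-01T10:00:00Z to an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


class SamlTokenValidator:
    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.skew = clock_skew
        self.accepted = {}  # AssertionID -> NotOnOrAfter; hypothetical in-memory replay cache

    def validate(self, envelope_xml, now):
        """Return the reasons to reject the message; an empty list means accept."""
        # drop entries that can no longer be replayed so the cache stays bounded
        self.accepted = {i: exp for i, exp in self.accepted.items() if exp + self.skew > now}
        failures = []
        root = ET.fromstring(envelope_xml)
        ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
        created = ts.findtext("wsu:Created", namespaces=NS) if ts is not None else None
        expires = ts.findtext("wsu:Expires", namespaces=NS) if ts is not None else None
        if not created or not expires:
            failures.append("wsu:Timestamp with Created and Expires is required")
        else:
            if parse_utc(created) - self.skew > now:
                failures.append("timestamp Created is in the future")
            if parse_utc(expires) + self.skew <= now:
                failures.append("timestamp Expires has passed")
        assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
        if assertion is None:
            return failures + ["missing saml:Assertion"]
        method = assertion.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS)
        if method != SENDER_VOUCHES:
            failures.append("confirmation method %r is not sender-vouches" % method)
        cond = assertion.find("saml:Conditions", NS)
        expiry = None
        if cond is None or not cond.get("NotOnOrAfter"):
            failures.append("assertion carries no NotOnOrAfter limit")
        else:
            expiry = parse_utc(cond.get("NotOnOrAfter"))
            if expiry + self.skew <= now:
                failures.append("assertion NotOnOrAfter has passed")
            if cond.get("NotBefore") and parse_utc(cond.get("NotBefore")) - self.skew > now:
                failures.append("assertion NotBefore is in the future")
        assertion_id = assertion.get("AssertionID")
        if assertion_id in self.accepted:
            failures.append("AssertionID %s was already used" % assertion_id)
        elif not failures:
            self.accepted[assertion_id] = expiry  # remember accepted tokens only
        return failures


# Constructed sample; the values are illustrative, not captured from a real deployment.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="%s">
  <soap:Header><wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">
    <wsu:Timestamp wsu:Id="TS-1">
      <wsu:Created>2024-05-01T10:00:00Z</wsu:Created><wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires>
    </wsu:Timestamp>
    <saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
        Issuer="www.oracle.com" IssueInstant="2024-05-01T10:00:00Z">
      <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2024-05-01T10:00:00Z">
        <saml:Subject><saml:NameIdentifier>weblogic</saml:NameIdentifier>
          <saml:SubjectConfirmation><saml:ConfirmationMethod>%s</saml:ConfirmationMethod></saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>""" % (SOAP, WSSE, WSU, SAML, SENDER_VOUCHES)

if __name__ == "__main__":
    validator = SamlTokenValidator()
    print(validator.validate(SAMPLE_ENVELOPE, parse_utc("2024-05-01T10:01:00Z")))  # []
    print(validator.validate(SAMPLE_ENVELOPE, parse_utc("2024-05-01T10:01:00Z")))  # rejected as a replay
    print(validator.validate(SAMPLE_ENVELOPE, parse_utc("2024-05-01T10:07:00Z")))  # rejected as expired
```

Two design points worth noting: the AssertionID is remembered only for tokens that were accepted, so a flood of invalid tokens cannot fill the cache, and entries are evicted once their NotOnOrAfter plus skew has passed, because after that point the time checks reject a replay on their own. A token without a NotOnOrAfter limit is rejected outright rather than cached forever.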

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.30 oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy

Display Name: Wss10 SAML Token With Message Protection SKI Basic 256 Client Policy

Category: Security

Description

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
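The Basic 128 and Basic 256 suites named throughout this section, and the ski key reference used by this policy, show up in a message as concrete algorithm URIs and wsse:SecurityTokenReference forms. The following added example (written for this page, not OWSM code) audits a signed and encrypted WS-Security 1.0 message against the suite a policy promises and flags anything weaker, such as a peer that negotiated RSA-1_5 key transport or Triple DES in place of RSA-OAEP and AES. The element layout mirrors Example 18-2 and 18-3 (EncryptedKey and Signature in the Security header, EncryptedData in the Body); the sample envelope, the Body wsu:Id value and the dummy cipher and digest values are constructed, and the check is structural only, with no cryptographic verification.

```python
"""Audit of the algorithms and key references actually used in a WS-Security 1.0
message against the suite the attached policy promises (Basic128 or Basic256).
Added example, not OWSM code: it inspects structure only and verifies nothing
cryptographically."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "xenc": XENC}

# Algorithm URIs of the WS-SecurityPolicy suites the wss10_* policies refer to.
SUITES = {
    "Basic128": {"signature": DS + "rsa-sha1", "digest": DS + "sha1",
                 "key_transport": XENC + "rsa-oaep-mgf1p", "encryption": XENC + "aes128-cbc"},
    "Basic256": {"signature": DS + "rsa-sha1", "digest": DS + "sha1",
                 "key_transport": XENC + "rsa-oaep-mgf1p", "encryption": XENC + "aes256-cbc"},
}
SKI_VALUE_TYPE = X509 + "#X509SubjectKeyIdentifier"
# The two ways a SecurityTokenReference can name the recipient's encryption certificate.
KEYREF_SKI = '<wsse:KeyIdentifier ValueType="%s" EncodingType="%s">AAAA</wsse:KeyIdentifier>' % (SKI_VALUE_TYPE, B64)
KEYREF_DIRECT = '<wsse:Reference URI="#X509-1" ValueType="%s#X509v3"/>' % X509

# Constructed sample message; cipher, digest and signature values are placeholders.
ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey Id="EK-1">
      <xenc:EncryptionMethod Algorithm="{kt}"/>
      <ds:KeyInfo><wsse:SecurityTokenReference>{keyref}</wsse:SecurityTokenReference></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig}"/>
      <ds:Reference URI="#{body_id}"><ds:DigestMethod Algorithm="{digest}"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="{body_id}">
    <xenc:EncryptedData Id="ED-1" Type="{xenc}Content"><xenc:EncryptionMethod Algorithm="{enc}"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def build_envelope(suite="Basic128", keyref=KEYREF_SKI, body_id="Body-1", **overrides):
    """Build the sample; keyword overrides let a caller downgrade single algorithms."""
    algs = dict(SUITES[suite], **overrides)
    return ENVELOPE.format(soap=SOAP, wsse=WSSE, wsu=WSU, ds=DS, xenc=XENC, keyref=keyref,
                           body_id=body_id, sig=algs["signature"], digest=algs["digest"],
                           kt=algs["key_transport"], enc=algs["encryption"])


def audit(envelope_xml, suite, require_ski=False):
    """Return the deviations from `suite`; an empty list means the message conforms."""
    want = SUITES[suite]
    root = ET.fromstring(envelope_xml)
    problems = []

    def expect(path, key):
        for el in root.iterfind(path, NS):
            if el.get("Algorithm") != want[key]:
                problems.append("%s uses %s, policy requires %s" % (key, el.get("Algorithm"), want[key]))

    expect(".//ds:SignedInfo/ds:SignatureMethod", "signature")
    expect(".//ds:Reference/ds:DigestMethod", "digest")
    expect(".//xenc:EncryptedKey/xenc:EncryptionMethod", "key_transport")
    expect(".//xenc:EncryptedData/xenc:EncryptionMethod", "encryption")
    # the Body must be inside the signed set, otherwise integrity is not enforced on the payload
    body = root.find("soap:Body", NS)
    body_id = body.get("{%s}Id" % WSU) if body is not None else None
    signed = {r.get("URI") for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    if "#%s" % body_id not in signed:
        problems.append("SOAP Body is not covered by the signature")
    if require_ski:
        for ek in root.iterfind(".//xenc:EncryptedKey", NS):
            kid = ek.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
            if kid is None or kid.get("ValueType") != SKI_VALUE_TYPE:
                problems.append("EncryptedKey does not reference the certificate by Subject Key Identifier")
    return problems


if __name__ == "__main__":
    print(audit(build_envelope(), "Basic128", require_ski=True))  # []
    print(audit(build_envelope(key_transport=XENC + "rsa-1_5", encryption=XENC + "tripledes-cbc"), "Basic128"))
```

The same audit run against a message that passes Basic 128 but with suite "Basic256" reports only the AES-128 data encryption, which is the one algorithm that differs between the two suites; RSA-OAEP key transport and SHA-1 digests are common to both.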

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Note:

Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 7 software have built-in restrictions on available cryptographic strength.

By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

To use these policy files, replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:

  • US_export_policy.jar

  • local_policy.jar

Back up your existing JAR files before replacing them. The replacement has to be made on every JVM that enforces the policy, on the client side as well as on each managed server, and repeated after a JDK upgrade, because a new JDK installation ships the restricted files again. A quick check is Cipher.getMaxAllowedKeyLength("AES"), which returns 128 with the restricted files and Integer.MAX_VALUE with the unlimited ones. On JDK 8u161 and later the unlimited policy is enabled by default, so this step is only needed on older JDKs.

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.31 oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy

Display Name: Wss10 SAML Token With Message Protection SKI Basic 256 Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Note:

Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 7 software have built-in restrictions on available cryptographic strength.

By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

To use these policy files, replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:

  • US_export_policy.jar

  • local_policy.jar

Back up your existing JAR files before replacing them.

Configuration

To configure the policy:

18.10.32 oracle/wss10_saml20_token_with_message_protection_client_policy

Display Name: Wss10 SAML V2.0 Token With Message Protection Client Policy

Category: Security

Description

Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.33 oracle/wss10_saml20_token_with_message_protection_service_policy

Display Name: Wss10 SAML V2.0 Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.34 oracle/wss10_username_id_propagation_with_msg_protection_client_policy

Display Name: Wss10 Username Id Propagation With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials (only the username) are included in outbound SOAP request messages via a WS-Security UsernameToken header. No password is included. This policy can be enforced on any SOAP-based client.

Message protection is provided using WS-Security's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • Set up the Web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and Web service's respective keystores already contain digital certificates containing each other's public key.

  • Include a WS-Security UsernameToken element (<wsse:UsernameToken/>) in the SOAP request message. For identity propagation the client supplies only the username; no password is included, so the propagated identity rests on the signed message and on the Web service trusting the client's signing certificate.

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.35 oracle/wss10_username_id_propagation_with_msg_protection_service_policy

Display Name: Wss10 Username Id Propagation With Message Protection Service Policy

Category: Security

Description

Enforces message-level protection (integrity and confidentiality) and identity propagation for inbound SOAP requests using the mechanisms described in WS-Security 1.0. This policy can be enforced on any SOAP-based endpoint.

Message protection is provided using WS-Security 1.0's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.36 oracle/wss10_username_token_with_message_protection_client_policy

Display Name: Wss10 Username Token With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.37 oracle/wss10_username_token_with_message_protection_service_policy

Display Name: Wss10 Username Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
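The plain text and digest mechanisms named for the UsernameToken policies in this section (both the over-SSL variants and the message-protection variants above), and the nonce and creation-time replay protections this policy can require, are shown end to end in the following added example. It is written for this page and is not OWSM code: the client side builds the wsse:UsernameToken with a PasswordDigest as defined by the Username Token Profile, Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, and the service side verifies it, enforces a freshness window on wsu:Created and rejects reused nonces. The password table, the in-memory nonce cache, the five-minute window and the 60-second skew stand in for the identity store and a production replay cache and are assumptions of the example.

```python
"""Client- and service-side handling of a WS-Security UsernameToken with the
PasswordDigest mechanism and the nonce/created replay protections. Added example,
not OWSM code; the password table and in-memory nonce cache are stand-ins for the
identity store and a real replay cache."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST, PASSWORD_TEXT = UTP + "#PasswordDigest", UTP + "#PasswordText"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"wsse": WSSE, "wsu": WSU}


def parse_utc(value):
    """xsd:dateTime such as 2024-05-01T10:00:00Z to an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def password_digest(nonce, created, password):
    """Username Token Profile 1.1: Base64(SHA-1(nonce || created || password)),
    computed over the raw nonce bytes, not their base64 text."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, created, nonce=None, digest=True):
    """What the client policy inserts into the wsse:Security header."""
    nonce = nonce or os.urandom(16)
    if digest:
        pw_type, pw_value = PASSWORD_DIGEST, password_digest(nonce, created, password)
    else:
        pw_type, pw_value = PASSWORD_TEXT, password  # only acceptable because SSL protects the transport
    return ('<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="UT-1">'
            '<wsse:Username>%s</wsse:Username>'
            '<wsse:Password Type="%s">%s</wsse:Password>'
            '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
            '<wsu:Created>%s</wsu:Created></wsse:UsernameToken>'
            % (WSSE, WSU, username, pw_type, pw_value, BASE64,
               base64.b64encode(nonce).decode("ascii"), created))


class UsernameTokenVerifier:
    """Service side. Verifying a digest needs the cleartext password, so the identity
    store must be able to return it; a store holding only password hashes can verify
    PasswordText, never PasswordDigest."""

    def __init__(self, passwords, freshness=timedelta(minutes=5), skew=timedelta(seconds=60)):
        self.passwords = passwords  # username -> cleartext password (assumed store)
        self.freshness, self.skew = freshness, skew
        self.seen_nonces = {}  # nonce bytes -> Created, to reject replays inside the window

    def verify(self, token_xml, now):
        """Return the authenticated username or raise ValueError."""
        tok = ET.fromstring(token_xml)
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_el = tok.find("wsse:Nonce", NS)
        created_txt = tok.findtext("wsu:Created", namespaces=NS)
        if pw is None or nonce_el is None or not created_txt:
            raise ValueError("Password, Nonce and Created are all required")
        created = parse_utc(created_txt)
        if created > now + self.skew or created < now - self.freshness:
            raise ValueError("Created is outside the accepted window")
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            raise ValueError("nonce already used: replay")
        stored = self.passwords.get(username, "")
        pw_type = pw.get("Type", PASSWORD_TEXT)
        if pw_type == PASSWORD_DIGEST:
            expected = password_digest(nonce, created_txt, stored)
        elif pw_type == PASSWORD_TEXT:
            expected = stored
        else:
            raise ValueError("unsupported password type %s" % pw_type)
        # constant-time compare, and one generic error for unknown user and wrong password
        if not stored or not hmac.compare_digest(expected, pw.text or ""):
            raise ValueError("authentication failed")
        # nonces older than the freshness window are rejected by the time check anyway
        self.seen_nonces = {n: c for n, c in self.seen_nonces.items() if c >= now - self.freshness}
        self.seen_nonces[nonce] = created
        return username


if __name__ == "__main__":
    created = "2024-05-01T10:00:00Z"  # constructed timestamp for the demonstration
    verifier = UsernameTokenVerifier({"weblogic": "welcome1"})
    token = build_username_token("weblogic", "welcome1", created)
    print(verifier.verify(token, parse_utc("2024-05-01T10:00:30Z")))  # weblogic
```

The digest buys nothing against an attacker who already holds the nonce, the Created value and the digest, which is why these policies also require SSL or message protection; what the nonce and Created checks add is that a captured token cannot be replayed, provided the service keeps the nonce at least as long as the freshness window it accepts.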

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.38 oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy

Display Name: Wss10 Username Token With Message Protection SKI Basic 256 Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses Subject Key Identifier (ski) reference mechanism for encryption key in the request and for both signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Note:

Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 7 software have built-in restrictions on available cryptographic strength.

By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

To use these policy files, replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:

  • US_export_policy.jar

  • local_policy.jar

Back up your existing JAR files before replacing them.

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.39 oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy

Display Name: Wss10 Username Token With Message Protection SKI Basic 256 Service Policy

Category: Security

Description

Enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses Subject Key Identifier (ski) reference mechanism for encryption key in the request and for both signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Note:

Due to the import restrictions of some countries, the jurisdiction policy files distributed with the JDK 7 software have built-in restrictions on available cryptographic strength.

By default, policies that use the basic192 algorithms and above do not work with the bundled JRE/JDK. To use these algorithms, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

To use these policy files, replace the following JAR files in $JAVA_HOME/jre/lib/security with the corresponding JARs from the JCE Extension:

  • US_export_policy.jar

  • local_policy.jar

Back up your existing JAR files before replacing them.

Configuration

To configure the policy:

18.10.40 oracle/wss10_x509_token_with_message_protection_client_policy

Display Name: Wss10 X509 Token With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • Set up the Web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and Web service's respective keystores already contain digital certificates containing each other's public key.

  • Provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.

  • Configure the policy assertion for message signing, message encryption, or both.

Example 18-2 shows the typical structure of a signature included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element of the SOAP message is signed.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.0 standards. In this example, the body element is encrypted.

18.10.41 oracle/wss10_x509_token_with_message_protection_service_policy

Display Name: Wss10 X509 Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.42 oracle/wss11_kerberos_token_with_message_protection_client_policy

Display Name: Wss11 Kerberos Token With Message Protection Client Policy

Category: Security

Description

Includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

This policy can be enforced on any SOAP-based client.

This policy is compatible with MIT Kerberos KDC and with newer versions of Active Directory KDC. It is not compatible with versions of Active Directory earlier than 2008 because it uses Triple DES encryption. With these earlier versions, use "oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-4 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.43 oracle/wss11_kerberos_token_with_message_protection_service_policy

Display Name: Wss11 Kerberos Token With Message Protection Service Policy

Category: Security

Description

Enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

This policy can be enforced on any SOAP-based endpoint.

This policy is compatible with MIT Kerberos KDC and with newer versions of Active Directory KDC. It is not compatible with versions of Active Directory earlier than 2008 because it uses Triple DES encryption. With these earlier versions, use "oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.44 oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy

Display Name: Wss11 Kerberos Token With Message Protection Basic 128 Client Policy

Category: Security

Description

Includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be enforced on any SOAP-based client.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.45 oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy

Display Name: Wss11 Kerberos Token With Message Protection Basic 128 Service Policy

Category: Security

Description

Enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.46 oracle/wss11_saml_or_username_token_with_message_protection_service_policy

Display Name: Wss11 Saml Token or Wss11 Username Token With Message Protection or Wss SAML Token(Confirmation Method As Bearer) Over SSL or Wss Username Token Over SSL or Http Basic Auth Over SSL Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML, username, or HTTP token, respectively:

  • SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

  • Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

  • SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.

  • Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.

  • HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

Assertion Templates (OR Group)

This policy contains the following assertions, as an OR group—meaning any one of the tokens can be sent by the client:

18.10.47 oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy

Display Name: Wss11 Saml Token Identity Switch With Message Protection Client Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.48 oracle/wss11_saml_token_with_message_protection_client_policy

Display Name: Wss11 Saml Token With Message Protection Client Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.49 oracle/wss11_saml_token_with_message_protection_service_policy

Display Name: Wss11 Saml Token With Message Protection Service Policy

Category: Security

Description

This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.50 oracle/wss11_saml_token_with_message_protection_wssc_client_policy

Display Name: Wss11 Saml Token With Message Protection with secure conversation enabled Client Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.51 oracle/wss11_saml_token_with_message_protection_wssc_service_policy

Display Name: Wss11 Saml Token With Message Protection with secure conversation enabled Service Policy

Category: Security

Description

This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled. See Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.52 oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy

Display Name: Wss11 Saml Token With Message Protection with secure conversation and re-authenticate mode enabled Client Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.53 oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy

Display Name: Wss11 Saml Token With Message Protection with secure conversation and re-authenticate mode enabled Service Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled. See Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.54 oracle/wss11_saml20_token_with_message_protection_client_policy

Display Name: Wss11 Saml V2.0 Token With Message Protection Client Policy

Category: Security

Description

Enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.55 oracle/wss11_saml20_token_with_message_protection_service_policy

Display Name: Wss11 Saml V2.0 Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.56 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy

Category: Security

Description

Inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.57 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Policy

Category: Security

Description

Authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.

You also have the option to override the keystore.enc.csf.key server-side configuration property, as described in "Overview of Policy Configuration Overrides".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.58 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Policy

Category: Security

Description

This policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.59 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Policy

Category: Security

Description

This policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.60 oracle/wss11_sts_issued_saml_with_message_protection_client_policy

Display Name: Wss11 Issued Token with Saml Sender Vouches with Message Protection Client Policy

Category: Security

Description

This policy inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

18.10.61 oracle/wss11_username_token_with_message_protection_client_policy

Display Name: Wss11 Username Token With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • This policy uses symmetric key technology, which is an encryption method that uses the same shared key to encrypt and decrypt data. The symmetric key is used to sign the message.

  • Configure the policy assertion for message signing, message encryption, or both.

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.62 oracle/wss11_username_token_with_message_protection_service_policy

Display Name: Wss11 Username Token With Message Protection Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
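The username-token descriptions for the client policy (18.10.61) and this service policy, which the secure-conversation variants that follow repeat, mention both the digest mechanism and the time-stamp option that bounds replay. As an added example, and not OWSM's own code, the Python below implements both sides in the form the WS-Security UsernameToken Profile specifies: the consumer computes PasswordDigest = Base64(SHA-1(nonce + created + password)), and the provider recomputes it from the identity store, bounds Created by a freshness window plus clock skew, and keeps a nonce cache so the same token cannot be presented twice. The five-minute freshness window, the one-minute skew, the in-memory dictionary standing in for the identity store, and the function and class names are this example's assumptions.

```python
"""UsernameToken digest and replay checks (added example, not OWSM code).

Per the WS-Security UsernameToken Profile:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where nonce is the decoded nonce bytes and created/password are UTF-8 strings.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64, created, password):
    """Digest exactly as the UsernameToken Profile defines it."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username, password, now=None):
    """Consumer side: the fields that go into wsse:UsernameToken (digest mechanism)."""
    now = now or datetime.now(timezone.utc)
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")  # fresh per message
    created = now.strftime(ISO_FMT)
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


def _parse_created(value):
    # wsu:Created is an xsd:dateTime in UTC; accept a trailing Z with or without
    # fractional seconds.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class UsernameTokenVerifier:
    """Provider side: credential check, freshness window and nonce replay cache."""

    def __init__(self, passwords, freshness=timedelta(minutes=5), skew=timedelta(minutes=1)):
        self.passwords = passwords   # stand-in for the identity store (assumed)
        self.freshness = freshness   # how old a Created may be
        self.skew = skew             # tolerated clock difference between the parties
        self.seen = {}               # nonce -> Created: the replay cache

    def verify(self, token, now=None):
        """Return (accepted, reason)."""
        now = now or datetime.now(timezone.utc)
        try:
            created = _parse_created(token["Created"])
        except (KeyError, ValueError):
            return False, "missing or malformed Created"
        if created > now + self.skew:
            return False, "Created is in the future"
        if now - created > self.freshness + self.skew:
            return False, "token is stale"
        # Entries older than the window would be rejected as stale anyway, so the
        # cache only has to remember nonces that are still inside it.
        cutoff = now - self.freshness - self.skew
        self.seen = {n: c for n, c in self.seen.items() if c >= cutoff}
        nonce = token.get("Nonce")
        if nonce is not None and nonce in self.seen:
            return False, "nonce replayed"
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        if "PasswordDigest" in token:
            expected = password_digest(nonce, token["Created"], password)
            ok = hmac.compare_digest(expected.encode(), token["PasswordDigest"].encode())
        else:
            # Plain-text mechanism: confidentiality rests on message or transport protection.
            ok = hmac.compare_digest(password.encode("utf-8"),
                                     token.get("Password", "").encode("utf-8"))
        if not ok:
            return False, "credential mismatch"
        if nonce is not None:
            self.seen[nonce] = created
        return True, "ok"
```

Two consequences of the digest mechanism follow directly from the code. The provider has to recompute the digest from the clear password (or an equivalent secret), which constrains how the identity store holds credentials; and the nonce cache is bounded by the freshness window plus skew, because anything older is rejected on Created alone, so replay detection does not need unbounded state. The plain-text mechanism skips the digest entirely and therefore depends on the message or transport protection the policy provides.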

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.63 oracle/wss11_username_token_with_message_protection_wssc_client_policy

Display Name: Wss11 Username Token With Message Protection with secure conversation enabled Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

Example 18-3 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.64 oracle/wss11_username_token_with_message_protection_wssc_service_policy

Display Name: Wss11 Username Token With Message Protection with secure conversation enabled Service Policy

Category: Security

Description

Enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled. See Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.65 oracle/wss11_x509_token_with_message_protection_client_policy

Display Name: Wss11 X509 Token With Message Protection Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • Set up the Web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and Web service's respective keystores already contain digital certificates containing each other's public key.

  • The Web service client needs to provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.

  • Configure the policy assertion for message signing, message encryption, or both.

Example 18-4 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.66 oracle/wss11_x509_token_with_message_protection_service_policy

Display Name: Wss11 X509 Token With Message Protection Service Policy

Category: Security

Description

Enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.10.67 oracle/wss11_x509_token_with_message_protection_wssc_client_policy

Display Name: Wss11 X509 Token With Message Protection with secure conversation enabled Client Policy

Category: Security

Description

Provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled.

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

Design Time Considerations

At design time:

  • Override configuration settings, as described in "Overriding Client Policy Configuration Properties at Design Time".

  • Configure Secure Conversation, as described in Chapter 11, "Configuring Secure Conversation".

  • The Web service client needs to provide valid X.509 authentication credentials in the SOAP message through the WS-Security binary security token.

  • Set up the Web service client keystore, as described in "Understanding Keys and Certificates" in Understanding Oracle Web Services Manager. The policy specifically requires that the client's and Web service's respective keystores already contain digital certificates containing each other's public key.

  • Configure the policy assertion for message signing, message encryption, or both.

Example 18-4 is an example of the typical structure of encryption elements included in the Security header in conformance with the WS-Security 1.1 standards. In this example, the body element is encrypted.

18.10.68 oracle/wss11_x509_token_with_message_protection_wssc_service_policy

Display Name: Wss11 X509 Token With Message Protection with secure conversation enabled Service Policy

Category: Security

Description

Enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy has secure conversation enabled. See Chapter 11, "Configuring Secure Conversation".

Assertion Template

This policy contains the following assertion template, which defines the settings and configuration properties for the policy:

Configuration

To configure the policy:

18.11 Security Policies—OES

Table 18-58 summarizes the predefined OWSM Oracle Entitlements Server (OES) security policies.

Table 18-58 Predefined OWSM OES Security Policies

Configuration Policy Description

oracle/binding_oes_authorization_policy

Reserved for future use.

oracle/binding_oes_masking_policy

Reserved for future use.

oracle/component_oes_authorization_policy

Reserved for future use.


18.11.1 oracle/binding_oes_authorization_policy

Display Name: Fine-grained authorization using Oracle Entitlements Server

Category: Security

Description

Reserved for future use.

18.11.2 oracle/binding_oes_masking_policy

Display Name: Response masking using Oracle Entitlements Server

Category: Security

Description

Reserved for future use.

18.11.3 oracle/component_oes_authorization_policy

Display Name: SCA Component fine-grained authorization using Oracle Entitlements Server

Category: Security

Description

Reserved for future use.

18.12 SOAP Over JMS Transport Policies

Table 18-59 summarizes the predefined OWSM SOAP Over JMS Transport policies.

Table 18-59 Predefined OWSM SOAP Over JMS Transport Policies

Configuration Policy Description

oracle/jms_transport_client_policy

Enables and configures support for SOAP over JMS transport for Web service clients.

oracle/jms_transport_service_policy

Enables and configures support for SOAP over JMS transport for Web services.

oracle/no_jms_transport_client_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport client policy at a higher scope.

oracle/no_jms_transport_service_policy

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport service policy at a higher scope.


For more information about attaching SOAP over JMS transport policies, see:

18.12.1 oracle/jms_transport_client_policy

Display Name: JMS Transport Client Policy

Category: SOAP Over JMS Transport

Description

Enables and configures support for SOAP over JMS transport for Web service clients.

Note:

This policy cannot be duplicated, and the assertion template associated with this policy is not available for generating new policies.

This policy is not supported for Java EE (WebLogic) Web services.

Configuration

Table 18-60 lists the configuration properties that you can override for SOAP over JMS transport clients.

Table 18-60 Configuration Properties for oracle/jms_transport_client_policy

Name Description Default Required?

destination.name

JNDI name of the destination queue or topic.

com.oracle.webservices.api.jms.RequestQueue

Required

destination.type

Destination type. Valid values include: com.oracle.webservices.api.jms.JMSDestinationType.QUEUE or com.oracle.webservices.api.jms.JMSDestinationType.TOPIC. This value defaults to QUEUE.

QUEUE

Required

jms.header.property

JMS header properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

None

Optional

jms.message.property

JMS message properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

None

Optional

jndi.connection.factory.name

JNDI name of the connection factory that is used to establish a JMS connection.

com.oracle.webservices.jms.ConnectionFactory

Required

jndi.context.parameters

JNDI properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

The properties are added to the java.util.Hashtable sent to the InitialContext constructor for the JNDI provider.

None

Optional

jndi.initial.context.factory

Name of the initial context factory class used for JNDI lookup. This value maps to the java.naming.factory.initial property.

weblogic.jndi.WLInitialContextFactory

Required

jndiurl

JNDI provider URL. This value maps to the java.naming.provider.url property.

t3://localhost:7001

Required

message.type

Message type to use with the request message. Valid values are com.oracle.webservices.api.jms.JMSMessageType.BYTES and com.oracle.webservices.api.jms.JMSMessageType.TEXT. This value defaults to BYTES.

For more information, see "Configuring the JMS Message Type" in Developing JAX-WS Web Services for Oracle WebLogic Server.

BYTES

Required

priority

JMS priority associated with the request and response message. Specify this value as an integer from 0, the lowest priority, to 9, the highest priority. The default value is 0.

0

Required

reply.to.name

JNDI name of the JMS destination to which the response message is sent.

For a two-way operation, a temporary response queue is generated by default. Using the default temporary response queue minimizes the configuration that is required. However, in the event of a server failure, the response message may be lost.

This property enables the client to use a previously defined, "permanent" queue or topic rather than use the default temporary queue or topic, for receiving replies. For more information about configuring the JMS response queue, see "Configuring the Response Queue" in Developing JAX-WS Web Services for Oracle WebLogic Server.

The value maps to the JMSReplyTo JMS header in the request message.

None

Optional

target.service

Port component name of the Web service. This value is used by the service implementation to dispatch the service request. If not specified, the service name from the WSDL or @javax.jws.WebService annotation is used.

This value maps to the SOAPJMS_targetService JMS message property.

None

Optional

time.to.live

Lifetime, in milliseconds, of the request message. A value of 0 indicates an infinite lifetime.

On the service side, timeToLive also specifies the expiration time for each MDB transaction.

180000

Required

reference.priority

See "reference.priority".

None

Optional


18.12.2 oracle/jms_transport_service_policy

Display Name: JMS Transport Service Policy

Category: SOAP Over JMS Transport

Description

Enables and configures support for SOAP over JMS transport for Web services.

Note:

This policy cannot be duplicated, and the assertion template associated with this policy is not available for generating new policies.

This policy is not supported for Java EE (WebLogic) Web services.

Configuration

Table 18-61 lists the configuration properties that you can override for SOAP over JMS transport for Web services.

Table 18-61 Configuration Properties for oracle/jms_transport_service_policy

Name Description Default Required?

binding.version

Version of the SOAP JMS binding. This value must be set to SOAP_JMS_1.0 for this release, which equates to com.oracle.webservices.api.jms.JMSBindingVersion.SOAP_JMS_1_0.

This value maps to the SOAPJMS_bindingVersion JMS message property.

SOAP_JMS_1.0

Required

delivery.mode

Delivery mode indicating whether the request message is persistent. Valid values are com.oracle.webservices.api.jms.DeliveryMode.PERSISTENT and com.oracle.webservices.api.jms.DeliveryMode.NON_PERSISTENT.

PERSISTENT

Required

enable.http.wsdl.access

Boolean flag that specifies whether to publish the WSDL through HTTP.

true

Optional

run.as.principal

Principal used to run the listening MDB.

None

Optional

run.as.role

Role used to run the listening MDB.

None

Optional

mdb.per.destination

Boolean flag that specifies whether to create one listening message-driven bean (MDB) for each requested destination.

If set to false, one listening MDB is created for each Web service port, and that MDB cannot be shared by other ports.

true

Optional

activation.config

Activation configuration properties passed to the JMS provider. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

For a list of activation configuration properties that are supported by this property, see "Summary of JMS Transport Configuration Properties" in Developing JAX-WS Web Services for Oracle WebLogic Server.

None

Optional

destination.name

JNDI name of the destination queue or topic.

com.oracle.webservices.api.jms.RequestQueue

Required

destination.type

Destination type. Valid values include: com.oracle.webservices.api.jms.JMSDestinationType.QUEUE or com.oracle.webservices.api.jms.JMSDestinationType.TOPIC. This value defaults to QUEUE.

QUEUE

Required

jms.header.property

JMS header properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

None

Optional

jms.message.property

JMS message properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

None

Optional

jndi.connection.factory.name

JNDI name of the connection factory that is used to establish a JMS connection.

com.oracle.webservices.jms.ConnectionFactory

Required

jndi.context.parameters

JNDI properties. Each property is specified using name-value pairs, separated by semicolons (;). For example: name1=value1;...;nameN=valueN.

The properties are added to the java.util.Hashtable sent to the InitialContext constructor for the JNDI provider.

None

Optional

jndi.initial.context.factory

Name of the initial context factory class used for JNDI lookup. This value maps to the java.naming.factory.initial property.

weblogic.jndi.WLInitialContextFactory

Required

jndiurl

JNDI provider URL. This value maps to the java.naming.provider.url property.

t3://localhost:7001

Required
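
The following added example (not part of this documentation or of OWSM) checks a set of override values against the properties in Table 18-60 and Table 18-61 before they are attached. It parses the semicolon-separated name-value lists used by jms.header.property, jms.message.property, jndi.context.parameters, and activation.config, validates the enumerated and numeric properties against the values and ranges stated in the tables, and flags two settings a reviewer would question: a plaintext t3:// JNDI provider URL, for which WebLogic's TLS-protected t3s:// scheme is the usual alternative, and enable.http.wsdl.access=true, which publishes the WSDL over HTTP. The property names and defaults are taken from the tables; the check functions, severity levels, message text, the treatment of a blank override as "use the default", and the sample override values are this example's own.

```python
"""Lint override values for oracle/jms_transport_client_policy and
oracle/jms_transport_service_policy (Tables 18-60 and 18-61).  Added example, not
Oracle code: property names and defaults come from the tables; the checks, severities
and messages are this example's own.  A blank override means "use the default".
"""
from urllib.parse import urlsplit

# Properties common to both tables, with the listed defaults.
SHARED_DEFAULTS = {
    "destination.name": "com.oracle.webservices.api.jms.RequestQueue",
    "destination.type": "QUEUE", "jms.header.property": "", "jms.message.property": "",
    "jndi.connection.factory.name": "com.oracle.webservices.jms.ConnectionFactory",
    "jndi.context.parameters": "",
    "jndi.initial.context.factory": "weblogic.jndi.WLInitialContextFactory",
    "jndiurl": "t3://localhost:7001",
}
CLIENT_DEFAULTS = {**SHARED_DEFAULTS, "message.type": "BYTES", "priority": "0",
                   "reply.to.name": "", "target.service": "", "time.to.live": "180000",
                   "reference.priority": ""}
SERVICE_DEFAULTS = {**SHARED_DEFAULTS, "binding.version": "SOAP_JMS_1.0",
                    "delivery.mode": "PERSISTENT", "enable.http.wsdl.access": "true",
                    "run.as.principal": "", "run.as.role": "", "mdb.per.destination": "true",
                    "activation.config": ""}
# Enumerated values in the short form the tables use.
ENUMS = {"destination.type": {"QUEUE", "TOPIC"}, "message.type": {"BYTES", "TEXT"},
         "delivery.mode": {"PERSISTENT", "NON_PERSISTENT"}, "binding.version": {"SOAP_JMS_1.0"},
         "enable.http.wsdl.access": {"true", "false"}, "mdb.per.destination": {"true", "false"}}
# Properties whose value is a semicolon-separated name=value list.
PAIR_PROPERTIES = {"jms.header.property", "jms.message.property",
                   "jndi.context.parameters", "activation.config"}
# Standard JNDI property that carries a password (javax.naming.Context.SECURITY_CREDENTIALS).
SECRET_JNDI_KEYS = {"java.naming.security.credentials"}


def parse_pairs(text):
    """Parse 'name1=value1;...;nameN=valueN' into a dict; '' yields {}.
    Entries without '=' and duplicate names raise ValueError."""
    result = {}
    for item in (part.strip() for part in text.split(";")):
        if not item:
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed entry {item!r}")
        if name in result:
            raise ValueError(f"duplicate name {name!r}")
        result[name] = value.strip()
    return result


def check_overrides(overrides, side):
    """Return sorted (severity, property, message) findings for one attachment;
    side is "client" (Table 18-60) or "service" (Table 18-61)."""
    defaults = CLIENT_DEFAULTS if side == "client" else SERVICE_DEFAULTS
    findings = [("error", n, "not a property of this policy") for n in overrides if n not in defaults]
    effective = dict(defaults)  # blank or missing override -> default value
    effective.update({k: v.strip() for k, v in overrides.items() if k in defaults and v.strip()})

    for name, allowed in ENUMS.items():
        if name in effective and effective[name] not in allowed:
            findings.append(("error", name, f"must be one of {sorted(allowed)}"))
    for name, low, high in (("priority", 0, 9), ("time.to.live", 0, None)):
        value = effective.get(name)
        if value is None:
            continue
        ok = value.isdigit() and int(value) >= low and (high is None or int(value) <= high)
        if not ok:
            findings.append(("error", name,
                             f"must be an integer from {low} to {high if high is not None else 'unbounded'}"))
    for name in sorted(PAIR_PROPERTIES & set(effective)):
        try:
            pairs = parse_pairs(effective[name])
        except ValueError as exc:
            findings.append(("error", name, str(exc)))
            continue
        if name == "jndi.context.parameters" and SECRET_JNDI_KEYS & set(pairs):
            findings.append(("warning", name, "JNDI password embedded in a policy override"))

    scheme = urlsplit(effective["jndiurl"]).scheme.lower()
    if scheme == "t3":
        findings.append(("warning", "jndiurl", "plaintext t3://; prefer t3s:// (T3 over TLS)"))
    elif scheme != "t3s":
        findings.append(("warning", "jndiurl", f"unexpected provider URL scheme {scheme!r}"))
    if effective["jndi.initial.context.factory"] != SHARED_DEFAULTS["jndi.initial.context.factory"]:
        findings.append(("warning", "jndi.initial.context.factory", "non-default initial context factory"))
    if effective.get("enable.http.wsdl.access") == "true":
        findings.append(("info", "enable.http.wsdl.access", "WSDL is published over HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed override set for illustration only; not taken from any real deployment.
    sample = {"jndiurl": "t3://jms.example.internal:7001", "priority": "12",
              "jndi.context.parameters": "java.naming.security.principal=svc;"
                                         "java.naming.security.credentials=hunter2",
              "jms.header.property": "JMSType=soap;JMSType=xml"}
    for severity, prop, message in check_overrides(sample, "client"):
        print(f"{severity:8}{prop:30}{message}")
```

Run as a script, it prints the findings for the constructed sample: the out-of-range priority and the duplicated JMS header name are errors, while the plaintext t3:// URL and the password embedded in jndi.context.parameters are warnings. Calling check_overrides with an empty override set shows which defaults a reviewer would still want to revisit: the t3://localhost:7001 provider URL on both sides, and enable.http.wsdl.access=true on the service side.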


18.12.3 oracle/no_jms_transport_client_policy

Display Name: No Jms Transport Client Policy

Category: SOAP Over JMS Transport

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport client policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-62 lists the configuration property that you can override for the no behavior policy.

Table 18-62 Configuration Property for oracle/no_jms_transport_client_policy

Name Description Default Required?

reference.priority

See "reference.priority".

None

Optional


18.12.4 oracle/no_jms_transport_service_policy

Display Name: No Jms Transport Service Policy

Category: SOAP Over JMS Transport

Description

When directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached SOAP over JMS transport service policy at a higher scope. For details about using this no behavior policy, see "Disabling a Globally Attached Policy".

Note:

Please note the following:

  • This no behavior policy cannot be duplicated.

  • The assertion template associated with this no behavior policy is not available for generating new policies.

  • This no behavior policy is not supported for Java EE (WebLogic) Web services.

Assertion Template

All no behavior policies use the same no behavior assertion. An assertion template is not provided for the no behavior assertion. For that reason, it is important that you do not delete the no behavior policies. To recreate them you will need to restore the OWSM repository with the original policies. For information about restoring the repository, see "Rebuilding the OWSM Repository".

Configuration

Table 18-63 lists the configuration property that you can override for the no behavior policy.

Table 18-63 Configuration Property for oracle/no_jms_transport_service_policy

Name Description Default Required?

reference.priority

See "reference.priority".

None

Optional