Oracle® Application Server Advanced Web Services Developer's Guide 10g (10.1.3.1.0) Part Number B28975-02
Web services security is described in the Oracle Application Server Web Services Security Guide. The Security Guide contains the following chapters:
Chapter 1, "Introduction"
This chapter introduces essential Web service security concepts, standards, and specifications. It is divided into the following sections:
Web Service Security Concepts
Web Services Security Support in OC4J
Tool Support for Web Services Security
Chapter 2, "Configuring Web Services Security"
This chapter describes the Web service security configuration elements that can be used to secure a Web service on the client and the server. It is divided into the following sections:
Keystore Elements
Signature and Encryption Key Elements
Nonce Configuration Elements
Security Elements for Inbound Messages
Security Elements for Outbound Messages
Chapter 3, "Administering Web Services Security"
This chapter describes administration tasks for Web services security. It is divided into the following sections:
Using Keystores
Integrating Security Tokens with Security Providers
Using a Username Token
Using an X.509 Token
Using a SAML Token
Configuring XML Encryption
Configuring XML Signature
Combining Tokens, Encryption, and Signature
Chapter 4, "Building Secure Web Services"
This chapter provides the generalized steps for assembling a secure Web service. Oracle Application Server Web Services provides the WebServicesAssembler tool, which enables you to assemble the service top down (from a WSDL) or bottom up (from Java classes, EJBs, or database resources).
Assembling a Secure Web Service
Creating a Server-Side Security Configuration File
Creating a Client-Side Security Configuration File
Client JAR Files
Adding Transport-Level Security to a Web Service
Ant Tasks and WebServicesAssembler
Getting an Authenticated User Identity in a Web Service Application
Performing JAAS Provider Authorization on a Web Service
WS-Security and XML APIs
Development Decisions
Chapter 5, "Secure Web Service Usage Scenarios"
This chapter discusses common scenarios for using Web service security. It begins with the simplest use case, then proceeds through increasingly complex use cases. The first section of the chapter discusses use cases with no security implications; these are then modified to add security features. It contains the following sections:
Non-Secured Web Services
HTTP-Based Security
WS-Security
XML Signature
XML Encryption
Gateways
Identity Management
Interoperability
Chapter 6, "Troubleshooting"
This chapter describes solutions to some of the errors you might encounter when working with OracleAS Web Services Security. The errors are divided into these categories:
General Errors
Keystore-Related Errors
Message Integrity Errors
Message Confidentiality Errors
Authentication Errors
Appendix A, "OracleAS Web Services Security Schema"
This appendix describes the contents of the OracleAS Web Services Security schema file, oracle-webservices-security-10_0.xsd.
Appendix B, "Security Threats and Solutions"
This appendix describes how the functionality in OracleAS Web Services can be used to address the threats to security that are present in today's Web environment.
For more information on:
securing a Web service, see the Oracle Application Server Web Services Security Guide.
adding Web service management information, including security, to a Web service, see Chapter 3, "Managing Web Services".
adding reliability information to a Web service, see Chapter 5, "Ensuring Web Service Reliability".
adding auditing and logging information to a Web service, see Chapter 6, "Auditing and Tracing Messages".
assembling a Web service top down, see "Assembling a Web Service from a WSDL" in the Oracle Application Server Web Services Developer's Guide.
using Java classes to assemble a Web service, see "Assembling a Web Service with Java Classes" in the Oracle Application Server Web Services Developer's Guide.
using EJBs to assemble a Web service, see "Assembling a Web Service with EJBs" in the Oracle Application Server Web Services Developer's Guide.
using JMS topics and destinations to assemble a Web service, see "Assembling Web Services with JMS Destinations" in the Oracle Application Server Web Services Developer's Guide.
using database resources, such as PL/SQL packages, SQL queries, DML statements, Oracle Streams AQ, or server-side Java classes, to assemble a Web service, see "Assembling Database Web Services" in the Oracle Application Server Web Services Developer's Guide.
assembling a J2EE Web Service client, see "Assembling a J2EE Web Service Client" in the Oracle Application Server Web Services Developer's Guide.
assembling a J2SE Web service client, see "Assembling a J2SE Web Service Client" in the Oracle Application Server Web Services Developer's Guide.
using WebServicesAssembler commands to assemble Web service artifacts, see "Using WebServicesAssembler" in the Oracle Application Server Web Services Developer's Guide.
the contents of the oracle-webservices.xml deployment descriptor, which contains the Web services management configuration, see "Packaging and Deploying Web Services" in the Oracle Application Server Web Services Developer's Guide.
the contents of the wsmgmt.xml file, which contains the security configuration, see Appendix A, "Understanding the Web Services Management Schema".