BEA SALT WS-SecurityPolicy Assertion 1.2 Reference

BEA SALT implements part of WS-Security protocol version 1.1 for inbound services. Authentication with UsernameToken and X509v3Token are supported. To describe how the authentication is carried out, WS-SecurityPolicy is used in WSDL definition.

In order to communicate with BEA WebLogic Release 10 via WS-Security 1.1, SALT implements the counterparts of WS-SecurityPolicy (WSSP) 1.2 supported by WebLogic 10. But the supported WSSP 1.2 assertions are limited as follows:

Protection Assertions

Integrity Assertion

<sp:SignedParts> Assertion (Limited support)

Token Assertions:

<sp:UsernameToken> Assertion (Limited support)
<sp:X509Token> Assertion (Limited support)

Security Binding Assertions:

AsysmmetricBinding Assertion (Limited support)
<sp:TransportBinding > Assertion (Limited support)

Supporting Tokens Assertions:

SupportingTokens Assertion (Limited support)

For more information about WSSP 1.2 assertions supported by WebLogic 10, please refer to “Using WS-SecurityPolicy 1.2 Policy Files in the BEA WebLogic Web Services Documentation.

In this document, XML namespace prefix “sp” stands for namespace URI “http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512”.

SALT WSSP 1.2 Policy File Example

Listing D-1 demonstrates how to apply Username token authentication with WSSP 1.2 assertions.

<!-Binding Policy -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"> 
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken/>
        </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>

SALT WSSP 1.2 Policy Templates

BEA SALT provides a number of WS-SecurityPolicy 1.2 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.

Table D-1 SALT WSSP 1.2 Policy Template Files
Policy File	Description
wssp1.2-UsernameToken-plain-auth.xml	Username token with plain text password is sent in the request for authentication.
wssp1.2-x509v3-auth.xml	X509 V3 binary token (certificate) is sent in the request for authentication. The request is optionally signed with some message parts in the requests.
wssp1.2-signbody.xml	The entire SOAP body is signed.

These template files can be referenced directly in the WSDF files with location value format:

For example, if you want to configure signbody, you can specify the followings in your WSDF file:

SALT WSSP1.2 Assertion Description

Below are all BEA SALT supported WSSP 1.2 assertions and limitations for each one. Customers should obey the limitation when writing their own customized WSSP 1.2 policy files. BEA SALT does not check any customized WSSP 1.2 policy file against the limitation rules. If something claimed in the customized WSSP 1.2 policy file cannot be supported by BEA SALT, web service client program may result runtime errors.

WS-SecurityPolicy 1.2 assertions not listed below are definitely not supported by BEA SALT.

<sp:SignedParts>

Specifies the parts of a SOAP message to be digitally signed. BEA SALT only supports the entire SOAP body to be signed.

Limitations

<sp:UsernameToken>

Specifies username token to be included in the SOAP message. BEA SALT only supports username token with clear text password defined in WS-Security Username Token Profile 1.0. <UsernameToken> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.

Limitations

<sp:X509Token>

Specifies a binary security token carrying an X509 token to be included in the SOAP message. <X509Token> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.

Limitations

Supported Nesting Assertions

<sp:WssX509V3Token10>
<sp:WssX509V3Token11>

Non-Supported Nesting Assertions

<sp:WssX509Pkcs7Token10>
<sp:WssX509Pkcs7Token11>
<sp:WssX509PkiPathV1Token10>
<sp:WssX509PkiPathV1Token11>
<sp:WssX509V1Token10>
<sp:WssX509V1Token11>

<sp:AlgorithmSuite>

Specifies the algorithm suite to be used for performing cryptographic operations with security tokens. <AlgorithmSuite> Assertion must be used as a nested assertion of Security Binding Assertions.

Limitations

<sp:Layout>

Specifies the layout rules when adding items to the security header. <Layout> Assertion must be used as a nested assertion of Security Binding Assertions.

Limitations

<sp:TransportBinding >

Specifies the message protection and security correlation is provided using the means of the transport. The <TransportBinding> token is used mainly for carrying isolated Username Token in the SOAP message.

Limitations

  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken />
        </wsp:Policy>
      </sp:TransportToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
    </wsp:Policy>
  </sp:TransportBinding>

<sp:AsymmetricBinding>

Specifies the message protection is provided by means defined in WS-Security SOAP Message Security, and the request and response message can use distinct keys for encryption and signature, because of their different lifecycles. The <AsymmetricBinding> Assertion is used mainly for carrying X.509 binary security token in the SOAP request messages for inbound calls.

Limitations

Supported Nesting Assertions

<sp:InitiatorToken>
<sp:RecipientToken>
<sp:AlgorithmSuite>
<sp:Layout>
<sp:IncludeTimestamp>
<sp:ProtectTokens>
<sp:OnlySignEntireHeadersAndBody>

Non-supported Nesting Assertions

<sp:InitiatorSignatureToken>
<sp:InitiatorEncryptToken>
<sp:RecipientSignatureToken>
<sp:RecipientEncryptToken>
<sp:EncryptBeforeSigning>
<sp:EncryptSignature>

<sp:InitiatorToken> must be associated with <sp:X509Token> and the Token inclusion type must be “AlwaysToRecipient“
<sp:RecipientToken> must be associated with <sp:X509Token> and the Token inclusion type must be “Never”

Listing D-3 shows a BEA SALT supported AsymmetricBinding assertion example. This assertion indicates the X.509 V3 binary token that defined in WS-Security X.509 Token Profile 1.1 specification is used for digital signature for the SOAP request messages and the X.509 token is always included in the SOAP message security header:

  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp />
    </wsp:Policy>
  </sp:AsymmetricBinding>

<sp:SupportingToken>

Specifies security tokens that are included in the security header and may optionally include additional message parts to sign and/or encrypt. For BEA SALT, <SupportingToken> Assertion is used mainly to include Username Token in the security header when <sp:AsymmetricBinding> Assertion is used.

Limitations

Supported Nesting Assertions

Not-non Supported Nesting Assertions

<sp:SignedParts>
<sp:SignedElements
<sp:EncryptedParts>
<sp:EncryptedElements>

All supported token assertions must be defined with Token inclusion type “AlwaysToRecipient”.

Listing D-4 shows a BEA SALT supported SupportingToken assertion example. This assertion indicates the Username token is always included in SOAP request messages:

  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>

Reference Guide

BEA SALT WS-SecurityPolicy Assertion 1.2 Reference

Overview

SALT WSSP 1.2 Policy File Example

SALT WSSP 1.2 Policy Templates

SALT WSSP1.2 Assertion Description

<sp:SignedParts>

Limitations

<sp:UsernameToken>

Limitations

<sp:X509Token>

Limitations

<sp:AlgorithmSuite>

Limitations

<sp:Layout>

Limitations

<sp:TransportBinding >

Limitations

<sp:AsymmetricBinding>

Limitations

<sp:SupportingToken>

Limitations