![]() ![]() ![]() ![]() ![]() ![]() |
Previous releases of WebLogic Server, released before the formulation of the OASIS WS-SecurityPolicy specification, used security policy files written under the WS-Policy specification, using a proprietary BEA schema for Web Services security policy. This release of WebLogic Server supports both security policy files that conform to the WS-SecurityPolicy 1.2 specification and the BEA Web Services security policy files first included in WebLogic Server 9. The following sections provide reference information about the security assertions you can configure in a Web Services security policy file using the proprietary BEA schema:
WARNING: | This section applies only to JAX-RPC 1.1-based Web Services using policies written under the BEA Web Services security policy schema, and not to JAX-WS 2.0 Web Services or to policies written under the OASIS WS-SecurityPolicy 1.2 specification. |
You can use policy files to configure the message-level security of a WebLogic Web Service. Use the @Policy
and @Policies
JWS annotations in the JWS file that implements the Web Service to specify the name of the security policy file that is associated with a WebLogic Web Service.
A security policy file is an XML file that conforms to the
WS-Policy specification. The root element of a WS-Policy file is always <wsp:Policy>
. To configure message-level security, you add policy assertions that specify the type of tokens supported for authentication and how the SOAP messages should be encrypted and digitally signed.
Note: | These security policy assertions are based on the assertions described in the December 18, 2002 version of the Web Services Security Policy Language (WS-SecurityPolicy) specification. This means that although the exact syntax and usage of the assertions in WebLogic Server are different, they are similar in meaning to those described in the specification. The assertions are not based on the latest update of the specification (13 July 2005.) |
WebLogic Server includes five security policy files that use the BEA Web Services security policy schema (Auth.xml
, Sign.xml
, Encrypt.xml
, Wssc-dk.xml
, and Wssc-sct.xml
). These packaged policy files contain typical security assertions that you can use if you do not want to create your own security policy file. For details about these files, see
BEA Web Services Security Policy Files.
Policy files using the BEA Web Services security policy schema have the following namespace
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
>
This release of WebLogic Server also includes a large number of packaged policy files that conform to the OASIS WS-SecurityPolicy 1.2 specification. WS-SecurityPolicy 1.2 policy files and BEA proprietary Web Services security policy schema files are not mutually compatible; you cannot use both types of policy file in the same Web Services security configuration. For information about using WS-SecurityPolicy 1.2 security policy files, see Using WS-SecurityPolicy Policy Files.
See Configuring Message-Level Security (Digital Signatures and Encryption) for task-oriented information about creating a message-level secured WebLogic Web Service.
The following graphic describes the element hierarchy of the security assertions in a BEA security policy file.
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
>
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
<wssp:Confidentiality>
<wssp:KeyWrappingAlgorithm
URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<wssp:Target>
<wssp:EncryptionAlgorithm
URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<wssp:MessageParts
Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
wls:SecurityHeader(Assertion)
</wssp:MessageParts>
</wssp:Target>
<wssp:Target>
<wssp:EncryptionAlgorithm
URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<wssp:MessageParts
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
wsp:Body()</wssp:MessageParts>
</wssp:Target>
<wssp:KeyInfo />
</wssp:Confidentiality>
</wsp:Policy>
Specifies the algorithm used to canonicalize the SOAP message elements that are digitally signed.
Note: | The WebLogic Web Services security runtime does not support specifying an InclusiveNamespaces PrefixList that contains a list of namespace prefixes or a token indicating the presence of the default namespace to the canonicalization algorithm. |
Specifies additional metadata information that is associated with a particular type of security token. Depending on the type of security token, you can or must specify the following child elements:
<
UsePassword
>
child element to specify whether you want the SOAP messages to use password digests.<
ConfirmationMethod
>
child element to specify the type of SAML confirmation (sender-vouches
or holder-of-key)
.
By default, a security token for a secure conversation has a lifetime of 12 hours. To change this default value, define a <
TokenLifeTime
>
child element to specify a new lifetime, in milliseconds, of the security token.
This element does not have any attributes.
Specifies that part or all of the SOAP message must be encrypted, as well as the algorithms and keys that are used to encrypt the SOAP message.
For example, a Web Service may require that the entire body of the SOAP message must be encrypted using triple-DES.
Specifies the type of confirmation method that is used when using SAML tokens for identity. You must specify one of the following two values for this element: sender-vouches
or holder-of-key
. For example:
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
This element does not have any attributes.
The <ConfirmationMethod>
element is required only if you are using SAML tokens.
The exact location of the <ConfirmationMethod>
assertion in the security policy file depends on the type configuration method you are configuring. In particular:
Specify the <ConfirmationMethod>
assertion within an <Identity>
assertion, as shown in the following example:
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
>
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID
">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
Specify the <ConfirmationMethod>
assertion within an <Integrity>
assertion. The reason you put the SAML token in the <Integrity>
assertion for this confirmation method is that the Web Service runtime must prove the integrity of the message, which is not required by sender-vouches
.
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
<wssp:Integrity>
<wssp:SignatureAlgorithm
URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<wssp:CanonicalizationAlgorithm
URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<wssp:Target>
<wssp:DigestAlgorithm
URI="http://www.w3.org/2000/09/xmldsig#sha1" />
<wssp:MessageParts
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
wsp:Body()
</wssp:MessageParts>
</wssp:Target>
<wssp:SupportedTokens>
<wssp:SecurityToken
IncludeInMessage="true"
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID
">
<wssp:Claims>
<wssp:ConfirmationMethod>holder-of-key</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Integrity>
</wsp:Policy>
For more information about the two SAML confirmation methods (sender-vouches
or holder-of-key
), see
SAML Token Profile Support in WebLogic Web Services.
Specifies the digest algorithm that is used when digitally signing the specified parts of a SOAP message. Use the <MessageParts> sibling element to specify the parts of the SOAP message you want to digitally sign.
Specifies the encryption algorithm that is used when encrypting the specified parts of a SOAP message. Use the <MessageParts> sibling element to specify the parts of the SOAP message you want to digitally sign.
http://www.w3.org/2001/04/xmlenc#tripledes-cbc
When interoperating between Web Services built with
WebLogic Workshop 8.1, you must specify
http://www.w3.org/2001/04/xmlenc#aes128-cbc as the encryption algorithm.
|
Specifies the type of security tokens (username, X.509, or SAML) that are supported for authentication.
This element has no attributes.
Specifies that part or all of the SOAP message must be digitally signed, as well as the algorithms and keys that are used to sign the SOAP message.
For example, a Web Service may require that the entire body of the SOAP message must be digitally signed and only algorithms using SHA1 and an RSA key are accepted.
Used to specify the security tokens that are used for encryption.
This element has no attributes.
Specifies the algorithm used to encrypt the message encryption key.
The algorithm used to encrypt the SOAP message encryption key. |
Specifies a label for the security context token. Used when configuring WS-SecureConversation security contexts.
This element has no attributes.
Specifies the length of the key when using security context tokens and derived key tokens. This assertion only applies to WS-SecureConversation security contexts.
This element has no attributes.
Specifies the acceptable time period before SOAP messages are declared stale and discarded.
When you include this security assertion in your security policy file, the Web Services runtime adds a <Timestamp>
header to the request or response SOAP message, depending on the direction (inbound, outbound, or both) to which the security policy file is associated. The <Timestamp>
header indicates to the recipient of the SOAP message when the message expires.
For example, assume that your security policy file includes the following <MessageAge>
assertion:
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>
...
<wssp:MessageAge Age="300" />
</wsp:Policy>
The resulting generated SOAP message will have a <Timestamp>
header similar to the following excerpt:
<wsu:Timestamp
wsu:Id="Dy2PFsX3ZQacqNKEANpXbNMnMhm2BmGOA2WDc2E0JpiaaTmbYNwT"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2005-11-09T17:46:55Z</wsu:Created>
<wsu:Expires>2005-11-09T17:51:55Z</wsu:Expires>
</wsu:Timestamp>
In the example, the recipient of the SOAP message discards the message if received after 2005-11-09T17:51:55Z
, or five minutes after the message was created.
The Web Services runtime, when generating the SOAP message, sets the <Created>
header to the time when the SOAP message was created and the <Expires>
header to the creation time plus the value of the Age
attribute of the <MessageAge>
assertion.
The following table describes the attributes of the <MessageAge>
assertion.
The following table lists the properties that describe the timestamp behavior of the WebLogic Web Services security runtime, along with their default values.
You typically never need to change the values of the preceding timestamp properties. However, if you do need to, you must use the Administration Console to create the default_wss
Web Service Security Configuration, if it does not already exist, and then update its timestamp configuration by clicking on the Timestamp tab. See
Create a Web Service security configuration for task information and
Domains: Web Services Security: Timestamp for additional reference information about these timestamp properties.
Specifies the parts of the SOAP message that should be signed or encrypted, depending on the grand-parent of the element. You can use either an XPath 1.0 expression or a set of pre-defined functions within this assertion to specify the parts of the SOAP message.
The MessageParts
assertion is always a child of a Target
assertion. The Target
assertion can be a child of either an Integrity
assertion (to specify how the SOAP message is digitally signed) or a Confidentiality
assertion (to specify how the SOAP messages are encrypted.)
See Using MessageParts To Specify Parts of the SOAP Messages that Must Be Encrypted or Signed for detailed information about using this assertion, along with a variety of examples.
Identifies the dialect used to identity the parts of the SOAP message that should be signed or encrypted. If this attribute is not specified, then XPath 1.0 is assumed.
See Using MessageParts To Specify Parts of the SOAP Messages that Must Be Encrypted or Signed for examples of using these dialects.
|
Specifies the security token that is supported for authentication, encryption or digital signatures, depending on the parent element.
For example, if this element is defined in the <Identity>
parent element, then is specifies that a client application, when invoking the Web Service, must attach a security token to the SOAP request. For example, a Web Service might require that the client application present a SAML authorization token issued by a trusted authorization authority for the Web Service to be able to access sensitive data. If this element is part of <Confidentiality>
, then it specifies the token used for encryption.
The specific type of the security token is determined by the value of its TokenType
attribute, as well as its parent element.
By default, a security token for a secure conversation has a lifetime of 12 hours. To change this default value, add a <Claims>
child element that itself has a <TokenLifeTime>
child element, as described in Claims.
|
You should never include this security assertion in your custom security policy file; it is described in this section for informational purposes only. The WebLogic Web Services runtime automatically inserts this security assertion in the security policy file that is published in the dynamic WSDL of the deployed Web Service. The security assertion specifies WebLogic Server’s public key; the client application that invokes the Web Service then uses it to encrypt the parts of the SOAP message specified by the security policy file. The Web Services runtime then uses the server’s private key to decrypt the message.
Specifies the cryptographic algorithm used to compute the digital signature.
|
Specifies the list of supported security tokens that can be used for authentication, encryption, or digital signatures, depending on the parent element.
This element has no attributes.
Encapsulates information about which targets of a SOAP message are to be encrypted or signed, depending on the parent element.
The child elements also depend on the parent element; for example, when used in <Integrity>
, you can specify the <DigestAlgorithm>
, <Transform>
, and <MessageParts>
child elements. When used in <Confidentiality>
, you can specify the <EncryptionAlgorithm>
, <Transform>
, and <MessageParts>
child elements.
You can have one or more targets.
Specifies the lifetime, in seconds, of the security context token or derived key token. This element is used only when configuring WS-SecurityConversation security contexts.
The default lifetime of a security token is 12 hours (43,200 seconds).
This element has no attributes.
Specifies the URI of a transformation algorithm that is applied to the parts of the SOAP message that are signed or encrypted, depending on the parent element.
You can specify zero or more transforms, which are executed in the order they appear in the <Target>
parent element.
For detailed information about these transform algorithms, see XML-Signature Syntax and Processing. |
Specifies that whether the plaintext or the digest of the password appear in the SOAP messages. This element is used only with username tokens.
|
When you use either the Integrity
or Confidentiality
assertion in your security policy file, you are required to also use the Target
child assertion to specify the targets of the SOAP message to digitally sign or encrypt. The Target
assertion in turn requires that you use the MessageParts
child assertion to specify the actual parts of the SOAP message that should be digitally signed or encrypted. This section describes various ways to use the MessageParts
assertion.
See Example of a Policy File With Security Elements for an example of a complete security policy file that uses the MessageParts
assertion within a Confidentiality
assertion. The example shows how to specify that the entire body, as well as the Assertion
security header, of the SOAP messages should be encrypted.
You use the Dialect
attribute of MessageParts
to specify the dialect used to identify the SOAP message parts. The WebLogic Web Services security runtime supports the following three dialects:
Be sure that you specify a message part that actually exists in the SOAP messages that result from a client invoke of a message-secured Web Service. If the Web Services security runtime encounters an inbound SOAP message that does not include a part that the security policy file indicates should be signed or encrypted, then the Web Services security runtime returns an error and the invoke fails. The only exception is if you use the WebLogic-specific wls:SystemHeader()
function to specify that any WebLogic-specific SOAP header in a SOAP message should be signed or encrypted; if the Web Services security runtime does not find any of these headers in the SOAP message, the runtime simply continues with the invoke and does not return an error.
This dialect enables you to use an XPath 1.0 expression to specify the part of the SOAP message that should be signed or encrypted. The value of the Dialect
attribute to enable this dialect is http://www.w3.org/TR/1999/REC-xpath-19991116
.
You typically want to specify that the parts of a SOAP message that should be encrypted or digitally signed are child elements of either the soap:Body
or soap:Header
elements. For this reason, BEA provides the following two functions that take as parameters an XPath expression:
You can also use a plain XPath expression as the content of the MessageParts
assertion, without one of the preceding functions. In this case, the root element from which the XPath expression starts searching is soap:Envelope
.
The following example specifies that the AddInt
part, with namespace prefix n1
and located in the SOAP message body, should be signed or encrypted, depending on whether the parent Target
parent is a child of Integrity
or Confidentiality
assertion:
<wssp:MessageParts
Dialect="http://www.w3.org/TR/1999/REC-xpath-19991116"
xmlns:n1="http://www.bea.com/foo">
wsp:GetBody(./n1:AddInt)
</wssp:MessageParts>
The preceding example shows that you should define the namespace of a part specified in the XPath expression (n1
in the example) as an attribute to the MessageParts
assertion, if you have not already defined the namespace elsewhere in the security policy file.
The following example is similar, except that the part that will be signed or encrypted is wsu:Timestamp
, which is a child element of wsee:Security
and is located in the SOAP message header:
<wssp:MessageParts
Dialect="http://www.w3.org/TR/1999/REC-xpath-19991116">
wsp:GetHeader(./wsse:Security/wsu:Timestamp)
</wssp:MessageParts>
In the preceding example, it is assumed that the wsee:
and wse:
namespaces have been defined elsewhere in the security policy file.
Note: | It is beyond the scope of this document to describe how to create XPath expressions. For detailed information, see the XML Path Language (XPath), Version 1.0, specification. |
The XPath dialect described in XPath 1.0 is flexible enough for you to pinpoint any part of the SOAP message that should be encrypted or signed. However, sometimes you might just want to specify that the entire SOAP message body be signed or encrypted. In this case using an XPath expression is unduly complicated, so BEA recommends you use the dialect that pre-defines the wsp:Body()
function for just this purpose, as shown in the following example:
<wssp:MessageParts
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
wsp:Body()
</wssp:MessageParts>
BEA provides its own dialect that pre-defines a set of functions to easily specify that some or all of the WebLogic security or system headers should be signed or encrypted. Although you can achieve the same goal using the XPath dialect, it is much simpler to use this WebLogic dialect. You enable this dialect by setting the Dialect
attribute to http://www.bea.com/wls90/security/policy/wsee#part
.
The wls:SystemHeaders()
function specifies that all of the WebLogic-specific headers should be signed or encrypted. These headers are used internally by the WebLogic Web Services runtime for various features, such as reliable messaging and addressing. The headers are:
The following example shows how to use the wls:SystemHeader()
function:
<wssp:MessageParts
Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
wls:SystemHeaders()
</wssp:MessageParts>
Use the wls:SecurityHeader(
header
)
function to specify a particular part in the security header that should be signed or encrypted, as shown in the following example:
<wssp:MessageParts
Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
wls:SecurityHeader(wsa:From)
</wssp:MessageParts>
In the example, only the wsa:From
security header is signed or encrypted. You can specify any of the preceding list of headers to the wls:SecurityHeader()
function.
![]() ![]() ![]() |