

Oracle SALT WS-SecurityPolicy Assertion 1.0 Reference

The following sections provide SALT WS-SecurityPolicy (WSSP) 1.0 assertion reference information:
Overview
Oracle SALT implements part of the WS-Security 1.0 protocol for inbound services. Authentication with UsernameToken and X509v3Token is supported. WS-SecurityPolicy 1.0 assertions are used in the WSDL definition to describe how the authentication is carried out. The WS-SecurityPolicy 1.0 specification (2002) is supported in order to ensure interoperability with Oracle WebLogic 9.x.
Below are all Oracle SALT supported WS-SecurityPolicy 1.0 assertions:
WebLogic 9.x uses a number of extension assertions; SALT implements only a subset of them. The Integrity assertion is used only when an X509v3 token is used for authentication, and the only message part that can be specified for signature is the whole SOAP Body.
SALT WSSP 1.0 Policy Assertion Format
Figure F‑1 shows a graphical representation of the Oracle SALT supported WS-SecurityPolicy 1.0 Assertion format in a WS-Policy file.
Figure F‑1 SALT Supported WS-SecurityPolicy 1.0 Assertion Format
SALT WSSP 1.0 Assertion File Example
Listing F‑1 demonstrates how to apply Username token authentication with WSSP 1.0 Assertions.
Listing F‑1 WSSP 1.0 Policy File Sample
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/WLS/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
        <wssp:Claims>
          <wssp:UsePassword>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText</wssp:UsePassword>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
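As an added example (not code from the Oracle SALT documentation or the product), the following Python builds the SOAP request a client sends to satisfy the Listing F‑1 policy, a wsse:Security header carrying a UsernameToken with a PasswordText password, and shows the receiving-side check that the token present on the wire is the one the policy allows. The wsse and wsu namespace URIs are the OASIS WSS 1.0 ones that the policy's TokenType and UsePassword URIs refer to; the service namespace urn:example:salt and the TOUPPER operation are invented for illustration.

```python
"""Added example, not from the Oracle SALT documentation: the SOAP request a
client sends to satisfy the Username-token policy of Listing F-1, and the
receiver-side check performed before the call reaches the Tuxedo service.
Assumptions: the service namespace urn:example:salt and the TOUPPER operation
are invented; the wsse/wsu URIs are the OASIS WSS 1.0 namespaces."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"      # the only UsePassword value SALT accepts
PASSWORD_DIGEST = UTP + "#PasswordDigest"  # valid WSS 1.0, but not supported by SALT
SVC_NS = "urn:example:salt"                # hypothetical service namespace

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def build_request(user, password, password_type=PASSWORD_TEXT):
    """Client side: SOAP 1.1 envelope whose wsse:Security header carries a
    UsernameToken, and whose Body calls a hypothetical TOUPPER service."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    tok.set(f"{{{WSU_NS}}}Id", "UsernameToken-1")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = user
    pwd = ET.SubElement(tok, f"{{{WSSE_NS}}}Password")
    pwd.set("Type", password_type)
    pwd.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}TOUPPER")
    ET.SubElement(op, f"{{{SVC_NS}}}inbuf").text = "hello"
    return ET.tostring(env, encoding="unicode")


def check_request(xml_text, policy_password_type=PASSWORD_TEXT):
    """Receiver side: enforce what the Listing F-1 policy promises.
    Returns (username, password) when the token matches the policy,
    otherwise raises ValueError so the invocation fails."""
    env = ET.fromstring(xml_text)
    if env.find(f"{{{SOAP_NS}}}Body") is None:
        raise ValueError("no SOAP Body")
    tokens = env.findall(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if len(tokens) != 1:
        raise ValueError("expected exactly one UsernameToken, found %d" % len(tokens))
    tok = tokens[0]
    user = tok.findtext(f"{{{WSSE_NS}}}Username")
    pwd = tok.find(f"{{{WSSE_NS}}}Password")
    if not user or pwd is None or not pwd.text:
        raise ValueError("UsernameToken missing Username or Password")
    # The Username Token Profile defaults an absent Type attribute to PasswordText.
    ptype = pwd.get("Type", PASSWORD_TEXT)
    if ptype != policy_password_type:
        raise ValueError("password type %s not allowed by policy" % ptype)
    return user, pwd.text


if __name__ == "__main__":
    req = build_request("tuxuser", "s3cret")
    print(req)
    print(check_request(req))
    try:
        check_request(build_request("tuxuser", "base64-digest-here", PASSWORD_DIGEST))
    except ValueError as err:
        print("rejected:", err)
```

Note that with PasswordText the password travels in clear inside the SOAP header, so a SALT service configured with this policy should only be reachable over a protected transport (HTTPS); the policy itself provides no confidentiality.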
 
SALT WSSP 1.0 Policy Templates
Oracle SALT provides a number of WS-SecurityPolicy 1.0 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.
 
These template files can be referenced directly in the WSDF files with location value format:
salt:<template_file_name>
For instance, to configure signing of the SOAP body, specify the following in your WSDF file:
<Policy location="salt:wssp1.0-signbody.xml" />
SALT WSSP 1.0 Assertion Element Description
Oracle SALT implements part of WebLogic 9.x / 10 WS-SecurityPolicy 1.0 assertions. For a complete list of WSSP 1.0 assertions supported by WebLogic, see http://edocs.bea.com/wls/docs100/webserv_ref/sec_assert.html
<CanonicalizationAlgorithm>
Specifies the algorithm used to canonicalize the SOAP message elements that are digitally signed.
 
 
<Claims>
Specifies additional metadata information that is associated with a particular type of security token. Depending on the type of security token, you must specify the following child elements:
For username tokens, you must specify a <UsePassword> child element to specify what form of password is used in username authentication.
This element does not have any attributes.
<DigestAlgorithm>
Specifies the digest algorithm that is used when digitally signing the specified parts of a SOAP message. Use the <MessageParts> sibling element to specify the parts of the SOAP message you want to digitally sign.
 
<Identity>
Specifies the type of security tokens (username or X.509) that are supported for authentication.
This element has no attributes.
<Integrity>
Specifies that part or all of the SOAP message must be digitally signed, as well as the algorithms and keys that are used to sign the SOAP message.
For example, a Web Service may require that the entire body of the SOAP message must be digitally signed and only algorithms using SHA1 and an RSA key are accepted.
 
An attribute of <Integrity> specifies whether the security token, specified using the <SecurityToken> child element of <Integrity>, should also be digitally signed, in addition to the specified parts of the SOAP message.
<MessageParts>
Specifies the parts of the SOAP message that should be signed. SALT supports only one pre-defined message part function, wsp:Body(), that is, the entire SOAP body is digitally signed.
The MessageParts assertion is always a child of a <Target> assertion. The <Target> assertion can be a child of an Integrity assertion (to specify how the SOAP message is digitally signed).
See Usage of MessageParts for more information about how to specify the parts of the SOAP message that should be signed.
 
<SecurityToken>
Specifies the security token that is supported for authentication or digital signatures, depending on the parent element.
If this element is defined in the <Identity> parent element, then it specifies that a client application, when invoking the Web Service, must attach a security token to the SOAP request. For example, a Web Service might require that the client application present a Username token for the Web Service to be able to access the Tuxedo service. If this element is part of <Integrity>, then it specifies the token used for the digital signature.
The specific type of the security token is determined by the value of its TokenType attribute, as well as its parent element.
 
The value of this attribute is always true when used in the <Identity> assertion, even if you explicitly set it to false.
<SignatureAlgorithm>
Specifies the cryptographic algorithm used to compute the digital signature.
 
<SupportedTokens>
Specifies the list of supported security tokens that can be used for authentication, or digital signatures, depending on the parent element.
This element has no attributes.
<Target>
Encapsulates information about which targets of a SOAP message are to be signed. When used in <Integrity>, you can specify the <DigestAlgorithm>, <Transform>, and <MessageParts> child elements.
In general a policy may have one or more targets, but at most one target is needed for SALT, since SALT only supports configuring the entire SOAP body for digital signature.
This element has no attributes.
<Transform>
Specifies the URI of a transformation algorithm that is applied to the parts of the SOAP message that are signed. This element can appear only as a child of a <Target> element within <Integrity>.
You can specify zero or more transforms, which are executed in the order in which they appear in the <Target> parent element.
 
http://www.w3.org/2000/09/xmldsig#base64 (Base64 decoding transforms)
<UsePassword>
Specifies whether the plaintext or the digest of the password appears in the SOAP messages. This element is used only with username tokens. In SALT, it must be specified as plaintext (the ...#PasswordText URI shown in Listing F‑1). Because the password then appears in clear in the SOAP header, the service should be exposed only over a protected transport such as HTTPS.
 
Usage of MessageParts
When you use the <Integrity> assertion in your WS-Policy file, you are required to also use the <Target> child assertion to specify the targets of the SOAP message to digitally sign. The <Target> assertion in turn requires that you use the <MessageParts> child assertion to specify the actual parts of the SOAP message that should be digitally signed. You can use the Dialect attribute of <MessageParts> to specify the dialect used to identify the SOAP message parts. The Oracle SALT Web services security module supports only the following dialect:
http://schemas.xmlsoap.org/2002/12/wsse#part
Be sure that you specify a message part that actually exists in the SOAP messages that result from a client invocation of a message-secured Web Service. If the Web Services security module encounters an inbound SOAP message that does not include a part that the WS-Policy file indicates should be signed or encrypted, then the Web Services security module returns an error and the invocation fails.
Pre-Defined Message Part Selection Function
This section shows SALT supported functions that are used with the "http://schemas.xmlsoap.org/2002/12/wsse#part" dialect for selecting parts of a message:
 
You can only specify the entire SOAP body to be signed. It is recommended that you use the dialect that pre-defines the wsp:Body() function for this purpose.
Listing F‑2 shows a wsp:Body() function example.
Listing F‑2 wsp:Body() Function
<wssp:MessageParts
    Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
      wsp:Body()
</wssp:MessageParts>
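As an added example, not a template shipped with SALT and not code from this documentation, the following Python embeds a constructed X.509 signed-body policy written from the element descriptions in this section (Identity with an X509v3 token, Integrity with one Target whose MessageParts names wsp:Body()), together with a deliberately non-conforming policy, and checks both against the constraints this reference states: supported token types, PasswordText only for username tokens, Integrity only with X509v3 authentication, exactly one Target, the #part dialect, and wsp:Body() as the only signable part. The attribute names URI, IncludeInMessage and SignToken and the rsa-sha1, sha1 and exc-c14n algorithm URIs follow the WebLogic 9.x assertion format and are assumptions about the SALT templates, not values quoted from them.

```python
"""Added example, not from the Oracle SALT documentation: checks a WSSP 1.0
policy file against the subset this reference says SALT supports.
Assumptions: the attribute names URI, IncludeInMessage and SignToken and the
algorithm URIs in SIGNBODY_POLICY follow the WebLogic 9.x assertion format;
they are not quoted from the SALT template files."""
import xml.etree.ElementTree as ET

WSSP = "http://www.bea.com/WLS/security/policy"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
USERNAME = WSS + "username-token-profile-1.0#UsernameToken"
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"
X509V3 = WSS + "x509-token-profile-1.0#X509v3"
PART_DIALECT = "http://schemas.xmlsoap.org/2002/12/wsse#part"
POLICY_HEAD = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"'
               ' xmlns:wssp="%s">' % WSSP)


def q(name):
    """Clark-notation name for a wssp element."""
    return "{%s}%s" % (WSSP, name)


# Constructed: X509v3 authentication plus a signature over the whole SOAP Body.
SIGNBODY_POLICY = POLICY_HEAD + """
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="{x509}"/>
    </wssp:SupportedTokens>
  </wssp:Identity>
  <wssp:Integrity SignToken="true">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="{dialect}">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:SupportedTokens>
      <wssp:SecurityToken IncludeInMessage="true" TokenType="{x509}"/>
    </wssp:SupportedTokens>
  </wssp:Integrity>
</wsp:Policy>""".format(x509=X509V3, dialect=PART_DIALECT)

# Constructed counter-example: digest password, and a signature policy that
# uses a Username token and names a part other than the Body.
BAD_POLICY = POLICY_HEAD + """
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="{user}">
        <wssp:Claims><wssp:UsePassword>{wss}username-token-profile-1.0#PasswordDigest</wssp:UsePassword></wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
  <wssp:Integrity>
    <wssp:Target>
      <wssp:MessageParts Dialect="{dialect}">wsp:Header()</wssp:MessageParts>
    </wssp:Target>
    <wssp:SupportedTokens><wssp:SecurityToken TokenType="{user}"/></wssp:SupportedTokens>
  </wssp:Integrity>
</wsp:Policy>""".format(user=USERNAME, wss=WSS, dialect=PART_DIALECT)


def check_policy(xml_text):
    """Return a list of violations of the SALT WSSP 1.0 subset; empty means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    identity_types = set()
    for ident in root.iter(q("Identity")):
        for tok in ident.iter(q("SecurityToken")):
            ttype = tok.get("TokenType")
            identity_types.add(ttype)
            if ttype not in (USERNAME, X509V3):
                problems.append("Identity: unsupported TokenType %s" % ttype)
            if ttype == USERNAME:
                use = tok.findtext("%s/%s" % (q("Claims"), q("UsePassword")))
                if use != PASSWORD_TEXT:
                    problems.append("Identity: UsernameToken must use PasswordText, got %s" % use)
    integrities = list(root.iter(q("Integrity")))
    if integrities and X509V3 not in identity_types:
        problems.append("Integrity requires X509v3 authentication in Identity")
    for integ in integrities:
        for tok in integ.iter(q("SecurityToken")):
            if tok.get("TokenType") != X509V3:
                problems.append("Integrity: signing token must be X509v3")
        targets = integ.findall(q("Target"))
        if len(targets) != 1:
            problems.append("Integrity: expected exactly one Target, found %d" % len(targets))
        for target in targets:
            parts = target.find(q("MessageParts"))
            if parts is None:
                problems.append("Target without MessageParts")
                continue
            if parts.get("Dialect") != PART_DIALECT:
                problems.append("MessageParts: unsupported Dialect %s" % parts.get("Dialect"))
            part = (parts.text or "").strip()
            if part != "wsp:Body()":
                problems.append("MessageParts: only wsp:Body() can be signed, got %r" % part)
    return problems


if __name__ == "__main__":
    for name, policy in (("signbody", SIGNBODY_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(policy) or "OK")
```

The checker only enforces what this reference states about SALT's subset; it does not validate the policy against the WS-Policy schema or confirm that the signing certificate in an inbound message is trusted, which the SALT runtime does separately. Note also that the signed-body example uses rsa-sha1 and sha1 because those are the algorithms this assertion format and WebLogic 9.x interoperability call for; SHA-1 is weak by current standards, so treat the signature as an interoperability feature rather than a strong integrity guarantee.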
 
 

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.