Table of Contents Previous Next PDF


Oracle SALT WS-SecurityPolicy Assertion 1.2 Reference
Oracle SALT WS-SecurityPolicy Assertion 1.2 Reference
The following sections provide SALT WSSP1.2 reference information:
Overview
Oracle SALT WSSP 1.2 Policy File Example
Oracle SALT WSSP 1.2 Policy Templates
Oracle SALT WSSP1.2 Assertion Description
Overview
Oracle SALT implements part of WS-Security protocol version 1.1 for inbound services. Authentication with UsernameToken and X509v3Token are supported. To describe how the authentication is carried out, WS-SecurityPolicy is used in WSDL definition.
In order to communicate with Oracle WebLogic Release 10 via WS-Security 1.1, SALT implements the counterparts of WS-SecurityPolicy (WSSP) 1.2 supported by WebLogic 10. But the supported WSSP 1.2 assertions are limited as follows:
Protection Assertions
Integrity Assertion
<sp:SignedParts> Assertion (Limited support)
Token Assertions:
<sp:UsernameToken> Assertion (Limited support)
<sp:X509Token> Assertion (Limited support)
Security Binding Assertions:
AsysmmetricBinding Assertion (Limited support)
<sp:TransportBinding > Assertion (Limited support)
Supporting Tokens Assertions:
SupportingTokens Assertion (Limited support)
For more details about limitations of WS-SecurityPolicy 1.2 assertions, please refer to Oracle SALT WSSP1.2 Assertion Description.
For more information about WSSP 1.2 assertions supported by WebLogic 10, please refer to “Using WS-SecurityPolicy 1.2 Policy Files in the Oracle WebLogic Web Services Documentation.
In this document, XML namespace prefix “sp” stands for namespace URI “http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512”.
Oracle SALT WSSP 1.2 Policy File Example
Listing E‑1 demonstrates how to apply Username token authentication with WSSP 1.2 assertions.
Listing E‑1 WSSP 1.2 Policy File Sample
<!-Binding Policy -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken/>
        </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
 
Oracle SALT WSSP 1.2 Policy Templates
Oracle SALT provides a number of WS-SecurityPolicy 1.2 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.
 
Oracle SALT WSSP 1.2 Policy Template Files
Policy File
Description
wssp1.2-UsernameToken-plain-auth.xml
Username token with plain text password is sent in the request for authentication.
wssp1.2-x509v3-auth.xml
X509 V3 binary token (certificate) is sent in the request for authentication. The request is optionally signed with some message parts in the requests.
wssp1.2-signbody.xml
The entire SOAP body is signed.
These template files can be referenced directly in the WSDF files with location value format:
salt:<template_file_name>
For example, if you want to configure signbody, you can specify the followings in your WSDF file:
<Policy location=”salt:wssp1.2-signbody.xml” />
Oracle SALT WSSP1.2 Assertion Description
Below are all Oracle SALT supported WSSP 1.2 assertions and limitations for each one. Customers should obey the limitation when writing their own customized WSSP 1.2 policy files. Oracle SALT does not check any customized WSSP 1.2 policy file against the limitation rules. If something claimed in the customized WSSP 1.2 policy file cannot be supported by Oracle SALT, web service client program may result run time errors.
WS-SecurityPolicy 1.2 assertions not listed below are definitely not supported by Oracle SALT.
<sp:SignedParts>
Specifies the parts of a SOAP message to be digitally signed. Oracle SALT only supports the entire SOAP body to be signed.
Limitations
Child element <sp:Body> is supported for configuring the entire SOAP body to be signed.
Child element <sp:Header> is not yet supported.
No nesting WSSP 1.2 assertion for this assertion.
<sp:UsernameToken>
Specifies username token to be included in the SOAP message. Oracle SALT only supports username token with clear text password defined in WS-Security Username Token Profile 1.0. <UsernameToken> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.
Limitations
Supported Nesting Assertions
<sp:WssUsernameToken10>
Not yet supported Nesting Assertions
<sp:WssUsernameToken11>
<sp:NoPassword>
<sp:HashPassword>
<sp:X509Token>
Specifies a binary security token carrying an X509 token to be included in the SOAP message. <X509Token> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.
Limitations
Supported Nesting Assertions
<sp:WssX509V3Token10>
<sp:WssX509V3Token11>
Non-Supported Nesting Assertions
<sp:WssX509Pkcs7Token10>
<sp:WssX509Pkcs7Token11>
<sp:WssX509PkiPathV1Token10>
<sp:WssX509PkiPathV1Token11>
<sp:WssX509V1Token10>
<sp:WssX509V1Token11>
<sp:AlgorithmSuite>
Specifies the algorithm suite to be used for performing cryptographic operations with security tokens. <AlgorithmSuite> Assertion must be used as a nested assertion of Security Binding Assertions.
Limitations
Supported Nesting Algorithm Suite
<sp:Basic256>
Non-Supported Nesting Algorithm Suites
All the other Algorithm Suite listed in the WS-Security Policy 1.2 specification.
<sp:Layout>
Specifies the layout rules when adding items to the security header. <Layout> Assertion must be used as a nested assertion of Security Binding Assertions.
Limitations
Supported Nesting Layout rules
<sp:Lax>
Non-Supported Nesting Layout rules
<sp:Strict>
<sp:LaxTimestampFirst>
<sp:LaxTimestampLast>
<sp:TransportBinding >
Specifies the message protection and security correlation is provided using the means of the transport. The <TransportBinding> token is used mainly for carrying isolated Username Token in the SOAP message.
Limitations
Supported Nesting Assertions
<sp:TransportToken>
<sp:AlgorithmSuite>
<sp:Layout>
<sp:IncludeTimestamp>
Nesting Assertion <sp:TransportToken> only supports <sp:HttpToken>
Listing E‑2 shows an Oracle SALT supported TransportToken Assertion example.
Listing E‑2 Supported TransportToken Assertions
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken />
        </wsp:Policy>
      </sp:TransportToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
    </wsp:Policy>
  </sp:TransportBinding>
 
<sp:AsymmetricBinding>
Specifies the message protection is provided by means defined in WS-Security SOAP Message Security, and the request and response message can use distinct keys for encryption and signature, because of their different lifecycles. The <AsymmetricBinding> Assertion is used mainly for carrying X.509 binary security token in the SOAP request messages for inbound calls.
Limitations
Supported Nesting Assertions
<sp:InitiatorToken>
<sp:RecipientToken>
<sp:AlgorithmSuite>
<sp:Layout>
<sp:IncludeTimestamp>
<sp:ProtectTokens>
<sp:OnlySignEntireHeadersAndBody>
Non-supported Nesting Assertions
<sp:InitiatorSignatureToken>
<sp:InitiatorEncryptToken>
<sp:RecipientSignatureToken>
<sp:RecipientEncryptToken>
<sp:EncryptBeforeSigning>
<sp:EncryptSignature>
<sp:InitiatorToken> must be associated with <sp:X509Token> and the Token inclusion type must be “AlwaysToRecipient“
<sp:RecipientToken> must be associated with <sp:X509Token> and the Token inclusion type must be “Never”
Listing E‑3 shows an Oracle SALT supported AsymmetricBinding assertion example. This assertion indicates the X.509 V3 binary token that defined in WS-Security X.509 Token Profile 1.1 specification is used for digital signature for the SOAP request messages and the X.509 token is always included in the SOAP message security header:
Listing E‑3 Supported AsymmetricBinding Assertion
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp />
    </wsp:Policy>
  </sp:AsymmetricBinding>
 
<sp:SupportingToken>
Specifies security tokens that are included in the security header and may optionally include additional message parts to sign and/or encrypt. For Oracle SALT, <SupportingToken> Assertion is used mainly to include Username Token in the security header when <sp:AsymmetricBinding> Assertion is used.
Limitations
Supported Nesting Assertions
<sp:UsernameToken>
<sp:X509Token>
Not-non Supported Nesting Assertions
<sp:SignedParts>
<sp:SignedElements
<sp:EncryptedParts>
<sp:EncryptedElements>
All supported token assertions must be defined with Token inclusion type “AlwaysToRecipient”.
Listing E‑4 shows an Oracle SALT supported SupportingToken assertion example. This assertion indicates the Username token is always included in SOAP request messages:
Listing E‑4 Supported SupportingToken Assertion
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
 
 

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.