This appendix provides the XML schema for reference when creating a WS-Policy file that contains Web service assertions. Sections include:
The following graphic describes the element hierarchy of the assertions in the WS-Policy file.
Figure D-1 Element Hierarchy of Custom Assertion
The following sections describe each element and their subelements in detail:
The following sections describe the elements in the assertion in more detail. The main elements are described up front. The subelements are described following the main elements and are organized in alphabetical order.
Groups nested policy assertions.
The following table summarizes the WS-Policy attributes, including the Oracle extensions.
Table D-1 Oracle Extensions to WS-Policy Attributes
| Attribute | Description |
|---|---|
| Name | Name of the policy. |
| attachTo | Policy subjects to which the policy can be attached. Valid values include: binding.client, binding.server, binding.any. |
| category | Category of the policy. Valid values include: security, mtom, wsrm, addressing, and management. |
| description | Description of the policy. |
| displayName | Name displayed in the user interface. |
| localOptimization | Flag that specifies whether local optimization is enabled. Oracle WSM supports a SOA local optimization feature for composite-to-composite invocations in which the reference of one composite specifies a Web service binding to a second composite. Valid values include: |
| status | Status of the policy reference. Valid values include: enabled and disabled. |
| smartDigest | Smart Digest. |
| oraSmartDigest | Smart Digest. |
| subjectCount | Number of subjects to which the policy is currently attached. |
| versionCreator | Author of the current version. |
| versionNumber | Number of the current version. |
| versionTime | Time the current version was created. |
| id | Policy ID. |
```xml
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    Name="oracle/wss11_x509_token_with_message_protection_client_policy"
    orawsp:attachTo="binding.client"
    orawsp:category="security"
    orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescription Bundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDescKey"
    orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescription Bundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDispNameKey"
    orawsp:local-optimization="check-identity"
    orawsp:oraSmartDigest="935231872"
    orawsp:smartDigest="201244603"
    orawsp:status="enabled"
    orawsp:versionCreator="mdsInternal"
    orawsp:versionNumber="1"
    orawsp:versionTime="1238006529607"
    wsu:Id="wss11_x509_token_with_message_protection_client_policy">
  ...
</wsp:Policy>
```
Optional element that defines an OR group. For more information about OR groups, see "Defining Multiple Policy Alternatives (OR Groups)".
```xml
<wsp:ExactlyOne orawsp:name="Or">
  <orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/msg-protection, security/authentication"
      orawsp:name="WS-Security 1.1 Saml with certificates">
    <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:version="1.1"/>
    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
    <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="true"
        orasp:encrypt-signature="false" orasp:include-timestamp="true"
        orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    ...
  <orasp:wss11-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/authentication, security/msg-protection"
      orawsp:name="WS-Security 1.1 username with certificates">
    <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
        orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:sign-key-ref-mech="thumbprint"/>
    <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="true"
        orasp:encrypt-signature="false" orasp:include-timestamp="true"
        orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    ...
</wsp:ExactlyOne>
```
Main element of the assertion. Valid assertion elements include:
The following table summarizes the attributes of the <orasp:Assertion> element.
Table D-3 Attributes of <orasp:Assertion> Element
| Attribute | Description |
|---|---|
| Optional | Flag that specifies whether the assertion is optional or required. |
| Silent | Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised. |
| Enforced | Flag that specifies whether the assertion is currently enabled. Valid values are true or false. |
| name | Name of the assertion. |
| description | Description of the assertion. |
| category | Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging, mtom, wsrm, addressing, and management. |
The <orawsp:bindings> element defines the bindings in the assertion. This element contains the following subelement:
```xml
<orawsp:bindings>
  <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
    <orawsp:PropertySet orawsp:name="standard-security-properties">
      <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
        <orawsp:Value>ultimateReceiver</orawsp:Value>
      </orawsp:Property>
    </orawsp:PropertySet>
  </orawsp:Config>
</orawsp:bindings>
```
The <orawsp:Config> element defines the configuration for the assertion. This element can contain the following subelement:
The following table summarizes the attributes of the <orawsp:Config> element.
Table D-4 Attributes of <orawsp:Config> Element
| Attribute | Description |
|---|---|
| name | Name of the configuration. |
| type | Category to which the configuration applies. |
| configType | Configuration type. Valid values include: declarative and programmatic. |
```xml
<orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
  <orawsp:PropertySet orawsp:name="standard-security-properties">
    <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
      <orawsp:Value>ultimateReceiver</orawsp:Value>
    </orawsp:Property>
  </orawsp:PropertySet>
</orawsp:Config>
```
The <orawsp:PropertySet> element groups nested properties. This element contains the following subelement:
The <orawsp:Property> element defines a single property. The following sections summarize the valid properties used by the predefined assertions.
The <orawsp:Property> element can contain the following subelements:
The following table summarizes the attributes of the <orawsp:Property> element.
Table D-6 Attributes of <orawsp:Property> Element
| Attribute | Description |
|---|---|
| name | Name of the property. See Table D-7 for a list of property values used by the predefined assertions. |
| type | Type of the property. For example, string. |
| contentType | Specifies whether the property is required and can be overridden. Valid values include: For information about overriding policies, see "Attaching Client Policies Permitting Overrides". |
The following table summarizes the properties used by the predefined assertions.
Table D-7 Properties Used by the Predefined Assertions
| Property | Description |
|---|---|
| action | Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, |
| BaseRetransmissionInterval | Interval, in milliseconds, that the source endpoint waits after transmitting a message and before it retransmits the message. If the source endpoint does not receive an acknowledgement for a given message within the interval specified by this element, the source endpoint retransmits the message. The source endpoint can modify this retransmission interval at any point during the lifetime of the sequence of messages. This assertion does not alter the formulation of messages as transmitted, only the timing of their transmission. This value defaults to 3000. |
| DeliveryAssurance | Delivery assurance. Valid values include: |
| jdbc-connection-name | JNDI reference to a JDBC data store. Valid when the StoreType is set to JDBC. This value defaults to jdbc/MessagesStore. |
| InactivityTimeout | Period of inactivity (in milliseconds) for a sequence of messages. A sequence of messages is defined as a set of messages, identified by a unique sequence number, for which a particular delivery assurance applies; typically a sequence originates from a single source endpoint. If, during the duration specified by this element, a destination endpoint has received no messages from the source endpoint, the destination endpoint may consider the sequence to have been terminated due to inactivity. The same applies to the source endpoint. This value defaults to 600000. |
| keystore.recipient.alias | Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Can be superseded by "Using Service Identity Certification Extension". |
| permission-class | Class used for the permission-based checking. For example, |
| realm | HTTP realm. This value defaults to owsm. |
| resource | Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is |
| role | SOAP role. This value defaults to ultimateReceiver. |
| saml.assertion.filename | File containing SAML assertions. This value defaults to temp. |
| saml.issuer.name | Name of the issuer of the SAML token. This value defaults to www.oracle.com. |
| StoreName | Name of the message store. This value defaults to oracle. |
| StoreType | Type of message store. Valid values include: |
| user.roles.include | SOAP roles to be included. This value defaults to false. |
The <orasp:Logging> element defines the logging policy.
The <orasp:Logging> element contains the following subelements:
```xml
<oralgp:Logging orawsp:Enforced="false" orawsp:Silent="true"
    orawsp:category="security/logging" orawsp:name="Log Message1">
  <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
  </oralgp:msg-log>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</oralgp:Logging>
```
The <orasp:binding-authorization> element defines a simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.
The <orasp:binding-authorization> element contains the following subelement:
It also contains one of the following subelements:
```xml
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>
```
The <orasp:binding-permission-authorization> element defines simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.
The <orasp:binding-permission-authorization> element contains the following subelements:
```xml
<orasp:binding-permission-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="BindingPermissionAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:binding-permission-authorization>
```
The <orasp:coreid-security> element uses the credentials in the WS-Security header's binary security token to authenticate users against the Oracle Access Manager identity store.
It contains the following subelements:
```xml
<orasp:coreid-security orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authentication, security/authorization" orawsp:name="OAM Security">
  <orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="CoreIdConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:coreid-security>
```
The <orasp:http-security> element uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store.
It contains the following subelements:
```xml
<orasp:http-security orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http over SSL Security">
  <orasp:auth-header orasp:mechanism="basic"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="realm" orawsp:type="string">
          <orawsp:Value>owsm</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-security>
```
The <orasp:kerberos-security> element enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
It contains the following subelements:
```xml
<orasp:kerberos-security orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication" orawsp:name="WSS Kerberos Token">
  <orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" orasp:type="gss-apreq-v5"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="KerberosSecurityConfig"/>
  </orawsp:bindings>
</orasp:kerberos-security>
```
The <orasp:sca-component-authorization> element defines simple role-based authorization for the request based on the authenticated subject at the SOA component level.
The <orasp:sca-component-authorization> element contains the following subelement:
It also contains one of the following subelements:
```xml
<orasp:sca-component-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="Fabric Component Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="FabricAuthzConfig"/>
  </orawsp:bindings>
</orasp:sca-component-authorization>
```
The <orasp:sca-component-permission-authorization> element provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.
The <orasp:sca-component-permission-authorization> element contains the following subelements:
```xml
<orasp:sca-component-permission-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="Fabric Component Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="FabricAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:sca-component-permission-authorization>
```
The <orasp:wss10-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
```xml
<orasp:wss10-anonymous-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/msg-protection" orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-anonymous-with-certificates>
```
The <orasp:wss10-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
```xml
<orasp:wss10-mutual-auth-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-mutual-auth-with-certificates>
```
The <orasp:wss10-saml-hok-with-certificates> element provides message protection (integrity and confidentiality) and SAML holder-of-key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
```xml
<orasp:wss10-saml-hok-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 SAML Holder Of Key with certificates">
  <orasp:saml-token orasp:confirmation-type="holder-of-key" orasp:is-encrypted="false"
      orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="ski"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10SamlHOKWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.assertion.filename" orawsp:type="string">
          <orawsp:Value>temp</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-hok-with-certificates>
```
The <orasp:wss10-saml-token> element authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
It contains the following subelements:
```xml
<orasp:wss10-saml-token orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication" orawsp:name="WSSecurity SAML Token">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false"
      orasp:is-signed="false" orasp:version="1.1"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-token>
```
The <orasp:wss10-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
```xml
<orasp:wss10-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false"
      orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-with-certificates>
```
The <orasp:wss10-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
```xml
<orasp:wss10-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
      orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-username-with-certificates>
```
The <orasp:wss11-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements:
```xml
<orasp:wss11-anonymous-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/msg-protection" orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-anonymous-with-certificates>
```
The <orasp:wss11-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements:
```xml
<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
      orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="false"
      orasp:encrypt-signature="false" orasp:include-timestamp="true"
      orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-mutual-auth-with-certificates>
```
The <orasp:wss11-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements:
```xml
<orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.1 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false"
      orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-saml-with-certificates>
```
The <orasp:wss11-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements:
```xml
<orasp:wss11-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.1 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
      orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-username-with-certificates>
```
The <orasp:wss-saml-token-bearer-over-ssl> element authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
It contains the following subelements:
<orasp:wss-saml-token-bearer-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity Saml Token With Confirmation method Bearer Over SSL ">
  <orasp:saml-token orasp:confirmation-type="bearer" orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenBearerOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-bearer-over-ssl>
The <orasp:wss-saml-token-over-ssl> element enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
It contains the following subelements:
<orasp:wss-saml-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity SAML Token Over SSL">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="true"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-over-ssl>
The <orasp:wss-username-token> element enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header.
It contains the following subelements:
<orasp:wss-username-token orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="WSSecurity UserName Token">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssUsernameTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token>
The <orasp:wss-username-token-over-ssl> element uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store.
It contains the following subelements:
<orasp:wss-username-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity UserName Token Over SSL">
  <orasp:username-token orasp:add-created="true" orasp:add-nonce="true" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssUsernameTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token-over-ssl>
The <rm:RMAssertion> element provides support for version 1.0 and version 1.1 of the Web Services Reliable Messaging protocol. The version supported depends on the XML schema namespace value used:
WS-ReliableMessaging 1.1: http://docs.oasis-open.org/ws-rx/wsrmp/200702
WS-ReliableMessaging 1.0: http://schemas.xmlsoap.org/ws/2005/02/rm/policy
This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming.
The <rm:RMAssertion> element contains the following subelement:
<rm:RMAssertion xmlns:rm="http://schemas.xmlsoap.org/ws/2005/02/rm/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="wsrm" orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wsrm10_policy_RMAssertion_AssertionDescKey" orawsp:name="RM 1.0">
  <wsp:Policy/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="RMConfig">
      <orawsp:PropertySet orawsp:name="standard-wsrm-properties">
        <orawsp:Property orawsp:name="DeliveryAssurance" orawsp:type="string">
          <orawsp:Description>Delivery Assurance. Possible values (case-insensitive) are InOrder, AtLeastOnce, AtLeastOnceInOrder, ExactlyOnce, ExactlyOnceInOrder, AtMostOnce, AtMostOnceInOrder.</orawsp:Description>
          <orawsp:Value>inorder</orawsp:Value>
          <orawsp:DefaultValue>inorder</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreType" orawsp:type="string">
          <orawsp:Description>The type of message store used. Possible values (case-insensitive) are InMemory, JDBC.</orawsp:Description>
          <orawsp:Value>inmemory</orawsp:Value>
          <orawsp:DefaultValue>inmemory</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreName" orawsp:type="string">
          <orawsp:Description>The name of the message store.</orawsp:Description>
          <orawsp:Value>oracle</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="jdbc-connection-name" orawsp:type="string">
          <orawsp:Description>The JNDI reference to a JDBC data source, when the store type is JDBC.</orawsp:Description>
          <orawsp:Value>jdbc/MessagesStore</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="InactivityTimeout" orawsp:type="int">
          <orawsp:Description>The inactivity timeout duration, specified in milliseconds.</orawsp:Description>
          <orawsp:Value>600000</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="BaseRetransmissionInterval" orawsp:type="int">
          <orawsp:Description>The base retransmission interval, specified in milliseconds.</orawsp:Description>
          <orawsp:Value>3000</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</rm:RMAssertion>
The <wsaw:UsingAddressing> element causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.
The <wsaw:UsingAddressing> element contains the following subelement:
The <wsoma:OptimizedMimeSerialization> element rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM refers to the specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for the SOAP 1.2 and SOAP 1.1 bindings, respectively.
The <wsoma:OptimizedMimeSerialization> element contains the following subelement:
<wsoma:OptimizedMimeSerialization xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="mtom" orawsp:name="MTOM">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsoma:OptimizedMimeSerialization>
The <oralgp:fault> element configures logging for the fault message. Valid values include:
all—Log the entire SOAP message.
header—Log SOAP header information only.
soap_body—Log SOAP body information only.
soap_envelope—Log SOAP envelope information only.
The <oralgp:request> element configures logging for the request message. Valid values include:
all—Log the entire SOAP message.
header—Log SOAP header information only.
soap_body—Log SOAP body information only.
soap_envelope—Log SOAP envelope information only.
The <oralgp:response> element configures logging for the response message. Valid values include:
all—Log the entire SOAP message.
header—Log SOAP header information only.
soap_body—Log SOAP body information only.
soap_envelope—Log SOAP envelope information only.
The <oralgp:msg-log> element configures logging for the request, response, and fault messages. The <oralgp:msg-log> element contains the following subelements:
The <orasp:attachment> element defines the attachment information.
The <orasp:auth-header> element specifies the name of the authentication header.
The following table summarizes the attribute of the <orasp:auth-header> element.
Table D-9 Attributes of <orasp:auth-header> Element
Attribute | Description |
---|---|
mechanism | Authentication mechanism. Valid values include: |
The <orasp:body> element defines the message body elements that are signed and encrypted. To include the entire body, specify the body element as follows: <orasp:body/>.
The <orasp:check-permission> element specifies that permissions are to be checked.
The <orasp:coreid-token> element defines the OAM token.
The <orasp:denyAll> element denies all users with any roles.
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>
The <orasp:element> element defines a header or body element that is signed or encrypted.
The <orasp:encrypted-elements> element defines the message body elements that are signed. This element is valid if <orasp:encrypted-parts> is not set to <orasp:body/>.
The <orasp:encrypted-elements> element contains the following subelement:
The <orasp:encrypted-parts> element defines the message parts that are encrypted.
The <orasp:encrypted-parts> element contains one or more of the following subelements:
The <orasp:fault> element defines the message body elements that are signed and encrypted in the fault message. The <orasp:fault> element contains the following subelements:
The <orasp:header> element defines a header element.
The following table summarizes the attributes of the <orasp:header> element.
Table D-12 Attributes of <orasp:header> Element
Attribute | Description |
---|---|
name | Name of the header element. The default header elements in the predefined namespace include: To, From, FaultTo, ReplyTo, MessageID, RelatesTo, and Action. |
namespace | Namespace. The predefined namespace is as follows: http://www.w3.org/2005/08/addressing. |
The <orasp:kerberos-token> element defines the kerberos token.
The following table summarizes the attributes of the <orasp:kerberos-token> element.
Table D-13 Attributes of <orasp:kerberos-token> Element
Attribute | Description |
---|---|
is-encrypted | Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed | Flag that specifies whether the assertion is signed. Valid values include true or false. |
type | Type of Kerberos token. The only valid value is gss-apreq-v5 (Kerberos Version 5 GSS-API). |
The <orasp:msg-security> element defines message security for the policy. You define the body elements that are signed and encrypted for the request, response, and fault.
The <orasp:msg-security> element contains the following subelements:
The following table summarizes the attributes of the <orasp:msg-security> element.
Table D-14 Attributes of <orasp:msg-security> Element
Attribute | Description |
---|---|
algorithm-suite | Defines the algorithm suite that is used for message protection. For example, Basic128. For more information, see "Supported Algorithm Suites". |
confirm-signature | Flag that specifies whether to send a signature confirmation back to the client. Valid values include true or false. |
encrypt-signature | Flag that specifies whether to send an encryption confirmation back to the client. Valid values include true or false. |
include-timestamp | Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
sign-then-encrypt | Flag that specifies whether to sign the message before encrypting the message. |
use-derived-keys | Flag that specifies whether to use derived keys. |
<orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="false" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
  <orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>
  <orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>
  <orasp:fault/>
</orasp:msg-security>
The <orasp:permitAll> element permits all users with any roles.
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:name="J2EE services Authorization">
  <orasp:permitAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>
The <orasp:request> element defines the message body elements that are signed and encrypted in the request message. The <orasp:request> element contains the following subelements:
The <orasp:require-tls> element specifies whether two-way authentication is required.
The following table summarizes the attributes of the <orasp:require-tls> element.
Table D-15 Attributes of <orasp:require-tls> Element
Attribute | Description |
---|---|
include-timestamp | Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
mutual-auth | Flag that specifies whether two-way authentication is required. Valid values include true or false. |
The <orawsp:resource-match> element specifies the name of the resource for which authorization checks are performed. This field accepts wildcards.
For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
The <orasp:response> element defines the message body elements that are signed and encrypted in the response message. The <orasp:response> element contains the following subelements:
The <orasp:role> element defines the roles that are permitted access.
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:description="" orawsp:name="J2EE services Authorization">
  <orasp:role orasp:name="Monitors"/>
  <orasp:role orasp:name="AdminChannelUsers"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>
The <orasp:saml-token> element configures the SAML token.
The following table summarizes the attributes of the <orasp:saml-token> element.
Table D-17 Attributes of <orasp:saml-token> Element
Attribute | Description |
---|---|
confirmation-type | Confirmation type. Valid values include: sender-vouches and holder-of-key. |
is-encrypted | Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed | Flag that specifies whether the assertion is signed. Valid values include true or false. |
version | SAML version. Valid values include: 1.1. |
The <orasp:signed-elements> element defines the message body elements that are signed. This element is valid if <orasp:signed-parts> is not set to <orasp:body/>.
The <orasp:signed-elements> element contains the following subelement:
The <orasp:signed-parts> element defines the message parts that are signed.
The <orasp:signed-parts> element contains one or more of the following subelements:
The <orasp:username-token> element configures the SAML token.
The following table summarizes the attributes of the <orasp:username-token> element.
Table D-18 Attributes of <orasp:username-token> Element
Attribute | Description |
---|---|
add-created | Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate. |
add-nonce | Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate. |
is-encrypted | Flag that specifies whether the username is encrypted. Valid values include true or false. |
is-signed | Flag that specifies whether the username is signed. Valid values include true or false. |
password-type | Type of password required. Valid values are: |
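As an added example, not taken from the Oracle documentation or from the Oracle WSM product, the following Python script parses an assertion with the standard library and checks the constraints stated in Table D-14 and Table D-18 above: a digest password type requires add-created and add-nonce to be true (otherwise the policy does not validate), and a message-protection assertion should carry a timestamp, sign before encrypting, and declare both signed and encrypted parts for the request and the response. Both embedded assertions are constructed samples; the finding texts and the choice of what to flag are this example's own, not Oracle WSM validation rules.

```python
"""Lint an Oracle WSM-style security assertion for the constraints this appendix states."""
import xml.etree.ElementTree as ET

ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"

# Constructed sample (not from the page): plaintext username token plus a
# msg-security block that signs and encrypts the body in both directions.
SAMPLE_OK = """<orasp:wss11-username-with-certificates
    xmlns:orasp="%s" xmlns:orawsp="%s" orawsp:Enforced="true" orawsp:name="constructed-ok">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
      orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts><orasp:body/></orasp:signed-parts>
      <orasp:encrypted-parts><orasp:body/></orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts><orasp:body/></orasp:signed-parts>
      <orasp:encrypted-parts><orasp:body/></orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
</orasp:wss11-username-with-certificates>""" % (ORASP, ORAWSP)

# Constructed sample (not from the page): digest password without nonce or
# created timestamp, no message timestamp, encrypt-then-sign, and no encryption.
SAMPLE_BAD = """<orasp:wss11-username-with-certificates
    xmlns:orasp="%s" xmlns:orawsp="%s" orawsp:Enforced="true" orawsp:name="constructed-bad">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
      orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="digest"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="false" orasp:sign-then-encrypt="false">
    <orasp:request><orasp:signed-parts><orasp:body/></orasp:signed-parts></orasp:request>
    <orasp:response><orasp:signed-parts><orasp:body/></orasp:signed-parts></orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
</orasp:wss11-username-with-certificates>""" % (ORASP, ORAWSP)


def tag(ns, local):
    """Clark-notation name ({namespace}local) used by ElementTree."""
    return "{%s}%s" % (ns, local)


def sp_attr(el, local, default=None):
    """Read an orasp:-namespaced attribute with an optional default."""
    return el.get(tag(ORASP, local), default)


def declares_parts(section, kind):
    """True if an <orasp:request>/<orasp:response> lists at least one part of `kind`."""
    parts = section.find(tag(ORASP, kind))
    return parts is not None and len(parts) > 0


def lint_assertion(xml_text):
    """Return a list of finding strings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    for tok in root.iter(tag(ORASP, "username-token")):
        # Table D-18: digest passwords require add-created and add-nonce = true.
        if sp_attr(tok, "password-type", "plaintext") == "digest":
            for flag in ("add-created", "add-nonce"):
                if sp_attr(tok, flag, "false") != "true":
                    findings.append(
                        "username-token: password-type=digest requires %s=true" % flag)

    for ms in root.iter(tag(ORASP, "msg-security")):
        # Table D-14: the timestamp bounds the replay window.
        if sp_attr(ms, "include-timestamp") != "true":
            findings.append("msg-security: include-timestamp is not true")
        if sp_attr(ms, "sign-then-encrypt") != "true":
            findings.append("msg-security: sign-then-encrypt is not true")
        for name in ("request", "response"):
            section = ms.find(tag(ORASP, name))
            if section is None:
                continue
            for kind in ("signed-parts", "encrypted-parts"):
                if not declares_parts(section, kind):
                    findings.append("msg-security/%s: no %s declared" % (name, kind))
    return findings


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_assertion(text) or "no findings")
```

Run it against an exported policy file by reading the file into lint_assertion; the fault section is deliberately not checked because the page's own examples leave <orasp:fault/> empty.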
The <orasp:x509-token> element defines the x.509 digital certificate.
The following table summarizes the attributes of the <orasp:x509-token> element.
Table D-19 Attributes of <orasp:x509-token> Element
Attribute | Description |
---|---|
sign-key-ref-mech | Mechanism used when signing the request. Valid values include: |
enc-key-ref-mech | Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
rcpt-sign-key-ref-mech | Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
rcpt-enc-key-ref-mech | Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
is-encrypted | Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed | Flag that specifies whether the assertion is signed. Valid values include true or false. |
The <orawsp:resource-match> element specifies the action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
The <orawsp:guard> element defines the resource and action match values.
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
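As an added example that is not part of the Oracle documentation, the Python below loads <orawsp:guard> entries and decides whether a call (namespace, service name and operation, combined into a resource name the way the page describes) falls under a guard, so a reviewer can see which operations an authorization assertion actually covers. The guard list is constructed; treating the wildcard as a shell-style glob, and the trailing-wildcard resource pattern http://project11/Reporting*, are this example's assumptions, since the page only shows a bare *.

```python
"""Evaluate <orawsp:guard> resource-match / action-match entries for a SOAP call."""
import fnmatch
import xml.etree.ElementTree as ET

ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"

# Constructed guard list (not from the page): the exact-resource guard from the
# appendix, plus a second guard with a trailing wildcard that covers every operation.
GUARDS_XML = """<orawsp:Config xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    orawsp:name="constructed-authz-sample">
  <orawsp:guard>
    <orawsp:resource-match> http://project11/CreditValidation </orawsp:resource-match>
    <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
  </orawsp:guard>
  <orawsp:guard>
    <orawsp:resource-match>http://project11/Reporting*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orawsp:Config>"""


def load_guards(xml_text):
    """Return [(resource_pattern, [action_pattern, ...]), ...] in document order."""
    root = ET.fromstring(xml_text)
    guards = []
    for guard in root.iter("{%s}guard" % ORAWSP):
        # Surrounding whitespace inside the elements is padding, not part of the value.
        resource = (guard.findtext("{%s}resource-match" % ORAWSP) or "").strip()
        raw_actions = (guard.findtext("{%s}action-match" % ORAWSP) or "").split(",")
        actions = [a.strip() for a in raw_actions if a.strip()]
        guards.append((resource, actions))
    return guards


def resource_name(namespace, service):
    """Resource name as the page defines it: service namespace + "/" + service name."""
    return namespace.rstrip("/") + "/" + service


def requires_authz_check(guards, namespace, service, operation):
    """True when some guard's resource-match and action-match both cover the call.

    Assumption: wildcards are shell-style globs (fnmatch); the page only shows "*".
    """
    target = resource_name(namespace, service)
    for resource_pattern, action_patterns in guards:
        if not fnmatch.fnmatchcase(target, resource_pattern):
            continue
        if any(fnmatch.fnmatchcase(operation, p) for p in action_patterns):
            return True
    return False


GUARDS = load_guards(GUARDS_XML)

if __name__ == "__main__":
    for ns, svc, op in (("http://project11", "CreditValidation", "validate"),
                        ("http://project11", "CreditValidation", "transfer"),
                        ("http://project11", "ReportingService", "export")):
        print(ns, svc, op, requires_authz_check(GUARDS, ns, svc, op))
```

A call that no guard covers is simply outside the scope of the authorization assertion, so the function returns False rather than a deny decision; the permit/deny outcome itself comes from the <orasp:role>, <orasp:permitAll> or <orasp:denyAll> element of the enclosing binding-authorization assertion.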