B Predefined Policies

This appendix summarizes the predefined policies and contains the following sections:

Oracle has been instrumental in contributing to emerging standards, in particular the specifications hosted by the OASIS Web Services Secure Exchange technical committee. Oracle has contributed to the OASIS WS-SX technical committee several practical security scenarios, a subset of which are implemented in the predefined policies.

Note:

For information about WebLogic Web service policies, see Securing WebLogic Web Services for Oracle WebLogic Server.

Security Policies

The following sections describe the security policies.

Authentication Only Policies

Table B-1 summarizes the security policies that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.

oracle/wss_http_token_client_policy

The wss_http_token_client_policy includes credentials in the HTTP header for outbound client requests. This policy can be enforced on any HTTP-based client.

Note:

Currently only HTTP basic authentication is supported.

This policy contains the following policy assertion: oracle/wss_http_token_client_template. See "oracle/wss_http_token_client_template" for more information about the assertion.

For more information about configuring the policy, see "oracle/wss_http_token_client_policy".

oracle/wss_http_token_service_policy

The wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy can be enforced on any HTTP-based endpoint.

Note:

Currently only HTTP basic authentication is supported.

This policy contains the following policy assertion: oracle/wss_http_token_service_template. See "oracle/wss_http_token_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_http_token_service_policy".

oracle/wss_username_token_client_policy

This policy includes credentials in the WS-Security UsernameToken SOAP header for all outbound SOAP request messages. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Note:

Digest passwords are not supported in this release.

This policy contains the following policy assertion: oracle/wss_username_token_client_template. See "oracle/wss_username_token_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_username_token_client_policy".

oracle/wss_username_token_service_policy

This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

Note:

Digest passwords are not supported in this release.

This policy contains the following policy assertion: oracle/wss_username_token_service_template. See "oracle/wss_username_token_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_username_token_service_policy".

oracle/wss10_saml_token_client_policy

This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss10_saml_token_client_template. See "oracle/wss10_saml_token_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_client_policy".

oracle/wss10_saml_token_service_policy

This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss10_saml_token_service_template. See "oracle/wss10_saml_token_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".

oracle/wss10_saml20_token_client_policy

This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss10_saml20_token_client_template. See "oracle/wss10_saml20_token_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml20_token_client_policy".

oracle/wss10_saml20_token_service_policy

This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss10_saml20_token_service_template. See "oracle/wss10_saml20_token_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml20_token_service_policy".

oracle/wss11_kerberos_token_client_policy

This policy includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss11_kerberos_token_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_kerberos_token_client_policy".

oracle/wss11_kerberos_token_service_policy

This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss11_kerberos_token_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".

Message Protection Only Policies

Table B-2 summarizes the policies that enforce message protection only, and indicates whether the policy is enforced at the transport layer or SOAP header.

Table B-2 Message-Protection Only Policies

Client Policy | Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP
oracle/wss10_message_protection_client_policy | oracle/wss10_message_protection_service_policy | No | No | No | Yes
oracle/wss11_message_protection_client_policy | oracle/wss11_message_protection_service_policy | No | No | No | Yes

oracle/wss10_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_message_protection_client_template. See "oracle/wss10_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_message_protection_client_policy".

oracle/wss10_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The messages are protected using WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_message_protection_service_template. See "oracle/wss10_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_message_protection_service_policy".

oracle/wss11_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_message_protection_client_template. See "oracle/wss11_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_message_protection_client_policy".

oracle/wss11_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_message_protection_service_template. See "oracle/wss11_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_message_protection_service_policy".

Message Protection and Authentication Policies

Table B-3 summarizes the policies that enforce both message protection and authentication but do not conform to the WS-Security 1.0 or 1.1 standard. The table indicates whether the policy is enforced at the transport layer or SOAP header.

Table B-3 Message Protection and Authentication Policies

Client Policy | Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP
oracle/wss_http_token_over_ssl_client_policy | oracle/wss_http_token_over_ssl_service_policy | Yes | No | Yes | No
Attach one of the following: | oracle/wss_saml_or_username_token_over_ssl_service_policy | No | Yes | Yes | No
oracle/wss_saml_token_bearer_over_ssl_client_policy | oracle/wss_saml_token_bearer_over_ssl_service_policy | No | Yes | Yes | No
oracle/wss_saml_token_over_ssl_client_policy | oracle/wss_saml_token_over_ssl_service_policy | No | Yes | Yes | No
oracle/wss_saml20_token_over_ssl_client_policy | oracle/wss_saml20_token_over_ssl_service_policy | No | Yes | Yes | No
oracle/wss_username_token_over_ssl_client_policy | oracle/wss_username_token_over_ssl_service_policy | No | Yes | Yes | No
oracle/wss10_saml_hok_with_message_protection_client_policy | oracle/wss10_saml_hok_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss10_saml_token_with_message_integrity_client_policy | oracle/wss10_saml_token_with_message_integrity_service_policy | No | Yes | No | Yes
oracle/wss10_saml_token_with_message_protection_client_policy | oracle/wss10_saml_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss10_saml20_token_with_message_protection_client_policy | oracle/wss10_saml20_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy | oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy | No | Yes | No | Yes
oracle/wss10_username_id_propagation_with_msg_protection_client_policy | oracle/wss10_username_id_propagation_with_msg_protection_service_policy | No | Yes | No | Yes
oracle/wss10_username_token_with_message_protection_client_policy | oracle/wss10_username_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy | oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy | No | Yes | No | Yes
oracle/wss10_x509_token_with_message_protection_client_policy | oracle/wss10_x509_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_kerberos_token_with_message_protection_client_policy | oracle/wss11_kerberos_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy | oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy | No | Yes | No | Yes
Attach one of the following: | oracle/wss11_saml_or_username_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_saml_token_with_message_protection_client_policy | oracle/wss11_saml_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_saml20_token_with_message_protection_client_policy | oracle/wss11_saml20_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_saml_token_with_identity_switch_message_protection_client_policy | oracle/wss11_saml_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_username_token_with_message_protection_client_policy | oracle/wss11_username_token_with_message_protection_service_policy | No | Yes | No | Yes
oracle/wss11_x509_token_with_message_protection_client_policy | oracle/wss11_x509_token_with_message_protection_service_policy | No | Yes | No | Yes

oracle/wss_http_token_over_ssl_client_policy

This policy includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client.

Note:

Currently only HTTP basic authentication is supported.

This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_client_template. See "oracle/wss_http_token_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_http_token_over_ssl_client_policy".

oracle/wss_http_token_over_ssl_service_policy

This policy extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.

Note:

Currently only HTTP basic authentication is supported.

This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_http_token_over_ssl_service_policy".

oracle/wss_saml_or_username_token_over_ssl_service_policy

This policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

  • WS-Security UsernameToken SOAP header to authenticate users against the Oracle Platform Security Services configured identity store.

This policy contains the following assertions, as an OR group—meaning either type of policy can be enforced by a client:

For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy" and "oracle/wss_username_token_over_ssl_service_policy".

oracle/wss_saml_token_bearer_over_ssl_client_policy

This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.

This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_client_template. See "oracle/wss_saml_token_bearer_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_client_policy".

oracle/wss_saml_token_bearer_over_ssl_service_policy

This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_service_template. See "oracle/wss_saml_token_bearer_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_service_policy".

oracle/wss_saml20_token_bearer_over_ssl_client_policy

This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.

This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_client_template. See "oracle/wss_saml20_token_bearer_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_client_policy".

oracle/wss_saml20_token_bearer_over_ssl_service_policy

This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_service_template. See "oracle/wss_saml20_token_bearer_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_service_policy".

oracle/wss_saml_token_over_ssl_client_policy

This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_client_template. See "oracle/wss_saml_token_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_client_policy".

oracle/wss_saml_token_over_ssl_service_policy

This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_service_template. See "oracle/wss_saml_token_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy".

oracle/wss_saml20_token_over_ssl_client_policy

This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_client_template. See "oracle/wss_saml20_token_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_client_policy".

oracle/wss_saml20_token_over_ssl_service_policy

This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_service_template. See "oracle/wss_saml20_token_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_service_policy".

oracle/wss_username_token_over_ssl_client_policy

This policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Note:

Digest passwords are not supported in this release.

This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_client_template. See "oracle/wss_username_token_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_username_token_over_ssl_client_policy".

oracle/wss_username_token_over_ssl_service_policy

This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

Note:

Digest passwords are not supported in this release.

This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_service_template. See "oracle/wss_username_token_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_username_token_over_ssl_service_policy".

oracle/wss10_saml_hok_with_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) and SAML holder-of-key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with holder-of-key confirmation.

The policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_hok_with_message_protection_client_template. See "oracle/wss10_saml_hok_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_client_policy".

oracle/wss10_saml_hok_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML holder-of-key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_hok_with_message_protection_service_template. See "oracle/wss10_saml_hok_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_service_policy".

oracle/wss10_saml_token_with_message_integrity_client_policy

This policy provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender-vouches confirmation.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and the SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_client_policy".

oracle/wss10_saml_token_with_message_integrity_service_policy

This policy enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. It extracts the SAML token from the WS-Security binary security token or the current Java Authentication and Authorization Service (JAAS) subject, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and the SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_service_policy".

oracle/wss10_saml_token_with_message_protection_client_policy

This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".

oracle/wss10_saml_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".
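The replay checks described for this policy (time stamps and SAML token limits, verified by the Web service provider) as an added example, not Oracle's own code: a stdlib-only Python validator that reads the wsu:Timestamp and the SAML token's Conditions and confirmation method from an inbound request and lists every check that fails. It uses the standard WS-Security 1.0 and SAML 1.1/2.0 namespaces; the sample envelope, the 5-minute clock skew and the 10-minute maximum message age are constructed assumptions, and signature verification and decryption are assumed to have already succeeded.

```python
"""Replay-window checks a WS-Security service endpoint performs on an inbound SOAP request.

Added example (not Oracle code). It assumes the message signature has already been
verified, so the wsu:Timestamp and SAML assertion it reads are trustworthy.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.1 keeps the 1.0 namespace
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = {"urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
                  "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"}


def parse_utc(value):
    """Parse an xsd:dateTime in the UTC 'Z' form (optionally with fractional seconds)."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z", value.strip())
    if not m:
        raise ValueError(f"unsupported dateTime, UTC 'Z' form required: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int(((m.group(2) or ".0")[1:]).ljust(6, "0")[:6])
    return base + timedelta(microseconds=micros)


def confirmation_methods(assertion, prefix):
    """SAML 1.1 carries the method as element text, SAML 2.0 as a Method attribute."""
    if prefix == "saml1":
        return {e.text.strip() for e in assertion.iterfind(".//saml1:ConfirmationMethod", NS) if e.text}
    return {e.get("Method") for e in assertion.iterfind(".//saml2:SubjectConfirmation", NS) if e.get("Method")}


def evaluate(envelope_xml, now, allowed_methods=SENDER_VOUCHES,
             skew=timedelta(minutes=5), max_age=timedelta(minutes=10)):
    """Return the list of failed checks; an empty list means the request is within its window."""
    findings = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["wsse:Security header missing"]
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append("wsu:Timestamp missing")
    else:
        created_text = ts.findtext("wsu:Created", namespaces=NS)
        expires_text = ts.findtext("wsu:Expires", namespaces=NS)
        if created_text is None:
            findings.append("wsu:Created missing")
        else:
            created = parse_utc(created_text)
            if created > now + skew:
                findings.append("Timestamp Created is in the future")
            if now - created > max_age:
                findings.append("Timestamp Created is older than the accepted message age")
        if expires_text is None:
            findings.append("wsu:Expires missing")
        elif parse_utc(expires_text) <= now - skew:
            findings.append("Timestamp Expires has passed")
    # Accept either a SAML 1.1 or a SAML 2.0 assertion as a direct child of wsse:Security.
    prefix, assertion = "saml1", sec.find("saml1:Assertion", NS)
    if assertion is None:
        prefix, assertion = "saml2", sec.find("saml2:Assertion", NS)
    if assertion is None:
        findings.append("SAML assertion missing")
        return findings
    cond = assertion.find(f"{prefix}:Conditions", NS)
    if cond is None:
        findings.append("SAML Conditions missing, token has no validity window")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and parse_utc(nb) > now + skew:
            findings.append("SAML NotBefore is in the future")
        if noa is None:
            findings.append("SAML NotOnOrAfter missing")
        elif parse_utc(noa) <= now - skew:
            findings.append("SAML NotOnOrAfter has passed")
    methods = confirmation_methods(assertion, prefix)
    if not methods & set(allowed_methods):
        findings.append(f"confirmation method {sorted(methods) or 'absent'} not accepted by this policy")
    return findings


def build_envelope(created, expires, not_before, not_on_or_after, method):
    """Constructed sample request: SAML 1.1 token plus wsu:Timestamp (the XML signature is omitted)."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
<saml:Assertion xmlns:saml="{NS['saml1']}" MajorVersion="1" MinorVersion="1" AssertionID="_a1"
 Issuer="idp.example.test" IssueInstant="{created}">
<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="{created}">
<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>{method}</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement></saml:Assertion></wsse:Security></soap:Header>
<soap:Body><ns:getBalance xmlns:ns="urn:example:bank"/></soap:Body></soap:Envelope>"""


NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run


def sample_request():
    return build_envelope("2024-03-01T11:59:30Z", "2024-03-01T12:04:30Z",
                          "2024-03-01T11:59:00Z", "2024-03-01T12:09:00Z",
                          "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches")


if __name__ == "__main__":
    print("fresh:   ", evaluate(sample_request(), NOW))
    # The same captured message presented an hour later fails the age, Expires and NotOnOrAfter checks.
    print("replayed:", evaluate(sample_request(), NOW + timedelta(hours=1)))
```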

oracle/wss10_saml20_token_with_message_protection_client_policy

This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_client_template. See "oracle/wss10_saml20_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_client_policy".

oracle/wss10_saml20_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_service_template. See "oracle/wss10_saml20_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_service_policy".

oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy

This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".

oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".

oracle/wss10_username_id_propagation_with_msg_protection_client_policy

This policy provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials (only the username) are included in outbound SOAP request messages via a WS-Security UsernameToken header. No password is included. This policy can be enforced on any SOAP-based client.

Message protection is provided using WS-Security's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_id_propagation_with_msg_protection_client_policy".

oracle/wss10_username_id_propagation_with_msg_protection_service_policy

This policy enforces message level protection (i.e., integrity and confidentiality) and identity propagation for inbound SOAP requests using mechanisms described in WS-Security 1.0. This policy can be enforced on any SOAP-based endpoint.

Message protection is provided using WS-Security 1.0's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_id_propagation_with_msg_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_id_propagation_with_msg_protection_service_policy".

oracle/wss10_username_token_with_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_client_policy".

oracle/wss10_username_token_with_message_protection_service_policy

This policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_service_policy".
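The replay protections described for these username token policies (a nonce or creation time in the UsernameToken) and for the SAML policies above (time stamps and SAML token limits) only help if the Web service provider actually verifies them. The following is an added example, not Oracle Web Services Manager code, of that provider-side verification in Python over constructed sample headers; the ReplayGuard class, the 5-minute freshness window and the 60-second clock skew are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WS-Security 1.0 and SAML 2.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"wsse": WSSE, "wsu": WSU, "saml2": SAML2}


def parse_utc(text):
    """Parse an xsd:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text).astimezone(timezone.utc)


class ReplayGuard:
    """Provider-side check for a UsernameToken carrying a Nonce and a Created time.

    A token is rejected when Created is stale (outside the freshness window),
    implausibly far in the future (beyond the tolerated clock skew), or when the
    same Nonce was already accepted inside the window, which is what a replayed
    message looks like. The cache is pruned to the window so memory stays bounded.
    Window and skew values are assumptions for this example.
    """

    def __init__(self, window=timedelta(minutes=5), skew=timedelta(seconds=60)):
        self.window = window
        self.skew = skew
        self.seen = {}  # nonce -> Created time of the request that used it

    def check_username_token(self, header_xml, now):
        root = ET.fromstring(header_xml)
        token = root.find(".//wsse:UsernameToken", NS)
        if token is None:
            return False, "no UsernameToken in the Security header"
        nonce_el = token.find("wsse:Nonce", NS)
        created_el = token.find("wsu:Created", NS)
        if nonce_el is None or created_el is None:
            return False, "Nonce and Created are required for replay protection"
        nonce = (nonce_el.text or "").strip()
        if not nonce:
            return False, "empty Nonce"
        try:
            created = parse_utc(created_el.text or "")
        except ValueError:
            return False, "Created is not a valid xsd:dateTime"
        if created > now + self.skew:
            return False, "Created is in the future beyond the allowed clock skew"
        if now - created > self.window:
            return False, "Created is older than the freshness window"
        # Entries older than the window can no longer be replayed, so drop them.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if nonce in self.seen:
            return False, "Nonce already used inside the freshness window: replay"
        self.seen[nonce] = created
        return True, "ok"


def check_saml_conditions(header_xml, now, skew=timedelta(seconds=60)):
    """Enforce the assertion's NotBefore/NotOnOrAfter validity window."""
    root = ET.fromstring(header_xml)
    cond = root.find(".//saml2:Assertion/saml2:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "Conditions must carry NotBefore and NotOnOrAfter"
    if now + skew < parse_utc(not_before):
        return False, "assertion is not yet valid"
    if now - skew >= parse_utc(not_on_or_after):
        return False, "assertion has expired"
    return True, "ok"


# Constructed sample headers (not real captures); the password value is a placeholder.
PWD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
SAMPLE_USERNAME_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:UsernameToken wsu:Id="UsernameToken-1">
    <wsse:Username>alice</wsse:Username>
    <wsse:Password Type="{PWD_TEXT}">placeholder-password</wsse:Password>
    <wsse:Nonce>ZmFrZS1ub25jZS0x</wsse:Nonce>
    <wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>"""

SAMPLE_SAML_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}">
  <saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed-1" Version="2.0"
                   IssueInstant="2024-01-01T12:00:00Z">
    <saml2:Issuer>https://idp.example.test</saml2:Issuer>
    <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml2:Assertion>
</wsse:Security>"""

# Fixed "now" values so the scenario is deterministic.
T0 = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
T_LATER = T0 + timedelta(minutes=10)


def demo():
    """Run the sequence a provider would see: first use, replay, fresh nonce, stale token, SAML window."""
    guard = ReplayGuard()
    second_nonce = SAMPLE_USERNAME_HEADER.replace("ZmFrZS1ub25jZS0x", "ZmFrZS1ub25jZS0y")
    return [
        guard.check_username_token(SAMPLE_USERNAME_HEADER, T0),  # first use -> accepted
        guard.check_username_token(SAMPLE_USERNAME_HEADER, T0),  # same nonce again -> replay
        guard.check_username_token(second_nonce, T0),            # new nonce -> accepted
        guard.check_username_token(second_nonce, T_LATER),       # Created too old -> rejected
        check_saml_conditions(SAMPLE_SAML_HEADER, T0),           # inside window -> accepted
        check_saml_conditions(SAMPLE_SAML_HEADER, T_LATER),      # past NotOnOrAfter -> rejected
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", "-", reason)
```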

oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy

This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_client_policy".

oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy

This policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_service_policy".

oracle/wss10_x509_token_with_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_x509_token_with_message_protection_client_template. See "oracle/wss10_x509_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_x509_token_with_message_protection_client_policy".

oracle/wss10_x509_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss10_x509_token_with_message_protection_service_template. See "oracle/wss10_x509_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss10_x509_token_with_message_protection_service_policy".

oracle/wss11_kerberos_token_with_message_protection_client_policy

This policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.

This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_client_policy".

oracle/wss11_kerberos_token_with_message_protection_service_policy

This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.

This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_service_policy".

oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy

This policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be enforced on any SOAP-based client.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy".

oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy

This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.

This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".

This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy".

oracle/wss11_saml_token_with_message_protection_client_policy

This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_client_template. See "oracle/wss11_saml_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_saml_token_with_message_protection_client_policy".

oracle/wss11_saml20_token_with_message_protection_client_policy

This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_saml20_token_with_message_protection_client_template. See "oracle/wss11_saml20_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_saml20_token_with_message_protection_client_policy".

oracle/wss11_saml_token_with_identity_switch_message_protection_client_policy

This policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy can be attached to any SOAP-based client.

This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_client_template. See "oracle/wss11_saml_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy".

oracle/wss11_saml_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_service_template. See "oracle/wss11_saml_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_saml_token_with_message_protection_service_policy".

oracle/wss11_saml20_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_saml20_token_with_message_protection_service_template. See "oracle/wss11_saml20_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_saml20_token_with_message_protection_service_policy".

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:

  • SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

  • Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the SAML token and username token assertions as an OR group, meaning that a client can satisfy either one.

For information about configuring the policy, see "oracle/wss11_saml_token_with_message_protection_service_policy" and "oracle/wss11_username_token_with_message_protection_service_policy".

oracle/wss11_username_token_with_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.

Note:

Digest passwords are not supported in this release.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_username_token_with_message_protection_client_template. See "oracle/wss11_username_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_username_token_with_message_protection_client_policy".

oracle/wss11_username_token_with_message_protection_service_policy

This policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. Both plain text and digest mechanisms are supported.

Note:

Digest passwords are not supported in this release.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_username_token_with_message_protection_service_template. See "oracle/wss11_username_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_username_token_with_message_protection_service_policy".

oracle/wss11_x509_token_with_message_protection_client_policy

This policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_x509_token_with_message_protection_client_template. See "oracle/wss11_x509_token_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_x509_token_with_message_protection_client_policy".

oracle/wss11_x509_token_with_message_protection_service_policy

This policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".

This policy contains the following policy assertion: oracle/wss11_x509_token_with_message_protection_service_template. See "oracle/wss11_x509_token_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_x509_token_with_message_protection_service_policy".

WS-Trust Policies

Table B-4 summarizes the WS-Trust policies.

oracle/sts_trust_config_service_policy

This policy provides STS configuration information that is used to invoke an STS for token exchange.

This policy contains the following policy assertion: oracle/sts_trust_config_template. See "oracle/sts_trust_config_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/sts_trust_config_service_policy".

oracle/sts_trust_config_client_policy

This policy provides STS configuration information that is used to invoke an STS for token exchange.

This policy contains the following policy assertion: oracle/sts_trust_config_template. See "oracle/sts_trust_config_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/sts_trust_config_client_policy".

oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy

This policy inserts the SAML Bearer assertion issued by a trusted STS (Security Token Service). Messages are protected using SSL.

This policy contains the following policy assertion: oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template. See "oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy".

oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

This policy authenticates a SAML Bearer assertion issued by a trusted STS (Security Token Service). Messages are protected using SSL.

This policy contains the following policy assertion: oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template. See "oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy".

oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy

This policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template. See "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy".

oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy

This policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template. See "oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy".

oracle/wss11_sts_issued_saml_with_message_protection_client_policy

This policy inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.

This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_with_message_protection_client_template. See "oracle/wss11_sts_issued_saml_with_message_protection_client_template" for more information about the assertion.

For information about configuring the policy, see "oracle/wss11_sts_issued_saml_with_message_protection_client_policy".

Authorization Only Policies

Table B-5 summarizes the security policies that enforce authorization, and indicates whether the policy is enforced at the transport layer or SOAP header.

Note:

The authorization policies can follow any authentication policy where the Subject is established.

You cannot attach both a permitall and denyall policy to the same Web service.

Table B-5 Authorization Only Policies

Service Policy                                     Authentication Transport   Authentication SOAP   Message Protection Transport   Message Protection SOAP
oracle/binding_authorization_denyall_policy        No                         Yes                   No                             No
oracle/binding_authorization_permitall_policy      No                         Yes                   No                             No
oracle/binding_permission_authorization_policy     No                         Yes                   No                             No
oracle/component_authorization_denyall_policy      No                         Yes                   No                             No
oracle/component_authorization_permitall_policy    No                         Yes                   No                             No
oracle/component_permission_authorization_policy   No                         Yes                   No                             No
oracle/whitelist_authorization_policy              No                         Yes                   No                             No


oracle/binding_authorization_denyall_policy

This policy provides simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy denies all users, whatever roles they hold. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/binding_authorization_denyall_policy".

oracle/binding_authorization_permitall_policy

This policy provides simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy permits all authenticated users, whatever roles they hold. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/binding_authorization_permitall_policy".

oracle/binding_permission_authorization_policy

This policy provides simple permission-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy ensures that the Subject has permission to perform the operation. This policy should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/binding_permission_authorization_template. See "oracle/binding_permission_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/binding_permission_authorization_policy".

oracle/component_authorization_denyall_policy

This policy provides simple role-based authorization for the request based on the authenticated Subject at the SOA component level. This policy denies all users, whatever roles they hold. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

This policy contains the following policy assertion: oracle/component_authorization_template. See "oracle/component_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/component_authorization_denyall_policy".

oracle/component_authorization_permitall_policy

This policy provides simple role-based authorization for the request based on the authenticated Subject at the SOA component level. This policy permits all authenticated users, whatever roles they hold. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

This policy contains the following policy assertion: oracle/component_authorization_template. See "oracle/component_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/component_authorization_permitall_policy".

oracle/component_permission_authorization_policy

This policy provides a permission-based authorization policy based on the authenticated Subject. This policy ensures that the Subject has permission to perform the operation. This policy should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.

This policy contains the following policy assertion: oracle/component_permission_authorization_template. See "oracle/component_permission_authorization_template" for more information about the assertion.

For information about configuring the policy, see "oracle/component_permission_authorization_policy".

oracle/whitelist_authorization_policy

This policy is a special case of the role-based authorization policy. It admits a request only if the authenticated token is a SAML Sender-Vouches token, if the user is in the role 'trustedEnterpriseRole' (which establishes the user as a trusted entity), or if the request originates from within the private network. This policy can be attached to any SOAP-based endpoint.

This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.

For information about configuring this policy, see "oracle/whitelist_authorization_policy".
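The following is an added example, not Oracle WSM code, that models how the predefined authorization policies above decide a request. It shows the three points a practitioner relies on: authorization only has meaning once an authentication policy has established a Subject (no Subject means deny, even under permitall); denyall and permitall are the two fixed instances of role-based authorization and must not both be attached to one service; and the whitelist policy admits on any one of three conditions. The Subject field names, the token-type labels, and the RFC 1918 ranges standing in for "the private network" are assumptions made for this example. Note that the private-network test is only as good as the source address the platform sees; behind a reverse proxy that is the proxy's address.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """What a preceding authentication policy established. Field names are assumptions."""
    name: str
    roles: FrozenSet[str] = frozenset()
    token_type: str = "username"          # assumed labels: "username", "saml-sender-vouches", "saml-hok"
    permissions: FrozenSet[Tuple[str, str]] = frozenset()   # (resource, operation) grants; an assumption


# Map each predefined authorization policy to the decision it makes. Binding and
# component variants decide identically and differ only in where they attach.
KIND = {
    "oracle/binding_authorization_denyall_policy": "denyall",
    "oracle/component_authorization_denyall_policy": "denyall",
    "oracle/binding_authorization_permitall_policy": "permitall",
    "oracle/component_authorization_permitall_policy": "permitall",
    "oracle/binding_permission_authorization_policy": "permission",
    "oracle/component_permission_authorization_policy": "permission",
    "oracle/whitelist_authorization_policy": "whitelist",
}

# Assumed meaning of "the private network" for the whitelist policy: RFC 1918 ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def from_private_network(source_ip: Optional[str]) -> bool:
    """True only for a syntactically valid address inside one of the assumed private ranges."""
    if not source_ip:
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:            # malformed input never counts as trusted
        return False
    return any(addr in net for net in PRIVATE_NETWORKS)


def authorize(policy: str, subject: Optional[Subject], operation: str = "",
              resource: str = "", source_ip: Optional[str] = None) -> bool:
    """Decide one request under one predefined authorization policy."""
    kind = KIND.get(policy)
    if kind is None:
        raise ValueError(f"not a predefined authorization policy: {policy}")
    # Authorization follows authentication: with no Subject established, deny under
    # every policy, so permitall never turns into anonymous access.
    if subject is None:
        return False
    if kind == "denyall":
        return False                                   # every Subject, whatever its roles
    if kind == "permitall":
        return True                                    # every authenticated Subject
    if kind == "permission":
        return (resource, operation) in subject.permissions
    # whitelist: any one of the three conditions admits the request
    return (subject.token_type == "saml-sender-vouches"
            or "trustedEnterpriseRole" in subject.roles
            or from_private_network(source_ip))


def attachments_valid(policies: Iterable[str]) -> bool:
    """False if permitall and denyall are attached to the same service, which is not allowed."""
    kinds = {KIND.get(p) for p in policies}
    return not {"permitall", "denyall"} <= kinds
```

The decision is deliberately independent of the policy family: attaching oracle/component_permission_authorization_policy to an SCA component asks the same question of the Subject as the binding variant asks at a SOAP endpoint.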

WS-Addressing Policies

This section describes the predefined WS-Addressing policies.

Note:

WS-Addressing policies are not supported for WebLogic Web services.

oracle/wsaddr_policy

This policy causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages. For information about configuring the policy, see "oracle/wsaddr_policy".
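As an added example, not code from the Oracle product, the following shows both halves of what the policy described above does: an inbound check that WS-Addressing headers are present in the W3C 2005 namespace (http://www.w3.org/2005/08/addressing), and an outbound step that inserts them. The inbound check rejects messages whose headers use the earlier 2004/08 member-submission namespace, requires a non-empty wsa:Action, and, as a rule this example enforces, requires a wsa:MessageID whenever wsa:ReplyTo or wsa:FaultTo is present, since a reply cannot otherwise be correlated. The sample messages are constructed for the example; the example.com URIs are placeholders.

```python
import uuid
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"                          # W3C WS-Addressing 1.0 (2005)
WSA_SUBMISSION = "http://schemas.xmlsoap.org/ws/2004/08/addressing"   # earlier submission, rejected
ET.register_namespace("wsa", WSA)
ET.register_namespace("soap", SOAP12)
ET.register_namespace("soapenv", SOAP11)


def _split(tag: str) -> Tuple[str, str]:
    """ElementTree spells qualified names as '{namespace}local'."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def check_inbound(soap_xml: str) -> Tuple[bool, str]:
    """(True, action) if the 2005 WS-Addressing headers are present and consistent, else (False, reason)."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    ns, local = _split(root.tag)
    if local != "Envelope" or ns not in (SOAP11, SOAP12):
        return False, "not a SOAP 1.1 or 1.2 envelope"
    header = root.find(f"{{{ns}}}Header")
    if header is None:
        return False, "no SOAP Header, so no WS-Addressing headers"
    if any(_split(child.tag)[0] == WSA_SUBMISSION for child in header):
        return False, "WS-Addressing headers use the 2004/08 submission namespace, not the 2005 W3C namespace"

    def text(name: str) -> str:
        el = header.find(f"{{{WSA}}}{name}")
        return (el.text or "").strip() if el is not None else ""

    action = text("Action")
    if not action:
        return False, "missing or empty wsa:Action"
    # Without a MessageID the reply's wsa:RelatesTo has nothing to refer to.
    wants_reply = (header.find(f"{{{WSA}}}ReplyTo") is not None
                   or header.find(f"{{{WSA}}}FaultTo") is not None)
    if wants_reply and not text("MessageID"):
        return False, "wsa:ReplyTo/wsa:FaultTo present without wsa:MessageID"
    return True, action


def add_outbound(soap_xml: str, action: str, to: str) -> str:
    """Outbound side: insert wsa:Action, wsa:To and a fresh wsa:MessageID into the Header."""
    root = ET.fromstring(soap_xml)
    ns, _ = _split(root.tag)
    header = root.find(f"{{{ns}}}Header")
    if header is None:
        header = ET.Element(f"{{{ns}}}Header")
        root.insert(0, header)                      # Header must precede Body
    for name, value in (("Action", action), ("To", to), ("MessageID", f"urn:uuid:{uuid.uuid4()}")):
        ET.SubElement(header, f"{{{WSA}}}{name}").text = value
    return ET.tostring(root, encoding="unicode")


# Constructed sample messages for this example (not captured traffic).
GOOD = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>http://example.com/orders/Submit</wsa:Action>
    <wsa:To>http://example.com/orders</wsa:To>
    <wsa:MessageID>urn:uuid:0f5a3b6e-1c2d-4e7f-9a8b-123456789abc</wsa:MessageID>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body><Submit xmlns="http://example.com/orders"/></soap:Body>
</soap:Envelope>"""
OLD_NS = GOOD.replace(WSA, WSA_SUBMISSION)
BARE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body/></soapenv:Envelope>')
```

The same check function accepts both SOAP 1.1 and SOAP 1.2 envelopes, since WS-Addressing is independent of the SOAP version; what it does not accept is a header block that merely looks like addressing but lives in the wrong namespace.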

MTOM Attachment Policies

This section describes the predefined MTOM policies.

Note:

MTOM policies are not supported for WebLogic Web services.

oracle/wsmtom_policy

This Message Transmission Optimization Mechanism (MTOM) policy rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM refers to specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for SOAP 1.2 and SOAP 1.1 bindings, respectively. For information about configuring the policy, see "oracle/wsmtom_policy".

Reliable Messaging Policies

This section describes the predefined Reliable Messaging policies.

Note:

Reliable messaging policies are not supported for WebLogic Web services.

oracle/wsrm10_policy

This policy provides support for version 1.0 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming. For information about configuring the policy, see "oracle/wsrm10_policy".

oracle/wsrm11_policy

This policy provides support for version 1.1 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming. For information about configuring the policy, see "oracle/wsrm11_policy".

Management Policies

This section describes the predefined Management policies.

Note:

Management policies are not supported for WebLogic Web services.

oracle/log_policy

This policy causes the request, response, and fault messages to be sent to a message log. For information about configuring the policy, see "oracle/log_policy".

This policy contains the following policy assertion: oracle/security_log_template. See "oracle/security_log_template" for more information about the assertion.

No Behavior Policies

This section describes the predefined no behavior policies. These policies provide the ability to effectively disable a policy attached globally in a policy set. Details for using these policies are provided in "Disabling a Globally Attached Policy". There are no configuration properties available for these policies.

All of these policies use the same no behavior assertion.

Note:

The no behavior policies are not supported for WebLogic Web services.

oracle/no_authentication_service_policy

This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also.

oracle/no_authentication_client_policy

This policy, when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also.

oracle/no_messageprotection_service_policy

This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also.

oracle/no_messageprotection_client_policy

This policy, when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also.

oracle/no_authorization_service_policy

This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also.

oracle/no_authorization_component_policy

This policy, when directly attached to a SOA component or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also.

oracle/no_addressing_policy

This policy, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS Addressing policy at a higher scope.

oracle/no_mtom_policy

This policy, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS MTOM policy at a higher scope.

oracle/no_wsrm_policy

This policy, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached Web Services Reliable Messaging policy at a higher scope.
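The following is an added example, not Oracle WSM code, that models the scope rule the no behavior policies above rely on and the side effect the descriptions warn about: a no behavior policy at a lower scope disables the whole higher-scope policy whose assertion kind it names, other assertions included. The scope hierarchy (domain, application, module, service, endpoint), the assertion kinds, and the policy oracle/wss11_saml_token_with_message_protection_service_policy, which is not described in this section and is assumed here to carry both an authentication and a message protection assertion, are assumptions for the example. The second value returned, the collateral set, is what to inspect before assuming that message protection survived a no_authentication override.

```python
from typing import Dict, List, Set, Tuple

# Scope hierarchy assumed for this example, most general first. An attachment at a
# later (lower) scope overrides one at an earlier (higher) scope; a policy attached
# directly to an endpoint is treated as the "endpoint" scope.
SCOPES = ["domain", "application", "module", "service", "endpoint"]

# Assertion kinds each policy carries (assumed for the example).
ASSERTIONS: Dict[str, Set[str]] = {
    "oracle/wss11_saml_token_with_message_protection_service_policy": {"authentication", "message_protection"},
    "oracle/binding_authorization_permitall_policy": {"authorization"},
    "oracle/wsaddr_policy": {"addressing"},
    "oracle/wsmtom_policy": {"mtom"},
    "oracle/wsrm11_policy": {"wsrm"},
}

# The assertion kind each no behavior policy cancels.
NO_BEHAVIOR: Dict[str, str] = {
    "oracle/no_authentication_service_policy": "authentication",
    "oracle/no_messageprotection_service_policy": "message_protection",
    "oracle/no_authorization_service_policy": "authorization",
    "oracle/no_addressing_policy": "addressing",
    "oracle/no_mtom_policy": "mtom",
    "oracle/no_wsrm_policy": "wsrm",
}

Attachment = Tuple[str, str]   # (scope, policy name)


def resolve(attachments: List[Attachment]) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return (effective policies with their assertions, collateral losses).

    A no behavior policy at a strictly lower scope that names any assertion kind of
    a higher-scope policy disables that whole policy. Collateral losses are the
    kinds that disappeared although no no behavior policy named them and no
    remaining policy still provides them.
    """
    rank = {scope: i for i, scope in enumerate(SCOPES)}
    for scope, policy in attachments:
        if scope not in rank:
            raise ValueError(f"unknown scope: {scope}")
        if policy not in ASSERTIONS and policy not in NO_BEHAVIOR:
            raise ValueError(f"unknown policy: {policy}")
    overrides = [(rank[s], NO_BEHAVIOR[p]) for s, p in attachments if p in NO_BEHAVIOR]
    effective: Dict[str, Set[str]] = {}
    dropped: Set[str] = set()     # every kind carried by a disabled policy
    named: Set[str] = set()       # kinds a no behavior policy explicitly cancelled
    for scope, policy in attachments:
        if policy in NO_BEHAVIOR:
            continue
        kinds = ASSERTIONS[policy]
        hits = {kind for r, kind in overrides if kind in kinds and r > rank[scope]}
        if hits:
            named |= hits
            dropped |= kinds      # the entire policy goes, not just the named assertion
        else:
            effective[policy] = set(kinds)
    still_provided = set().union(*effective.values())
    return effective, dropped - named - still_provided


# Constructed attachment set: domain-wide SAML + message protection and addressing,
# with authentication switched off for one endpoint.
SAMPLE: List[Attachment] = [
    ("domain", "oracle/wss11_saml_token_with_message_protection_service_policy"),
    ("domain", "oracle/wsaddr_policy"),
    ("endpoint", "oracle/no_authentication_service_policy"),
]

if __name__ == "__main__":
    effective, collateral = resolve(SAMPLE)
    print("effective:", effective)
    print("silently lost:", collateral)
```

For the sample attachment set the endpoint keeps addressing only: the no_authentication policy removes the SAML policy, and message protection goes with it even though nothing named it. A no behavior policy at the same or a higher scope than the policy it targets has no effect in this model, matching the "at a lower scope" wording above.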