Oracle® Fusion Middleware Security and Administrator's Guide for Web Services
11g Release 1 (11.1.1.6)

Part Number B32511-07

D Schema Reference for Predefined Assertions

This appendix provides the XML schema for reference when creating a WS-Policy file that contains Web service assertions. Sections include Graphical Representation and Element Descriptions.

Graphical Representation

The following graphic describes the element hierarchy of the assertions in the WS-Policy file.

Figure D-1 Element Hierarchy of an Assertion


The following sections describe each element and its subelements in detail:

Element Descriptions

The following sections describe the elements in the assertion in more detail. The main elements are described up front. The subelements are described following the main elements and are organized in alphabetical order.

wsp:Policy

Groups nested policy assertions.

Attributes

The following table summarizes the WS-Policy attributes, including the Oracle extensions.

Table D-1 Oracle Extensions to WS-Policy Attributes

Attribute Description

Name

Name of the policy.

attachTo

Policy subjects to which the policy can be attached. Valid values include: binding.client, binding.server, binding.any.

category

Category of the policy. Valid values include: security, mtom, wsrm, addressing, and management.

description

Description of the policy.

displayName

Name displayed in the user interface.

localOptimization

Flag that specifies whether local optimization is enabled. Oracle WSM supports a SOA local optimization feature for composite-to-composite invocations in which the reference of one composite specifies a Web service binding to a second composite. Valid values include:

  • On—Local optimization is enabled

  • Off—Local optimization is turned off. The request goes through the usual WS/SOAP/HTTP process

  • Check Identity—Optimize only if a JAAS subject already exists in the current thread, indicating that authentication has already succeeded. Otherwise, go through the usual WS/SOAP/HTTP process.

status

Status of the policy reference. Valid values include: enabled and disabled.

smartDigest

Smart Digest.

oraSmartDigest

Smart Digest.

subjectCount

Number of subjects to which the policy is attached currently.

versionCreator

Author of the current version.

versionNumber

Number of the current version.

versionTime

Time the current version was created.

id

Policy ID.


Example

<wsp:Policy 
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" 
 xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy" 
 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" 
 xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
 Name="oracle/wss11_x509_token_with_message_protection_client_policy" 
 orawsp:attachTo="binding.client" 
 orawsp:category="security" 
 orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDescKey" 
 orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDispNameKey"
 orawsp:local-optimization="check-identity" 
 orawsp:oraSmartDigest="935231872" 
 orawsp:smartDigest="201244603" 
 orawsp:status="enabled" 
 orawsp:versionCreator="mdsInternal" 
 orawsp:versionNumber="1" 
 orawsp:versionTime="1238006529607" 
 wsu:Id="wss11_x509_token_with_message_protection_client_policy">
...
</wsp:Policy>

wsp:ExactlyOne

Optional element that defines an OR group. For more information about OR groups, see "Defining Multiple Policy Alternatives (OR Groups)".

Attributes

The following table summarizes the attribute of the <wsp:ExactlyOne> element.

Table D-2 Attribute of <wsp:ExactlyOne> Element

Attribute Description

Name

Set to OR to indicate that this is an OR group.


Example

<wsp:ExactlyOne orawsp:name="Or">
<orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
   orawsp:category="security/msg-protection, security/authentication"
   orawsp:name="WS-Security 1.1 Saml  with certificates">
<orasp:saml-token orasp:confirmation-type="sender-vouches"
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
   orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
<orasp:msg-security orasp:algorithm-suite="Basic128"
   orasp:confirm-signature="true" orasp:encrypt-signature="false"
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true"
   orasp:use-derived-keys="false">
...
<orasp:wss11-username-with-certificates orawsp:Enforced="true"
   orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" 
   orawsp:name="WS-Security 1.1 username with certificates">
<orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:sign-key-ref-mech="thumbprint"/>
<orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:confirm-signature="true" orasp:encrypt-signature="false" 
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
   orasp:use-derived-keys="false">
...
</wsp:ExactlyOne>

orasp:Assertion

Main element of the assertion. Valid assertion elements include:

Attributes

The following table summarizes the attributes of the <orasp:Assertion> element.

Table D-3 Attributes of <orasp:Assertion> Element

Attribute Description

Optional

Flag that specifies whether the assertion is optional or required.

Silent

Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised.

Enforced

Flag that specifies whether the assertion is currently enabled. Valid values are true or false.

name

Name of the assertion.

description

Description of the assertion.

category

Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging, mtom, wsrm, addressing, and management.


Example

<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true"
  orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" 
  orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
...
</orasp:wss11-mutual-auth-with-certificates>

orawsp:bindings

The <orawsp:bindings> element defines the bindings in the assertion. This element contains the orawsp:Config subelement.

Example

<orawsp:bindings>
  <orawsp:Config orawsp:configType="declarative" 
   orawsp:name="Wss11SamlWithCertsConfig">
    <orawsp:PropertySet orawsp:name="standard-security-properties">
      <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
       orawsp:type="string">
        <orawsp:Value>ultimateReceiver</orawsp:Value>
      </orawsp:Property>
    </orawsp:PropertySet>
  </orawsp:Config>
</orawsp:bindings>

orawsp:Config

The <orawsp:Config> element defines the configuration for the assertion. This element can contain the orawsp:PropertySet subelement.

Attributes

The following table summarizes the attributes of the <orawsp:Config> element.

Table D-4 Attributes of <orawsp:Config> Element

Attribute Description

name

Name of the configuration.

type

Category to which the configuration applies.

configType

Configuration type. Valid values include: declarative and programmatic.

  • declarative—Use deployment descriptors and configuration files to describe authentication and authorization requirements.

  • programmatic—Embed security enforcement within the application.


Example

<orawsp:Config orawsp:configType="declarative" 
 orawsp:name="Wss11SamlWithCertsConfig">
  <orawsp:PropertySet orawsp:name="standard-security-properties">
    <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
     orawsp:type="string">
      <orawsp:Value>ultimateReceiver</orawsp:Value>
    </orawsp:Property>
  </orawsp:PropertySet>
</orawsp:Config>

orawsp:PropertySet

The <orawsp:PropertySet> element groups nested properties. This element contains the orawsp:Property subelement.

Attributes

The following table summarizes the attributes of the <orawsp:PropertySet> element.

Table D-5 Attributes of <orawsp:PropertySet> Element

Attribute Description

name

Name of the property set.


Example

<orawsp:PropertySet orawsp:name="standard-security-properties">
  <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
   orawsp:type="string">
    <orawsp:Value>ultimateReceiver</orawsp:Value>
  </orawsp:Property>
</orawsp:PropertySet>

orawsp:Property

The <orawsp:Property> element defines a single property. Table D-7 lists the properties used by the predefined assertions.

The <orawsp:Property> element can contain the orawsp:Description and orawsp:Value subelements.

Attributes

The following table summarizes the attributes of the <orawsp:Property> element.

Table D-6 Attributes of <orawsp:Property> Element

Attribute Description

name

Name of the property. See Table D-7 for a list of property values used by the predefined assertions.

type

Type of the property. For example, string.

contentType

Specifies whether the property is required and can be overridden. Valid values include:

  • constant—Property is a constant value and cannot be overridden.

  • required—Property is required and can be overridden.

  • optional—Property is optional and can be overridden.

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".


The following table summarizes the properties used by the predefined assertions.

Table D-7 Properties Used by the Predefined Assertions

Property Description

action

Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.

attesting.mapping.attribute

The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies.

BaseRetransmissionInterval

Interval, in milliseconds, that the source endpoint waits after transmitting a message and before it retransmits the message.

If the source endpoint does not receive an acknowledgement for a given message within the interval specified by this element, the source endpoint retransmits the message. The source endpoint can modify this retransmission interval at any point during the lifetime of the sequence of messages. This assertion does not alter the formulation of messages as transmitted, only the timing of their transmission.

This value defaults to 3000.

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. The default value is basic.credentials.

DeliveryAssurance

Delivery assurance. Valid values include:

  • InOrder—Messages are delivered in the order they were sent. This is the default.

  • AtLeastOnce—Every message is delivered at least once. It is possible that some messages are delivered more than once.

  • AtLeastOnceInOrder—Every message is delivered at least once and in the order they were sent. It is possible that some messages are delivered more than once.

  • ExactlyOnce—Every message is delivered exactly once, without duplication.

  • ExactlyOnceInOrder—Every message is delivered exactly once, without duplication, and in the order they were sent.

  • AtMostOnce—Messages are delivered at most once, without duplication. It is possible that some messages may not be delivered at all.

  • AtMostOnceInOrder—Messages are delivered at most once, without duplication and in the order received. It is possible that some messages may not be delivered at all.

jdbc-connection-name

JNDI reference to a JDBC data store. Valid when the StoreType is set to JDBC. This value defaults to jdbc/MessagesStore.

InactivityTimeout

Period of inactivity (in milliseconds) for a sequence of messages. A sequence of messages is defined as a set of messages, identified by a unique sequence number, for which a particular delivery assurance applies; typically a sequence originates from a single source endpoint. If, during the duration specified by this element, a destination endpoint has received no messages from the source endpoint, the destination endpoint may consider the sequence to have been terminated due to inactivity. The same applies to the source endpoint.

This value defaults to 600000.

keystore.enc.csf.key

If you set this value, you can then override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides".

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Can be superseded by "Using Service Identity Certification Extension".

on.behalf.of

Override this property to indicate whether the request is on behalf of another entity. The default value for this flag is false.

permission-class

Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission.

realm

HTTP realm. This value defaults to owsm.

resource

Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

role

SOAP role. This value defaults to ultimateReceiver.

saml.assertion.filename

File containing SAML assertions. This value defaults to temp.

saml.audience.uri

Represents the relying party, as a comma-separated list of URIs. This field accepts wildcards.

saml.issuer.name

Name of the issuer of the SAML token. This value defaults to www.oracle.com.

saml.trusted.issuers

A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level.

service.principal.name

Kerberos principal name that identifies the service.

StoreName

Name of the message store. This value defaults to oracle.

StoreType

Type of message store. Valid values include:

  • InMemory—Messages are stored in memory. This is the default.

  • JDBC—Messages are stored using JDBC.

sts.auth.caller.principal.name

Client's principal name as generated using the ktpass command and mapped to the username for which the Kerberos token should be generated. It is of the format <username>@<REALM NAME>.

sts.auth.keytab.location

Location of the client's keytab file.

sts.auth.on.behalf.of.csf.key

Used to configure the "on behalf of" entity. If present, it takes precedence over the Subject (if one exists).

sts.auth.service.principal.name

Principal name for the Web service that needs to be protected. It is of the format <host>/<machine name>@<REALM NAME>. For example, HTTP/mymachine@MYREALM.COM.

sts.auth.user.csf.key

Used to configure the username and password for authenticating to the STS.

If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.

sts.auth.x509.csf.key

Used to configure the X509 certificate for authenticating to the STS.

If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.

sts.keystore.recipient.alias

The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.

subject.precedence

Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject.

If subject.precedence is true, the user name to create the SAML assertion is obtained only from the Subject. Similarly, if subject.precedence is false, the user name to create the SAML assertion is obtained only from the csf-key username property.

user.attributes

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion.

user.roles.include

SOAP roles to be included. This value defaults to false.


Example

<orawsp:PropertySet orawsp:name="standard-security-properties">
  <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
   orawsp:type="string">
    <orawsp:Value>ultimateReceiver</orawsp:Value>
  </orawsp:Property>
</orawsp:PropertySet>
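The nesting described above (wsp:Policy, optional wsp:ExactlyOne OR group, assertion elements, then orawsp:bindings/Config/PropertySet/Property) and the contentType override rules in Table D-6, as an added Python example that is not Oracle code and not part of this guide: it parses a policy document and lists which properties a client attachment could override. The sample policy, the alias value peer-cert-alias and the treatment of a missing Enforced or Silent attribute as "false" are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "orawsp": "http://schemas.oracle.com/ws/2006/01/policy",
    "orasp": "http://schemas.oracle.com/ws/2006/01/securitypolicy",
}
ORAWSP = "{%s}" % NS["orawsp"]      # Clark notation for orawsp:* attributes

# Constructed sample: an OR group with two alternatives; the first carries one
# property of each contentType (constant, required, optional).
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:orawsp="%(orawsp)s"
    xmlns:orasp="%(orasp)s" Name="oracle/demo_client_policy"
    orawsp:attachTo="binding.client" orawsp:category="security" orawsp:status="enabled">
  <wsp:ExactlyOne orawsp:name="Or">
    <orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
        orawsp:category="security/msg-protection, security/authentication"
        orawsp:name="WS-Security 1.1 Saml with certificates">
      <orawsp:bindings>
        <orawsp:Config orawsp:configType="declarative" orawsp:name="DemoConfig">
          <orawsp:PropertySet orawsp:name="standard-security-properties">
            <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
              <orawsp:Value>ultimateReceiver</orawsp:Value>
            </orawsp:Property>
            <orawsp:Property orawsp:contentType="required" orawsp:name="csf-key" orawsp:type="string">
              <orawsp:Value>basic.credentials</orawsp:Value>
            </orawsp:Property>
            <orawsp:Property orawsp:contentType="optional"
                orawsp:name="keystore.recipient.alias" orawsp:type="string">
              <orawsp:DefaultValue>peer-cert-alias</orawsp:DefaultValue>
            </orawsp:Property>
          </orawsp:PropertySet>
        </orawsp:Config>
      </orawsp:bindings>
    </orasp:wss11-saml-with-certificates>
    <orasp:wss11-username-with-certificates orawsp:Enforced="false"
        orawsp:Silent="true" orawsp:category="security/authentication"
        orawsp:name="WS-Security 1.1 username with certificates"/>
  </wsp:ExactlyOne>
</wsp:Policy>""" % NS


def _local(tag):
    # Strip the {namespace} prefix that ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]


def _properties(assertion):
    """Collect orawsp:Property entries under bindings/Config/PropertySet."""
    path = "orawsp:bindings/orawsp:Config/orawsp:PropertySet/orawsp:Property"
    props = []
    for prop in assertion.iterfind(path, NS):
        # The predefined policies use either a Value or a DefaultValue child.
        val = prop.find("orawsp:Value", NS)
        if val is None:
            val = prop.find("orawsp:DefaultValue", NS)
        props.append({
            "name": prop.get(ORAWSP + "name"),
            "type": prop.get(ORAWSP + "type"),
            "contentType": prop.get(ORAWSP + "contentType"),
            "value": (val.text or "").strip() if val is not None else None,
        })
    return props


def _assertion(elem, in_or_group):
    categories = elem.get(ORAWSP + "category", "")
    return {
        "element": _local(elem.tag),
        "name": elem.get(ORAWSP + "name"),
        # Assumption: a missing Enforced/Silent attribute is read as "false".
        "enforced": elem.get(ORAWSP + "Enforced") == "true",
        "silent": elem.get(ORAWSP + "Silent") == "true",
        "categories": [c.strip() for c in categories.split(",") if c.strip()],
        "in_or_group": in_or_group,
        "properties": _properties(elem),
    }


def parse_policy(xml_text):
    """Return the policy attributes and its assertions; OR groups are flattened."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Policy":
        raise ValueError("root is %s, expected wsp:Policy" % _local(root.tag))
    assertions = []
    for child in root:
        if _local(child.tag) == "ExactlyOne":   # OR group: each child is one alternative
            assertions.extend(_assertion(alt, True) for alt in child)
        else:
            assertions.append(_assertion(child, False))
    return {
        "name": root.get("Name"),
        "attachTo": root.get(ORAWSP + "attachTo"),
        "status": root.get(ORAWSP + "status"),
        "assertions": assertions,
    }


def overridable_properties(policy):
    """Properties a client may override: contentType required or optional
    (a constant property cannot be overridden), per Table D-6 above."""
    return [(a["element"], p["name"], p["contentType"])
            for a in policy["assertions"] for p in a["properties"]
            if p["contentType"] in ("required", "optional")]
```

Reviewing the overridable list before attaching a client policy tells you which trust-relevant settings (here the peer certificate alias and the credential key) a caller can change at attachment time.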

orawsp:Description

The <orawsp:Description> element provides a description of the property.

Example

<orawsp:Description>My description.</orawsp:Description>

orawsp:Value

The <orawsp:Value> element provides a list of valid values for the property.

Example

<orawsp:Value>ultimateReceiver</orawsp:Value>

orawsp:guard

The <orawsp:guard> element defines the resource, action, and constraint match values.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

<orawsp:guard>
  <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV'
    || messageContext.requestOrigin == 'internal')}
  </orawsp:constraint-match>
</orawsp:guard>

orawsp:resource-match

The <orawsp:resource-match> element specifies the name of the resource for which authorization checks are performed. This field accepts wildcards.

For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

orawsp:action-match

The <orawsp:action-match> element specifies the action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.

Examples

<orawsp:guard>
  <orawsp:resource-match>
    http://project11/CreditValidation
  </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>

orawsp:constraint-match

The <orawsp:constraint-match> element specifies the constraints against which authorization checks are performed. The value is an expression specified using the following two messageContext properties:

  • messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV.

  • messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP server administrator has added a custom VIRTUAL_HOST_TYPE header to the request.

The properties and their values are case sensitive. The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.

Note:

This element is supported with the binding-authorization element only. For other authorization assertion elements, this field is reserved for future use.

Example

<orawsp:guard>
  <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV'
    || messageContext.requestOrigin == 'internal')}
  </orawsp:constraint-match>
</orawsp:guard>
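The guard matching described in the orawsp:guard, resource-match, action-match and constraint-match sections above, as an added Python example that is not Oracle's implementation: it parses a guard fragment and evaluates it against a request's resource, action and messageContext properties. The fnmatch-style wildcard handling, the operator precedence and the treatment of an unset messageContext property as matching no literal are my assumptions; the two sample guards are constructed to mirror the examples above.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"orawsp": "http://schemas.oracle.com/ws/2006/01/policy"}
# Constraint-language tokens: dotted names, quoted strings, ==, !=, &&, ||, !, ( ).
_TOKEN = re.compile(r"\s*(==|!=|&&|\|\||[!()]|'[^']*'|[A-Za-z_][\w.]*)")


class _Constraint:
    """Recursive-descent evaluator: or -> and -> comparison -> unary/primary."""
    def __init__(self, text, ctx):
        self.toks, self.pos, self.ctx, text = [], 0, ctx, text.strip()
        while text:                      # scan left to right, reject unknown input
            m = _TOKEN.match(text)
            if not m:
                raise ValueError("bad token near %r" % text[:10])
            self.toks.append(m.group(1))
            text = text[m.end():]

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.pos += 1
        return tok

    def evaluate(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens %r" % self.toks[self.pos:])
        return bool(value)

    def _or(self):
        value = self._and()
        while self._peek() == "||":
            self._take()
            value = self._and() or value     # right side parsed before combining
        return value

    def _and(self):
        value = self._comparison()
        while self._peek() == "&&":
            self._take()
            value = self._comparison() and value
        return value

    def _comparison(self):
        left = self._primary()
        if self._peek() not in ("==", "!="):
            return left
        op = self._take()
        return left == self._primary() if op == "==" else left != self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "!":                       # unary not binds tighter than ==
            return not self._primary()
        if tok == "(":
            value = self._or()
            self._take(")")
            return value
        if tok.startswith("'"):
            return tok[1:-1]
        if tok.startswith("messageContext."):
            # Case sensitive, as the page states; an unset property is None (assumption).
            return self.ctx.get(tok[len("messageContext."):])
        raise ValueError("unexpected token %r" % tok)


def match_list(pattern_text, value):
    """Comma-separated patterns with wildcards (fnmatch semantics: my assumption)."""
    patterns = [p.strip() for p in pattern_text.split(",") if p.strip()]
    return any(fnmatchcase(value, p) for p in patterns)


def guard_permits(guard_xml, resource, action, message_context):
    # True when the request satisfies every match element present in the guard.
    guard = ET.fromstring(guard_xml)
    for tag, value in (("resource-match", resource), ("action-match", action)):
        elem = guard.find("orawsp:" + tag, NS)
        if elem is not None and not match_list(elem.text or "", value):
            return False
    cm = guard.find("orawsp:constraint-match", NS)
    if cm is None:
        return True
    expr = (cm.text or "").strip()
    if expr.startswith("${") and expr.endswith("}"):   # unwrap ${...}
        expr = expr[2:-1]
    return _Constraint(expr, message_context).evaluate()


# Constructed guards shaped like the examples on this page.
GUARD_CREDIT = """<orawsp:guard xmlns:orawsp="%s">
  <orawsp:resource-match> http://project11/CreditValidation </orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>""" % NS["orawsp"]
GUARD_CONSTRAINT = """<orawsp:guard xmlns:orawsp="%s">
  <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV'
    || messageContext.requestOrigin == 'internal')}</orawsp:constraint-match>
</orawsp:guard>""" % NS["orawsp"]
```

Running the constraint guard with requestOrigin set to "Internal" shows why the case-sensitivity note matters: the request is permitted because the value does not equal 'internal'.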

oralgp:Logging

The <oralgp:Logging> element defines the logging policy.

The <oralgp:Logging> element contains the following subelements:

Example

<oralgp:Logging orawsp:Enforced="false" orawsp:Silent="true"
 orawsp:category="security/logging" orawsp:name="Log Message1">
  <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
  </oralgp:msg-log>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</oralgp:Logging>

orasp:binding-authorization

The <orasp:binding-authorization> element defines a simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.

The <orasp:binding-authorization> element contains the following subelements:

It also contains one of the following subelements:

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>

orasp:binding-permission-authorization

The <orasp:binding-permission-authorization> element defines simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.

The <orasp:binding-permission-authorization> element contains the following subelements:

Example

<orasp:binding-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="BindingPermissionAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:binding-permission-authorization>

orasp:coreid-security

The <orasp:coreid-security> element uses the credentials in the WS-Security header's binary security token to authenticate users against the Oracle Access Manager identity store.

It contains the following subelements:

Example

<orasp:coreid-security orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authentication, security/authorization" 
 orawsp:name="OAM Security">
  <orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="CoreIdConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:coreid-security>

orasp:http-security

The <orasp:http-security> element uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store.

It contains the following subelements:

Example

<orasp:http-security orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="Http over SSL Security">
  <orasp:auth-header orasp:mechanism="basic"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="realm" 
         orawsp:type="string">
          <orawsp:Value>owsm</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-security>

orasp:kerberos-security

The <orasp:kerberos-security> element enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

It contains the following subelements:

Example

<orasp:kerberos-security orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSS Kerberos Token">
  <orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" 
   orasp:type="gss-apreq-v5"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="KerberosSecurityConfig"/>
  </orawsp:bindings>
</orasp:kerberos-security>

orasp:sca-component-authorization

The <orasp:sca-component-authorization> element defines simple role-based authorization for the request based on the authenticated subject at the SOA component level.

The <orasp:sca-component-authorization> element contains the following subelement:

It also contains one of the following subelements:

Example

<orasp:sca-component-authorization orawsp:Enforced="true" orawsp:Silent="true"
 orawsp:category="security/authorization" orawsp:name="Fabric Component Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative"  
     orawsp:name="FabricAuthzConfig"/>
  </orawsp:bindings>
</orasp:sca-component-authorization>

orasp:sca-component-permission-authorization

The <orasp:sca-component-permission-authorization> element provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.

The <orasp:sca-component-permission-authorization> element contains the following subelements:

Example

<orasp:sca-component-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="Fabric Component Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="FabricAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" 
         orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:sca-component-permission-authorization>

orasp:sts-trust-config

The <orasp:sts-trust-config> element provides a mechanism to invoke the STS for token exchange.

It contains the following subelements:

Attributes

The following table summarizes the attributes of the <orasp:sts-trust-config> element.

Table D-8 Attributes of <orasp:sts-trust-config> Element

Attribute Description

wsdl-uri

The actual endpoint URI of the WSDL.

port-uri

The actual endpoint URI of the STS port. For example, http://host:port/context-root/service1.

port-endpoint

The endpoint of the STS Web service.

For a WSDL 2.0 STS, the format is specified as target-namespace#wsdl.endpoint(service-name/port-name). For example, http://samples.otn.com.LoanFlow#wsdl.endpoint(LoanFlowService/LoanFlowPort)

For a WSDL 1.1 STS, the format is specified as targetnamespace#wsdl11.endpoint(servicename/portname). For example, http://samples.otn.com.LoanFlow#wsdl11.endpoint(LoanFlowService/LoanFlowPort).

policy-reference-uri

The client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL.

soap-version

SOAP version.

sts-keystore-recipient-alias

The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.


Example

<orasp:sts-trust-config
 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
 xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
 orasp:policy-reference-uri="oracle/wss10_username_token_with_message_protection_client_policy"
 orasp:port-endpoint="target-namespace#wsdl.endpoint(service-name/port-name)"
 orasp:port-uri="http://host:port/sts-service" orasp:soap-version="12"
 orasp:sts-keystore-recipient-alias="sts-csf-key"
 orasp:wsdl-uri="http://host:port/sts?wsdl" orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/sts-config"
 orawsp:name="STS Trust Configuration">
<orawsp:bindings>
<orawsp:Config orawsp:configType="declarative" orawsp:name="StsTrustConfig">
<orawsp:PropertySet orawsp:name="standard-security-properties">
<orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
<orawsp:Value>ultimateReceiver</orawsp:Value>
</orawsp:Property>
</orawsp:PropertySet>
</orawsp:Config>
</orawsp:bindings>
</orasp:sts-trust-config>

orasp:wss10-anonymous-with-certificates

The <orasp:wss10-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

Example

<orasp:wss10-anonymous-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" orawsp:category="security/msg-protection" 
orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-anonymous-with-certificates>

orasp:wss10-mutual-auth-with-certificates

The <orasp:wss10-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss10-mutual-auth-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 Mutual Auth with 
 certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-mutual-auth-with-certificates>

orasp:wss10-saml-hok-with-certificates

The <orasp:wss10-saml-hok-with-certificates> element provides message protection (integrity and confidentiality) and SAML holder-of-key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

  • orasp:saml-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss10-saml-hok-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 SAML Holder Of Key
 with certificates">
  <orasp:saml-token orasp:confirmation-type="holder-of-key" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" 
   orasp:sign-key-ref-mech="ski"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128"     
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
        <orasp:encrypted-parts>
          <orasp:body/>
        </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10SamlHOKWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" 
         orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
          orawsp:name="saml.assertion.filename" orawsp:type="string">
          <orawsp:Value>temp</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-hok-with-certificates>

orasp:wss10-saml-token

The <orasp:wss10-saml-token> element authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

It contains the following subelements:

  • orasp:saml-token

  • orawsp:bindings

Example

<orasp:wss10-saml-token orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSSecurity SAML Token">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
           orawsp:type="string">
            <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-token>

orasp:wss10-saml-with-certificates

The <orasp:wss10-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

  • orasp:saml-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss10-saml-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.0 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-with-certificates>

orasp:wss10-username-with-certificates

The <orasp:wss10-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

It contains the following subelements:

  • orasp:username-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss10-username-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WS-Security 1.0 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
   </orasp:response>
   <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-username-with-certificates>

orasp:wss11-anonymous-with-certificates

The <orasp:wss11-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss11-anonymous-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" orawsp:category="security/msg-protection" 
 orawsp:name="WS-Security 1.1 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-anonymous-with-certificates>

orasp:wss11-mutual-auth-with-certificates

The <orasp:wss11-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true"
  orawsp:Silent="false" orawsp:category="security/authentication,
  security/msg-protection" 
  orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
   orasp:is-encrypted="false" orasp:is-signed="true" 
   orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128"
   orasp:confirm-signature="false" orasp:encrypt-signature="false" 
   orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
   orasp:use-derived-keys="false">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" 
         orawsp:type="string">
           <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
     </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-mutual-auth-with-certificates>

orasp:wss11-saml-with-certificates

The <orasp:wss11-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

  • orasp:saml-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss11-saml-with-certificates orawsp:Enforced="true" 
 orawsp:Silent="false" orawsp:category="security/authentication, 
 security/msg-protection" orawsp:name="WS-Security 1.1 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-saml-with-certificates>

orasp:wss11-sts-issued-token-with-certificates

The <orasp:wss11-sts-issued-token-with-certificates> element enforces insertion of an assertion issued by a trusted STS. Messages are protected using proof key material provided by the STS, the client, or both.

It contains the following subelements:

  • orasp:issued-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Attributes

The following table summarizes the attributes of the <orasp:wss11-sts-issued-token-with-certificates> element.

Table D-9 Attributes of <orasp:wss11-sts-issued-token-with-certificates> Element

Attribute Description

trust-version

WS-Trust version. The value 13 in the example denotes WS-Trust 1.3.

require-client-entropy

If a symmetric proof key is required by the Web service's security policy, this flag specifies whether the requestor (the client) passes its own key material (entropy) to the STS for inclusion in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.

require-server-entropy

If a symmetric proof key is required by the Web service's security policy, this flag specifies whether the STS contributes its own key material (entropy) to the calculation of the proof key. When both the client and the STS supply entropy, the proof key is computed from both; when only one side supplies entropy, that material becomes the proof key.

require-applies-to

Flag that specifies whether Oracle WSM sends the optional AppliesTo element of the RST, which carries the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the AppliesTo element in the message from the client to the STS.

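The two entropy flags above decide who contributes to the symmetric proof key, and the key itself never travels on the wire when both sides contribute. The following Python script is an added example, not Oracle WSM code or part of this appendix: it implements the WS-Trust 1.3 computed-key function (P_SHA1 over the requestor's entropy as HMAC secret and the issuer's entropy as seed, the .../ws-trust/200512/CK/PSHA1 algorithm) and shows that client and STS derive the same 128-bit key for the Basic128 suite. It also covers the one-sided cases the flags allow. The entropy constants are constructed for the example and the function names are the example's own.

```python
"""Proof-key derivation for an STS-issued symmetric token.

Added example, not Oracle WSM code. With require-client-entropy="true",
require-server-entropy="true" and a request-security-token-template asking
for key-type="Symmetric", both parties contribute entropy and WS-Trust 1.3
defines the proof key as P_SHA1(requestor entropy, issuer entropy) cut to
the requested key size (ComputedKey algorithm .../ws-trust/200512/CK/PSHA1).
P_SHA1 is the TLS 1.0 P_hash construction over HMAC-SHA1.
"""
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(client_entropy: bytes, sts_entropy: bytes, key_size_bits: int) -> bytes:
    """wst:ComputedKey/PSHA1: the requestor's entropy is the HMAC secret, the
    issuer's entropy is the seed, and the result is truncated to KeySize bits."""
    if key_size_bits % 8:
        raise ValueError("KeySize must be a whole number of bytes")
    return p_sha1(client_entropy, sts_entropy, key_size_bits // 8)


def proof_key(client_entropy, sts_entropy, key_size_bits: int) -> bytes:
    """Proof key as seen by either party for the entropy combinations the
    require-*-entropy flags allow. With only one side contributing, that
    side's material is the key (an STS-only key is returned in the
    RequestedProofToken); with neither, no symmetric proof key exists."""
    if client_entropy and sts_entropy:
        return computed_key(client_entropy, sts_entropy, key_size_bits)
    if client_entropy:
        return client_entropy[: key_size_bits // 8]
    if sts_entropy:
        return sts_entropy[: key_size_bits // 8]
    raise ValueError("no entropy from either party; no symmetric proof key")


# Constructed entropy values for the example. A real client draws its value
# from os.urandom and sends it in wst:Entropy/wst:BinarySecret; the STS
# answers with its own entropy in the RSTR.
CLIENT_ENTROPY = bytes.fromhex("00112233445566778899aabbccddeeff")
STS_ENTROPY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo() -> bool:
    """Both ends derive the Basic128 (128-bit) proof key on their own from
    the two entropy values exchanged in the RST/RSTR and must agree."""
    fresh_client = os.urandom(16)   # what a real client would send
    fresh_sts = os.urandom(16)      # what a real STS would answer with
    client_view = proof_key(fresh_client, fresh_sts, 128)
    sts_view = proof_key(fresh_client, fresh_sts, 128)
    return client_view == sts_view and len(client_view) == 16


if __name__ == "__main__":
    print("Basic128 proof key:", computed_key(CLIENT_ENTROPY, STS_ENTROPY, 128).hex())
    print("both sides agree:", demo())
```

Because the key is a function of both contributions, neither the client nor the STS can choose it unilaterally, which is the reason to keep both require-client-entropy and require-server-entropy set to true when the template asks for a symmetric key.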

Example

<orasp:wss11-sts-issued-token-with-certificates
xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
orasp:require-applies-to="true" orasp:require-client-entropy="true"
orasp:require-server-entropy="true" orasp:trust-version="13"
orawsp:Enforced="true" orawsp:Silent="false"
orawsp:category="security/authentication, security/msg-protection"
orawsp:name="WS-Security 1.1, issued token">
<orasp:issued-token orasp:require-external-reference="true"
orasp:require-internal-reference="true" orasp:use-derived-keys="false">
<orasp:request-security-token-template orasp:algorithm-suite="Basic128"
orasp:key-type="Symmetric" orasp:token-type="SAML11"/>
</orasp:issued-token>
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
orasp:is-signed="true" orasp:sign-key-ref-mech="thumbprint"/>
<orasp:msg-security orasp:algorithm-suite="Basic128"
orasp:confirm-signature="true" orasp:encrypt-signature="false"
orasp:include-timestamp="true" orasp:sign-then-encrypt="true"
orasp:use-derived-keys="false">
<orasp:request>
<orasp:signed-parts>
<orasp:body/>
<orasp:header orasp:namespace="http://www.w3.org/2005/08/addressing"/>
<orasp:header orasp:namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<orasp:header orasp:name="fmw-context" orasp:namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</orasp:signed-parts>
<orasp:encrypted-parts>
<orasp:body/>
<orasp:header orasp:name="fmw-context" orasp:namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</orasp:encrypted-parts>
</orasp:request>
<orasp:response>
<orasp:signed-parts>
<orasp:body/>
</orasp:signed-parts>
<orasp:encrypted-parts>
<orasp:body/>
</orasp:encrypted-parts>
</orasp:response>
<orasp:fault/>
</orasp:msg-security>
<orawsp:bindings>
<orawsp:Config orawsp:configType="declarative"
 orawsp:name="Wss11StsIssuedTokenWithCertsConfig">
<orawsp:PropertySet orawsp:name="standard-security-properties">
<orawsp:Property orawsp:contentType="optional"
 orawsp:name="sts.auth.user.csf.key" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional"
 orawsp:name="sts.auth.x509.csf.key" orawsp:type="string">
<orawsp:Value>enc-csf-key</orawsp:Value>
</orawsp:Property>
<orawsp:Property orawsp:name="on.behalf.of" orawsp:type="boolean">
<orawsp:Value>false</orawsp:Value>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional"
 orawsp:name="sts.auth.on.behalf.of.csf.key" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>
<orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
<orawsp:Value>orakey</orawsp:Value>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.enc.csf.key"
 orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional"
 orawsp:name="sts.auth.service.principal.name" orawsp:type="string">
<orawsp:Value>HOST/localhost@EXAMPLE.COM</orawsp:Value>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional"
 orawsp:name="sts.auth.keytab.location" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>
<orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.caller.principal.name" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>
</orawsp:PropertySet>
</orawsp:Config>
</orawsp:bindings>
</orasp:wss11-sts-issued-token-with-certificates>

orasp:wss11-username-with-certificates

The <orasp:wss11-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

It contains the following subelements:

  • orasp:username-token

  • orasp:x509-token

  • orasp:msg-security

  • orawsp:bindings

Example

<orasp:wss11-username-with-certificates orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WS-Security 1.1 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" 
   orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" 
   orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" 
   orasp:encrypt-signature="false" orasp:include-timestamp="true" 
   orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
   </orasp:response>
   <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="Wss11UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-username-with-certificates>

orasp:wss-saml-token-bearer-over-ssl

The <orasp:wss-saml-token-bearer-over-ssl> element authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

It contains the following subelements:

  • orasp:saml-token

  • orasp:require-tls

  • orawsp:bindings

Example

<orasp:wss-saml-token-bearer-over-ssl orawsp:Enforced="true"
 orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity Saml Token With Confirmation method Bearer Over SSL ">
  <orasp:saml-token orasp:confirmation-type="bearer" orasp:is-encrypted="false" 
   orasp:is-signed="false" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenBearerOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-bearer-over-ssl>

orasp:wss-saml-token-over-ssl

The <orasp:wss-saml-token-over-ssl> element enforces the authentication of credentials provided via a SAML token within the WS-Security SOAP header, using the sender-vouches confirmation type.

It contains the following subelements:

  • orasp:saml-token

  • orasp:require-tls

  • orawsp:bindings

Example

<orasp:wss-saml-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" 
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity SAML Token Over SSL">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" 
   orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="true"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssSamlTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-over-ssl>

orasp:wss-sts-issued-token-over-ssl

The <orasp:wss-sts-issued-token-over-ssl> element enforces authentication of a SAML assertion issued by a trusted STS. Messages are protected using SSL.

It contains the following subelements:

  • orasp:issued-token

  • orasp:require-tls

  • orawsp:bindings

Attributes

The following table summarizes the attributes of the <orasp:wss-sts-issued-token-over-ssl> element.

Table D-10 Attributes of <orasp:wss-sts-issued-token-over-ssl> Element

Attribute Description

trust-version

WS-Trust version. The value 13 in the example denotes WS-Trust 1.3.

require-client-entropy

If a symmetric proof key is required by the Web service's security policy, this flag specifies whether the requestor (the client) passes its own key material (entropy) to the STS for inclusion in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.

require-server-entropy

If a symmetric proof key is required by the Web service's security policy, this flag specifies whether the STS contributes its own key material (entropy) to the calculation of the proof key. When both the client and the STS supply entropy, the proof key is computed from both; when only one side supplies entropy, that material becomes the proof key.

require-applies-to

Flag that specifies whether Oracle WSM sends the optional AppliesTo element of the RST, which carries the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the AppliesTo element in the message from the client to the STS.


Example

<orasp:wss-sts-issued-token-over-ssl
xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
orasp:require-applies-to="true" orasp:require-client-entropy="true"
orasp:require-server-entropy="true" orasp:trust-version="13"
orawsp:Enforced="true" orawsp:Silent="false"
orawsp:category="security/authentication, security/msg-protection"
orawsp:name="WS-Security 1.1, issued token over ssl">
<orasp:issued-token orasp:require-external-reference="true"
orasp:require-internal-reference="true" orasp:use-derived-keys="false">
<orasp:request-security-token-template orasp:key-type="Bearer" orasp:token-type="SAML11"/>
</orasp:issued-token>
<orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
<orawsp:bindings>
<orawsp:Config orawsp:configType="declarative" orawsp:name="WssStsIssuedTokenOverSSLConfig">
<orawsp:PropertySet orawsp:name="standard-security-properties">
<orawsp:Property orawsp:contentType="constant" orawsp:name="role"
 orawsp:type="string">
<orawsp:Value>ultimateReceiver</orawsp:Value>
</orawsp:Property>
</orawsp:PropertySet>
</orawsp:Config>
</orawsp:bindings>
</orasp:wss-sts-issued-token-over-ssl>

orasp:wss-username-token

The <orasp:wss-username-token> element enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header.

It contains the following subelements:

  • orasp:username-token

  • orawsp:bindings

Example

<orasp:wss-username-token orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication"
 orawsp:name="WSSecurity UserName Token">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssUsernameTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token>

orasp:wss-username-token-over-ssl

The <orasp:wss-username-token-over-ssl> element uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store.

It contains the following subelements:

  • orasp:username-token

  • orasp:require-tls

  • orawsp:bindings

Example

<orasp:wss-username-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication, security/msg-protection" 
 orawsp:name="WSSecurity UserName Token Over SSL">
  <orasp:username-token orasp:add-created="true" orasp:add-nonce="true" 
   orasp:is-encrypted="true" orasp:is-signed="true" 
   orasp:password-type="plaintext"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" 
     orawsp:name="WssUsernameTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" 
         orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token-over-ssl>
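The token assertions above differ in only a handful of attributes (password-type, add-nonce, add-created, is-signed, the presence of require-tls or msg-security, include-timestamp), and those attributes decide whether a captured message is useful to an attacker. The following Python script is an added example, not Oracle WSM code or part of this appendix: it parses assertion fragments of the kind shown here with the standard library and reports the settings a security reviewer would question. The sample policies are constructed from the wss-username-token, wss-username-token-over-ssl and wss10-saml-token examples, trimmed to the token and transport elements and given the namespace declarations they need to parse on their own; the finding codes and the choice of checks are the script's own.

```python
"""Review helper for orasp:* assertion fragments.

Added example, not Oracle WSM code. It parses one assertion with the
standard library and flags settings a security reviewer would question.
The three sample policies are constructed from examples in this appendix,
trimmed to the token and transport elements, with namespace declarations
added so they parse stand-alone. Finding codes are this example's own.
"""
import xml.etree.ElementTree as ET

ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"
NS = {"orasp": ORASP, "orawsp": ORAWSP}
XMLNS = f'xmlns:orasp="{ORASP}" xmlns:orawsp="{ORAWSP}"'

USERNAME_TOKEN = f"""
<orasp:wss-username-token {XMLNS} orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSSecurity UserName Token">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
   orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
</orasp:wss-username-token>"""

USERNAME_TOKEN_OVER_SSL = f"""
<orasp:wss-username-token-over-ssl {XMLNS} orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication, security/msg-protection"
 orawsp:name="WSSecurity UserName Token Over SSL">
  <orasp:username-token orasp:add-created="true" orasp:add-nonce="true"
   orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
</orasp:wss-username-token-over-ssl>"""

SAML_TOKEN = f"""
<orasp:wss10-saml-token {XMLNS} orawsp:Enforced="true" orawsp:Silent="false"
 orawsp:category="security/authentication" orawsp:name="WSSecurity SAML Token">
  <orasp:saml-token orasp:confirmation-type="sender-vouches"
   orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
</orasp:wss10-saml-token>"""


def _a(elem, name, default=None):
    """Read an orasp:-qualified attribute (ElementTree stores it in Clark notation)."""
    return elem.get(f"{{{ORASP}}}{name}", default)


def lint(policy_xml: str) -> list:
    """Return (code, message) findings for one assertion fragment."""
    root = ET.fromstring(policy_xml)
    findings = []
    tls = root.find("orasp:require-tls", NS)
    msg_sec = root.find("orasp:msg-security", NS)
    channel_protected = tls is not None or msg_sec is not None

    for tok in root.findall("orasp:username-token", NS):
        if _a(tok, "password-type") == "plaintext" and not channel_protected:
            findings.append(("PLAINTEXT_PASSWORD_UNPROTECTED",
                "password-type=plaintext with neither require-tls nor msg-security in "
                "this assertion: the password is exposed unless transport security is "
                "enforced elsewhere"))
        if _a(tok, "add-nonce") != "true" or _a(tok, "add-created") != "true":
            findings.append(("USERNAME_TOKEN_REPLAYABLE",
                "add-nonce and add-created are not both true: a captured UsernameToken "
                "can be replayed"))

    for tok in root.findall("orasp:saml-token", NS):
        conf = _a(tok, "confirmation-type")
        if conf == "bearer" and not channel_protected:
            findings.append(("BEARER_UNPROTECTED",
                "bearer assertion with no TLS or message protection: whoever obtains "
                "the assertion can present it"))
        if conf == "sender-vouches" and _a(tok, "is-signed") != "true":
            findings.append(("SENDER_VOUCHES_UNSIGNED",
                "sender-vouches assertion is not signed together with the message: "
                "the vouching sender is not authenticated by this assertion alone"))

    for elem in (tls, msg_sec):
        if elem is not None and _a(elem, "include-timestamp") != "true":
            findings.append(("NO_TIMESTAMP",
                "include-timestamp is not true: no freshness window on messages"))

    if msg_sec is not None and _a(msg_sec, "algorithm-suite", "").startswith("TripleDes"):
        findings.append(("LEGACY_SUITE", "3DES algorithm suite: prefer Basic128 or stronger"))
    return findings


def codes(policy_xml: str) -> set:
    """Just the finding codes, for comparing two policies side by side."""
    return {code for code, _ in lint(policy_xml)}


if __name__ == "__main__":
    for name, policy in (("wss-username-token", USERNAME_TOKEN),
                         ("wss-username-token-over-ssl", USERNAME_TOKEN_OVER_SSL),
                         ("wss10-saml-token", SAML_TOKEN)):
        print(name, sorted(codes(policy)) or "no findings")
```

Run against an exported policy file in place of the samples. A policy that passes these checks still depends on the transport, keystore and identity-store configuration around it, which the assertion itself cannot express.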

rm:RMAssertion

The <rm:RMAssertion> element provides support for version 1.0 and version 1.1 of the Web Services Reliable Messaging protocol. The version supported depends on the XML schema namespace value used:

  • WS-ReliableMessaging 1.1: http://docs.oasis-open.org/ws-rx/wsrmp/200702

  • WS-ReliableMessaging 1.0: http://schemas.xmlsoap.org/ws/2005/02/rm/policy

This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming.

The <rm:RMAssertion> element contains the following subelement:

  • orawsp:bindings

Example

<rm:RMAssertion xmlns:rm="http://schemas.xmlsoap.org/ws/2005/02/rm/policy" 
  orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="wsrm" 
orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wsrm10_policy_RMAssertion_AssertionDescKey" 
 orawsp:name="RM 1.0">
  <wsp:Policy/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="RMConfig">
      <orawsp:PropertySet orawsp:name="standard-wsrm-properties">
        <orawsp:Property orawsp:name="DeliveryAssurance" orawsp:type="string">
          <orawsp:Description>Delivery Assurance. Possible values 
           (case-insensitive) are InOrder,  AtLeastOnce, AtLeastOnceInOrder, 
           ExactlyOnce, ExactlyOnceInOrder, AtMostOnce, 
           AtMostOnceInOrder.</orawsp:Description>
          <orawsp:Value>inorder</orawsp:Value>
          <orawsp:DefaultValue>inorder</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreType" orawsp:type="string">
          <orawsp:Description>The type of message store used. Possible values 
           (case-insensitive) are InMemory, JDBC.</orawsp:Description>
          <orawsp:Value>inmemory</orawsp:Value>
          <orawsp:DefaultValue>inmemory</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreName" orawsp:type="string">
          <orawsp:Description>The name of the message store.
          </orawsp:Description>
          <orawsp:Value>oracle</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" 
         orawsp:name="jdbc-connection-name" orawsp:type="string">
          <orawsp:Description>The JNDI reference to a JDBC data source, when 
           the store type is JDBC.</orawsp:Description>
          <orawsp:Value>jdbc/MessagesStore</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="InactivityTimeout" orawsp:type="int">
          <orawsp:Description>The inactivity timeout duration, specified in 
           milliseconds.</orawsp:Description>
          <orawsp:Value>600000</orawsp:Value>
         </orawsp:Property>
         <orawsp:Property orawsp:name="BaseRetransmissionInterval" 
          orawsp:type="int">
           <orawsp:Description>The base retransmission interval, specified in 
            milliseconds.</orawsp:Description>
           <orawsp:Value>3000</orawsp:Value>
         </orawsp:Property>
       </orawsp:PropertySet>
     </orawsp:Config>
  </orawsp:bindings>
</rm:RMAssertion>

wsaw:UsingAddressing

The <wsaw:UsingAddressing> element causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.

The <wsaw:UsingAddressing> element contains the following subelement:

Example

<wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" 
 orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="addressing" 
 orawsp:name="WS-Addressing 2005">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsaw:UsingAddressing>

wsoma:OptimizedMimeSerialization

The <wsoma:OptimizedMimeSerialization> element rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM refers to specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for SOAP 1.2 and SOAP 1.1 bindings, respectively.

The <wsoma:OptimizedMimeSerialization> element contains the following subelement:

Example

<wsoma:OptimizedMimeSerialization 
 xmlns:wsoma=
 "http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" 
 orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="mtom" 
 orawsp:name="MTOM">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsoma:OptimizedMimeSerialization>

oralgp:fault

The <oralgp:fault> element configures logging for the fault message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:request

The <oralgp:request> element configures logging for the request message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:response

The <oralgp:response> element configures logging for the response message. Valid values include:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

oralgp:msg-log

The <oralgp:msg-log> element configures logging for the request, response, and fault messages. The <oralgp:msg-log> element contains the following subelements:

Example

<oralgp:msg-log>
  <oralgp:request>all</oralgp:request>
  <oralgp:response>all</oralgp:response>
  <oralgp:fault>all</oralgp:fault>
</oralgp:msg-log>

orasp:attachment

The <orasp:attachment> element defines the attachment information.

Attributes

The following table summarizes the attributes of the <orasp:attachment> element.

Table D-11 Attributes of <orasp:attachment> Element

Attribute Description

include-mime-headers

Flag that specifies whether or not to include MIME headers. Valid values include true or false.


Example

<orasp:signed-parts>
  <orasp:header orasp:name="From" 
    orasp:namespace="http://www.w3.org/2005/08/addressing"/>
   <orasp:attachment orasp:include-mime-headers="false"/>
</orasp:signed-parts>

orasp:auth-header

The <orasp:auth-header> element specifies the name of the authentication header.

Attributes

The following table summarizes the attribute of the <orasp:auth-header> element.

Table D-12 Attributes of <orasp:auth-header> Element

Attribute Description

mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • cert—Client authenticates itself by transmitting a certificate.

  • custom—Custom authentication mechanism.


Examples

<orasp:auth-header orasp:mechanism="basic"/>

orasp:body

The <orasp:body> element defines the message body elements that are signed and encrypted. To include the entire body, specify the body element as follows: <orasp:body/>.

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:check-permission

The <orasp:check-permission> element specifies that permissions are to be checked.

Example

<orasp:binding-permission-authorization orawsp:Enforced="true"
 orawsp:Silent="true" orawsp:category="security/authorization" 
 orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  ...
</orasp:binding-permission-authorization>

orasp:coreid-token

The <orasp:coreid-token> element defines the OAM token.

Attributes

The following table summarizes the attributes of the <orasp:coreid-token> element.

Table D-13 Attributes of <orasp:coreid-token> Element

Attribute Description

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.


Example

<orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/> 

orasp:denyAll

The <orasp:denyAll> element denies all users with any roles.

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>

orasp:element

The <orasp:element> element defines a header or body element that is signed or encrypted.

Attributes

The following table summarizes the attributes of the <orasp:element> element.

Table D-14 Attributes of <orasp:element> Element

Attribute Description

name

Name of the header or body element.

namespace

Namespace.


Example

<orasp:signed-elements>
  <orasp:element orasp:name="BodyElement" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:signed-elements>

orasp:encrypted-elements

The <orasp:encrypted-elements> element defines the message body elements that are encrypted. This element is valid if <orasp:encrypted-parts> is not set to <orasp:body/>.

The <orasp:encrypted-elements> element contains the following subelement:

Example

<orasp:encrypted-elements>
  <orasp:element orasp:name="Myhead" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:encrypted-elements>

orasp:encrypted-parts

The <orasp:encrypted-parts> element defines the message parts that are encrypted.

The <orasp:encrypted-parts> element contains one or more of the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:fault

The <orasp:fault> element defines the message body elements that are signed and encrypted in the fault message. The <orasp:fault> element contains the following subelements:

Example

<orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>

orasp:header

The <orasp:header> element defines a header element.

Attributes

The following table summarizes the attributes of the <orasp:header> element.

Table D-15 Attributes of <orasp:header> Element

Attribute Description

name

Name of the header element. The default header elements in the predefined namespace include: To, From, FaultTo, ReplyTo, MessageID, RelatesTo, and Action.

namespace

Namespace. The predefined namespace is as follows: http://www.w3.org/2005/08/addressing.


Example

<orasp:signed-parts>
  <orasp:header orasp:name="From" 
    orasp:namespace="http://www.w3.org/2005/08/addressing"/>
   <orasp:attachment orasp:include-mime-headers="false"/>
</orasp:signed-parts>

orasp:issued-token

The <orasp:issued-token> element enforces token characteristics.

Attributes

The following table summarizes the attributes of the <orasp:issued-token> element.

Table D-16 Attributes of <orasp:issued-token> Element

Attribute Description

use-derived-keys

Flag that specifies whether derived keys are required. Possible values are True and False.

require-internal-reference

Flag that specifies whether internal reference to the token is required. Possible values are True and False.

require-external-reference

Flag that specifies whether external reference to the token is required. Possible values are True and False.


Example

<orasp:issued-token orasp:require-external-reference="true"
 orasp:require-internal-reference="true" orasp:use-derived-keys="false">
  ...
</orasp:issued-token>

orasp:kerberos-token

The <orasp:kerberos-token> element defines the kerberos token.

Attributes

The following table summarizes the attributes of the <orasp:kerberos-token> element.

Table D-17 Attributes of <orasp:kerberos-token> Element

Attribute Description

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.

type

Type of Kerberos token. The only valid value is gss-apreq-v5 (Kerberos Version 5 GSS-API).


Example

<orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" 
 orasp:type="gss-apreq-v5"/> 

orasp:msg-security

The <orasp:msg-security> element defines message security for the policy. You define the body elements that are signed and encrypted for the request, response, and fault.

The <orasp:msg-security> element contains the following subelements:

Attributes

The following table summarizes the attributes of the <orasp:msg-security> element.

Table D-18 Attributes of <orasp:msg-security> Element

Attribute Description

algorithm-suite

Defines the algorithm suite that is used for message protection. For example, Basic128. For more information, see "Supported Algorithm Suites".

confirm-signature

Flag that specifies whether to send a signature confirmation back to the client. Valid values include true or false.

encrypt-signature

Flag that specifies whether to send an encryption confirmation back to the client. Valid values include true or false.

include-timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

sign-then-encrypt

Flag that specifies whether to sign the message before encrypting the message.

use-derived-keys

Flag that specifies whether to use derived keys.


Example

<orasp:msg-security orasp:algorithm-suite="Basic128"
orasp:confirm-signature="false" orasp:encrypt-signature="false" 
orasp:include-timestamp="true" orasp:sign-then-encrypt="true" 
orasp:use-derived-keys="false">
  <orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>
  <orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>
  <orasp:fault/>
</orasp:msg-security>

orasp:permitAll

The <orasp:permitAll> element permits all users with any roles.

Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" 
 orawsp:category="security/authorization" 
 orawsp:name="J2EE services Authorization">
  <orasp:permitAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>

orasp:request

The <orasp:request> element defines the message body elements that are signed and encrypted in the request message. The <orasp:request> element contains the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:require-tls

The <orasp:require-tls> element specifies whether two-way authentication is required.

Attributes

The following table summarizes the attributes of the <orasp:require-tls> element.

Table D-19 Attributes of <orasp:require-tls> Element

Attribute Description

include-timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

mutual-auth

Flag that specifies whether two-way authentication is required. Valid values include true or false.


Examples

<orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>

orasp:response

The <orasp:response> element defines the message body elements that are signed and encrypted in the response message. The <orasp:response> element contains the following subelements:

Example

<orasp:response>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:response>

orasp:role

The <orasp:role> element defines the roles that are permitted access.

Attribute

The following table summarizes the attribute of the <orasp:role> element.

Table D-20 Attributes of <orasp:role> Element

Attribute Description

name

Name of the role. Valid roles include:

  • Monitor

  • AdminChannelUsers

  • Administrators

  • OracleSystemGroup

  • Operators

  • CrossDomainConnectors

  • Deployers

  • AppTesters


Example

<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
  orawsp:category="security/authorization" orawsp:description="" 
  orawsp:name="J2EE services Authorization">
  <orasp:role orasp:name="Monitors"/>
  <orasp:role orasp:name="AdminChannelUsers"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
</orasp:binding-authorization>

orasp:saml-token

The <orasp:saml-token> element configures the SAML token.

Attributes

The following table summarizes the attributes of the <orasp:saml-token> element.

Table D-21 Attributes of <orasp:saml-token> Element

Attribute Description

confirmation-type

Confirmation type. Valid values include:

  • sender-vouches

  • holder-of-key

  • bearer

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.

version

SAML version. Valid values include: 1.1 and 2.0.


Example

<orasp:saml-token orasp:confirmation-type="holder-of-key" 
 orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>

orasp:signed-elements

The <orasp:signed-elements> element defines the message body elements that are signed. This element is valid if <orasp:signed-parts> is not set to <orasp:body/>.

The <orasp:signed-elements> element contains the following subelement:

Example

<orasp:signed-elements>
  <orasp:element orasp:name="Myhead" 
   orasp:namespace="http://www.w3.org/2005/08/addressing">n/a</orasp:element>
</orasp:signed-elements>

orasp:signed-parts

The <orasp:signed-parts> element defines the message parts that are signed.

The <orasp:signed-parts> element contains one or more of the following subelements:

Example

<orasp:request>
    <orasp:signed-parts>
      <orasp:body/>
    </orasp:signed-parts>
    <orasp:encrypted-parts>
      <orasp:body/>
    </orasp:encrypted-parts>
  </orasp:request>

orasp:username-token

The <orasp:username-token> element configures the username token.

Attributes

The following table summarizes the attributes of the <orasp:username-token> element.

Table D-22 Attributes of <orasp:username-token> Element

Attribute Description

add-created

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

add-nonce

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

is-encrypted

Flag that specifies whether the username is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the username is signed. Valid values include true or false.

password-type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.


Example

<orasp:username-token 
  orasp:add-created="false" 
  orasp:add-nonce="false" 
  orasp:is-encrypted="true" 
  orasp:is-signed="true" 
  orasp:password-type="plaintext"/>
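The constraints stated for <orasp:msg-security> (include-timestamp bounds replay) and <orasp:username-token> (a digest password type requires add-created and add-nonce, and a plaintext password should be encrypted or carried over TLS) can be checked mechanically before a policy is attached. The linter below is an added example, not Oracle's own tooling; it matches elements by local name, so the orasp namespace URI in the constructed sample is only a placeholder.

```python
import xml.etree.ElementTree as ET


def local(qname):
    """Strip the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def attrs(element):
    """Attribute map keyed by local name, values lower-cased for comparison."""
    return {local(k): v.strip().lower() for k, v in element.attrib.items()}


def lint_policy(xml_text):
    """Return (element, finding) pairs for weak settings in a WS-Policy fragment.

    The checks are the ones the reference states: a digest password type needs
    add-created and add-nonce set to true, a plaintext password should be
    encrypted or sent under require-tls, and an absent timestamp leaves the
    message with no expiry to bound replay.
    """
    elements = list(ET.fromstring(xml_text).iter())
    has_tls = any(local(e.tag) == "require-tls" for e in elements)
    findings = []
    for e in elements:
        name, a = local(e.tag), attrs(e)
        if name == "username-token":
            ptype = a.get("password-type", "none")
            if ptype == "digest":
                for flag in ("add-created", "add-nonce"):
                    if a.get(flag) != "true":
                        findings.append((name, f'password-type="digest" requires {flag}="true"'))
            elif ptype == "plaintext" and a.get("is-encrypted") != "true" and not has_tls:
                findings.append((name, "plaintext password is neither encrypted nor under require-tls"))
        elif name in ("msg-security", "require-tls"):
            # An absent flag is treated as not set; only an explicit "true" passes.
            if a.get("include-timestamp") != "true":
                findings.append((name, 'include-timestamp is not "true": no expiry to bound replay'))
    return findings


# Constructed sample policy: the orasp namespace URI is a placeholder (the
# checks key on local names); wsp is the W3C WS-Policy namespace.
WEAK_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:orasp="urn:example:orasp-placeholder">
  <orasp:msg-security orasp:algorithm-suite="Basic128"
      orasp:confirm-signature="false" orasp:encrypt-signature="false"
      orasp:include-timestamp="false" orasp:sign-then-encrypt="true"
      orasp:use-derived-keys="false">
    <orasp:request><orasp:signed-parts><orasp:body/></orasp:signed-parts></orasp:request>
  </orasp:msg-security>
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
      orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:password-type="digest"/>
</wsp:Policy>"""

# The same fragment with the settings the reference calls for.
HARDENED_POLICY = (
    WEAK_POLICY.replace('include-timestamp="false"', 'include-timestamp="true"')
    .replace('add-created="false"', 'add-created="true"')
    .replace('add-nonce="false"', 'add-nonce="true"')
)

if __name__ == "__main__":
    for element, finding in lint_policy(WEAK_POLICY):
        print(f"{element}: {finding}")
    print("hardened policy findings:", lint_policy(HARDENED_POLICY))
```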

orasp:x509-token

The <orasp:x509-token> element defines the x.509 digital certificate.

Attributes

The following table summarizes the attributes of the <orasp:x509-token> element.

Table D-23 Attributes of <orasp:x509-token> Element

Attribute Description

sign-key-ref-mech

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)

enc-key-ref-mech

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

rcpt-sign-key-ref-mech

Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

rcpt-enc-key-ref-mech

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

is-encrypted

Flag that specifies whether the assertion is encrypted. Valid values include true or false.

is-signed

Flag that specifies whether the assertion is signed. Valid values include true or false.


Example

<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" 
 orasp:is-encrypted="false" orasp:is-signed="true" 
 orasp:sign-key-ref-mech="direct"/>

orawsp:Description

The <orawsp:Description> element provides a description of the property.

Example

<orawsp:Description>Valid IP Values</orawsp:Description>