This appendix summarizes the predefined policies and contains the following sections:
Oracle has been instrumental in contributing to emerging standards, in particular the specifications hosted by the OASIS Web Services Secure Exchange technical committee. Oracle has contributed to the OASIS WS-SX technical committee several practical security scenarios, a subset of which are implemented in the predefined policies.
Note:
For information about WebLogic Web service policies, see Securing WebLogic Web Services for Oracle WebLogic Server.
The following sections describe the security policies.
The following authentication only policies are provided for SOAP and RESTful Web services.
Table B-1 summarizes the security policies that enforce authentication only and can be attached to both SOAP and RESTful Web services.
Table B-1 Authentication Only Policies—SOAP and RESTful Web Services
Client Policy | Service Policy | Authentication Transport |
---|---|---|
(Only the column headers of this table are recoverable here. Two of its service-policy entries carry the following notes.)
Note on the entry that references oracle/multi_token_rest_service_policy: Attach one of the following. To support HTTP OAM security, you must configure OAM Webgate to intercept the request. For more information, see "oracle/multi_token_rest_service_policy".
Note on the entry that references oracle/multi_token_over_ssl_rest_service_policy: Attach one of the following. To support HTTP OAM security, you must configure OAM Webgate to intercept the request. For more information, see "oracle/multi_token_over_ssl_rest_service_policy".
Table B-2 summarizes the security policies that enforce authentication only for SOAP Web services and indicates whether the token is inserted at the transport layer or SOAP header.
Table B-2 Authentication Only Policies—SOAP Web Services Only
Client Policy | Service Policy | Authentication Transport | Authentication SOAP |
---|---|---|---|
(Only the column headers of this table are recoverable here.)
This policy includes credentials in the HTTP header for outbound client requests. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client endpoint.
Note:
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_basic_auth_over_ssl_service_policy".
This policy uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Note:
This policy functions similarly to oracle/wss_http_token_over_ssl_service_policy. The only difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element to prevent replay attacks, a feature that is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls".
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_basic_auth_over_ssl_service_policy".
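The two checks these service policies describe, extracting HTTP Basic credentials from the header and refusing any request that did not arrive over HTTPS, can be modelled end to end. The following is an added example written for this page, not Oracle's implementation: the identity store is a constructed dictionary standing in for the OPSS identity store, the request is a plain dict, and the optional replay defence that the note attributes to the include-timestamp attribute of oracle/wss_http_token_over_ssl_service_policy is modelled here as an X-Timestamp header (an assumed name) carrying a Unix time that must be fresh.

```python
import base64
import binascii
import hmac
import time

# Constructed identity store standing in for the OPSS identity store the policy consults.
IDENTITY_STORE = {"alice": "s3cret"}

# Maximum age, in seconds, accepted for the optional request timestamp (assumed value).
TIMESTAMP_SKEW_SECONDS = 300


def build_basic_header(username, password):
    """Client side: the Authorization header value the client policy adds to the request."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization_value):
    """Decode 'Basic <base64(user:pass)>' into (username, password); None if not HTTP Basic."""
    if not authorization_value:
        return None
    scheme, _, value = authorization_value.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None  # only HTTP Basic authentication is supported by these policies
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def enforce_basic_over_ssl(request, require_timestamp=False, now=None):
    """
    Service side. `request` is a constructed dict: {"scheme": "https"|"http", "headers": {...}}.
    require_timestamp=False models oracle/http_basic_auth_over_ssl_service_policy;
    require_timestamp=True adds the include-timestamp behaviour of
    oracle/wss_http_token_over_ssl_service_policy, modelled as an X-Timestamp header
    (assumed name) holding a Unix time within TIMESTAMP_SKEW_SECONDS of `now`.
    Returns ("ok", username) or ("refused", reason).
    """
    # 1. Transport check first: anything that is not HTTPS is refused outright.
    if request.get("scheme") != "https":
        return ("refused", "transport is not HTTPS")
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 2. Extract the HTTP Basic credentials from the Authorization header.
    creds = parse_basic_credentials(headers.get("authorization"))
    if creds is None:
        return ("refused", "no HTTP Basic credentials")
    username, password = creds
    # 3. Authenticate against the identity store with a constant-time comparison.
    stored = IDENTITY_STORE.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return ("refused", "authentication failed")
    # 4. Optional replay defence: a fresh timestamp must accompany the request.
    if require_timestamp:
        ts = headers.get("x-timestamp")
        if ts is None or not ts.isdigit():
            return ("refused", "missing or malformed timestamp")
        current = time.time() if now is None else now
        if abs(current - int(ts)) > TIMESTAMP_SKEW_SECONDS:
            return ("refused", "stale timestamp: possible replay")
    return ("ok", username)
```

The ordering matters: the transport check runs before the credentials are even decoded, so a password sent over plain HTTP is never compared against the store, and the timestamp window is the only thing that distinguishes a replayed request from a fresh one once the credentials are valid.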
This policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_client_template. See "oracle/http_jwt_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy authenticates users using the username provided in the JWT token in the HTTP header.
This policy can be applied to any HTTP-based endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_service_template. See "oracle/http_jwt_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_client_template. See "oracle/http_jwt_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
This policy can be applied to any HTTP-based endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_service_template. See "oracle/http_jwt_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
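The JWT client and service policies above describe a token that carries an issuer and a subject, is restricted to an audience, and on the over-SSL variants is only accepted over HTTPS. The following added example (written for this page, not Oracle's code) mints such a token on the client side and validates it on the service side with only the standard library. The page does not state which signature algorithm the policies use, so HS256 with a constructed shared secret is an assumption; the issuer, subject and audience values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret; HS256 with a shared key is an assumption of this example.
SHARED_SECRET = b"example-shared-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(issuer, subject, audience, lifetime_seconds=300, now=None):
    """Client side: build the JWT the client policy places in the HTTP header.
    Issuer and subject are supplied by the caller, as the policy allows programmatically."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": issued_at, "exp": issued_at + lifetime_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def authorization_header(token):
    """The header the client policy adds; 'Bearer' scheme is an assumption of this example."""
    return {"Authorization": "Bearer " + token}


def verify_jwt(token, expected_issuer, expected_audience, now=None):
    """Service side: check signature, issuer, audience restriction and expiry.
    Returns ("ok", username) or ("refused", reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ("refused", "malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return ("refused", "malformed token")
    # Never let the token choose the algorithm: only the configured one is accepted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return ("refused", "unexpected algorithm")
    expected_sig = hmac.new(SHARED_SECRET, (header_b64 + "." + claims_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return ("refused", "bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != expected_issuer:
        return ("refused", "untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return ("refused", "audience restriction not satisfied")
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        return ("refused", "token expired")
    if not claims.get("sub"):
        return ("refused", "no subject in token")
    return ("ok", claims["sub"])


def enforce_jwt(request, expected_issuer, expected_audience, require_https=False, now=None):
    """require_https=True models the over_ssl service policy; request is a constructed dict."""
    if require_https and request.get("scheme") != "https":
        return ("refused", "transport is not HTTPS")
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return ("refused", "no JWT in Authorization header")
    return verify_jwt(token, expected_issuer, expected_audience, now=now)
```

The audience check is what the page calls the audience restriction condition: a token minted for one service is refused by another even when its signature and issuer are valid, which is the property that stops a captured token from being replayed against a different endpoint that trusts the same issuer.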
This policy verifies that the OAM agent has authenticated the user and has established an identity. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_oam_token_service_template. See "oracle/http_oam_token_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_oam_token_service_policy".
This policy includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_client_template. See "oracle/http_saml20_token_bearer_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_token_bearer_client_policy".
This policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_service_template. See "oracle/http_saml20_token_bearer_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_service_policy".
This policy includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. The policy verifies that the transport protocol provides SSL message protection. This policy can be attached to any HTTP-based client endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_client_template. See "oracle/http_saml20_token_bearer_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_over_ssl_client_policy".
This policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_service_template. See "oracle/http_saml20_token_bearer_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_over_ssl_service_policy".
This policy enforces one of the following authentication policies, based on the token sent by the client:
HTTP Basic—Extracts username and password credentials from the HTTP header.
SAML 2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
HTTP OAM security—Verifies that the OAM agent has authenticated the user and established an identity.
SPNEGO over HTTP security—Extracts the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Kerberos token from the HTTP header.
JWT token in the HTTP header—Extracts the username from the JWT token in the HTTP header.
This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
oracle/wss_http_token_service_template. For more information, see "oracle/wss_http_token_client_template".
oracle/http_saml20_token_bearer_service_template. For more information, see "oracle/http_saml20_token_bearer_service_template".
oracle/http_oam_token_service_template. For more information, see "oracle/http_oam_token_service_template". (Provides OAM protection on the server-side only.)
oracle/http_spnego_token_service_template. For more information, see "oracle/http_spnego_token_service_template".
oracle/http_jwt_token_service_template. For more information, see "oracle/http_jwt_token_service_template".
This policy enforces one of the following authentication policies, based on the token sent by the client:
HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.
SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.
HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated the user and established an identity. (Provides non-SSL OAM protection on the server-side only.)
SPNEGO over HTTP security (non-SSL)—Extracts the SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
JWT token in the HTTP header over SSL—Extracts the username from the JWT token in the HTTP header.
This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
oracle/wss_http_token_over_ssl_service_template. For more information, see "oracle/wss_http_token_over_ssl_service_template".
oracle/http_saml20_token_over_ssl_bearer_service_policy. For more information about configuring this policy, see "oracle/http_saml20_token_bearer_service_template".
oracle/http_oam_token_service_template. (Provides non-SSL OAM protection on the server-side only.) For more information, see "oracle/http_oam_token_service_template".
oracle/http_spnego_token_service_template. (Provides non-SSL protection only.) For more information, see "oracle/http_spnego_token_service_template".
oracle/http_jwt_token_over_ssl_service_template. For more information, see "oracle/http_jwt_token_over_ssl_service_template".
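The two multi-token service policies are OR groups: the service looks at what the client sent and applies the matching member. The point worth checking in practice is the one the page makes about the over-SSL variant, namely that its OAM and SPNEGO members provide non-SSL protection only, so attaching the over-SSL policy does not force HTTPS for every request. The following added example (not Oracle's code) shows that selection logic and the per-member transport requirement. The way each token is recognised is an assumption of this example: HTTP Basic and SPNEGO by their Authorization schemes, a JWT by the three-segment shape of a Bearer value, a SAML 2.0 Bearer assertion by an assumed "SAML" Authorization scheme, and an OAM-established identity by an OAM_REMOTE_USER header assumed to be set by the Webgate in front of the service.

```python
import re

# Members of the OR group. `needs_tls` records which members of the over-SSL policy
# variant demand HTTPS; the page states the OAM and SPNEGO members are non-SSL only.
OR_GROUP = {
    "http_basic":    {"needs_tls": True},
    "saml20_bearer": {"needs_tls": True},
    "oam":           {"needs_tls": False},
    "spnego":        {"needs_tls": False},
    "jwt":           {"needs_tls": True},
}

# Compact JWS serialization: three base64url segments separated by dots.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def classify_token(headers):
    """Return the name of the OR-group member whose token the request carries, or None.
    The Authorization header is consulted before the OAM identity header (assumed precedence)."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    scheme, _, value = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic" and value:
        return "http_basic"
    if scheme == "negotiate" and value:       # SPNEGO Kerberos token
        return "spnego"
    if scheme == "bearer" and JWT_SHAPE.match(value):
        return "jwt"
    if scheme == "saml" and value:            # assumed convention for the SAML 2.0 Bearer member
        return "saml20_bearer"
    if h.get("oam_remote_user"):               # identity established by the OAM Webgate
        return "oam"
    return None


def dispatch(request, over_ssl=False):
    """
    Select the OR-group member for a request. over_ssl=False models
    oracle/multi_token_rest_service_policy, over_ssl=True the over_ssl variant, where only
    the members flagged needs_tls refuse a non-HTTPS transport.
    Returns ("ok", member) or ("refused", reason); the member's own credential check
    (for example the Basic or JWT validation shown elsewhere on this page) runs afterwards.
    """
    member = classify_token(request.get("headers", {}))
    if member is None:
        return ("refused", "no supported token presented")
    if over_ssl and OR_GROUP[member]["needs_tls"] and request.get("scheme") != "https":
        return ("refused", f"{member} member requires HTTPS")
    return ("ok", member)


def members_reachable_over_plain_http(over_ssl=True):
    """Which members of the chosen policy variant would still accept a plain-HTTP request."""
    if not over_ssl:
        return sorted(OR_GROUP)
    return sorted(name for name, spec in OR_GROUP.items() if not spec["needs_tls"])
```

Running members_reachable_over_plain_http() is the quick audit question for a deployment that relies on the over-SSL variant: it returns the OAM and SPNEGO members, which is exactly the set for which the note "Provides non-SSL protection only" applies, so those paths need their protection from the Webgate or the Kerberos exchange rather than from this policy.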
The wss_http_token_client_policy includes credentials in the HTTP header for outbound client requests. This policy can be enforced on any HTTP-based client.
Note:
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_client_template. See "oracle/wss_http_token_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/wss_http_token_client_policy".
The wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy can be enforced on any HTTP-based endpoint.
Note:
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_service_template. See "oracle/wss_http_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_service_policy".
This policy includes credentials in the WS-Security UsernameToken SOAP header for all outbound SOAP request messages. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Notes:
Digest passwords are not supported in this release.
This policy is not secure; it transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this policy, oracle/wss_username_token_over_ssl_client_policy.
This policy contains the following policy assertion: oracle/wss_username_token_client_template. See "oracle/wss_username_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_client_policy".
This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
Note:
Digest passwords are not supported in this release.
This policy is not secure; it transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this policy, oracle/wss_username_token_over_ssl_service_policy.
This policy contains the following policy assertion: oracle/wss_username_token_service_template. See "oracle/wss_username_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss10_saml_token_client_template. See "oracle/wss10_saml_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_client_policy".
This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss10_saml_token_service_template. See "oracle/wss10_saml_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss10_saml20_token_client_template. See "oracle/wss10_saml20_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_client_policy".
This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss10_saml20_token_service_template. See "oracle/wss10_saml20_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_service_policy".
This policy includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_client_policy".
This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".
Table B-3 summarizes the policies that enforce message protection only, and indicates whether the policy is enforced at the transport layer or SOAP header.
Table B-3 Message-Protection Only Policies
Client Policy | Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|---|
(Only the column headers of this table are recoverable here.)
This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_message_protection_client_template. See "oracle/wss10_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The messages are protected using WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_message_protection_service_template. See "oracle/wss10_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_message_protection_service_policy".
This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_message_protection_client_template. See "oracle/wss11_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_message_protection_service_template. See "oracle/wss11_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_message_protection_service_policy".
Table B-4 summarizes the policies that enforce both message protection and authentication but do not conform to the WS-Security 1.0 or 1.1 standard. The table indicates whether the policy is enforced at the transport layer or SOAP header.
Table B-4 Message Protection and Authentication Policies
This policy includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client.
Note:
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_client_template. See "oracle/wss_http_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_over_ssl_client_policy".
This policy extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Notes:
This policy functions similarly to oracle/http_basic_auth_over_ssl_service_policy. The only difference is that oracle/wss_http_token_over_ssl_service_policy enables the include-timestamp attribute in the require-tls element to prevent replay attacks, which is not applicable to RESTful services. For more information about the require-tls element, see "orasp:require-tls".
Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_over_ssl_service_policy".
This policy enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
This policy contains the following assertions, as an OR group—meaning either type of policy can be enforced by a client:
oracle/wss_saml_token_service_template. See "oracle/wss10_saml_token_service_template" for more information about the assertion.
oracle/wss_username_token_service_template. See "oracle/wss_username_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy" and "oracle/wss_username_token_service_policy".
This policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
This policy contains the following assertions, as an OR group—meaning either type of policy can be enforced by a client:
oracle/wss_saml_token_over_ssl_service_template. See "oracle/wss_saml_token_over_ssl_service_template" for more information about the assertion.
oracle/wss_username_token_over_ssl_service_template. See "oracle/wss_username_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy" and "oracle/wss_username_token_over_ssl_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_client_template. See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_client_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_client_template. See "oracle/wss_saml_token_bearer_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_client_policy".
This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_service_template. See "oracle/wss_saml_token_bearer_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_client_template. See "oracle/wss_saml20_token_bearer_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_client_policy".
This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_service_template. See "oracle/wss_saml20_token_bearer_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_service_policy".
This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_client_template. See "oracle/wss_saml_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_client_policy".
This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_service_template. See "oracle/wss_saml_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy".
This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_client_template. See "oracle/wss_saml20_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_client_policy".
This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_service_template. See "oracle/wss_saml20_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_service_policy".
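The SAML service policies on this page differ mainly in which subject confirmation method they expect (Bearer for the *_bearer_* policies, sender-vouches for the policies just above) and in whether they require SSL on the transport. The following added example (written for this page, not Oracle's code, and not its SAML login module) builds a constructed SAML 2.0 assertion with a chosen confirmation method and shows the service-side checks a policy configured for one method performs: the transport requirement, the confirmation method, the validity window, the audience restriction, and the mapping of the subject to a user in a constructed identity store. XML signature verification is assumed to have been done before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML)

# Constructed stand-in for the configured identity store the SAML token is mapped against.
IDENTITY_STORE = {"alice"}


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime(TIME_FMT)


def _parse_time(text):
    if text is None:
        return None
    try:
        return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def build_assertion(subject, issuer, audience, confirmation_method, not_before_ts, lifetime=300):
    """Constructed, unsigned SAML 2.0 assertion as a client policy would place it in the
    WS-Security header (ts values are Unix times)."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0", "ID": "_constructed-example-1"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": confirmation_method})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _iso(not_before_ts),
                          "NotOnOrAfter": _iso(not_before_ts + lifetime)})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    return ET.tostring(a, encoding="unicode")


def enforce_saml(assertion_xml, expected_method, my_audience, transport_is_tls, now_ts):
    """Service side for an over_ssl SAML policy. Returns ("ok", username) or ("refused", reason)."""
    # 1. The over_ssl policies verify the transport provides SSL message protection.
    if not transport_is_tls:
        return ("refused", "transport does not provide SSL protection")
    try:
        a = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return ("refused", "malformed assertion")
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        return ("refused", "not a SAML 2.0 assertion")
    # 2. The confirmation method must be the one this policy is configured for.
    methods = {sc.get("Method")
               for sc in a.findall(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")}
    if expected_method not in methods:
        return ("refused", "confirmation method mismatch")
    # 3. Validity window and audience restriction from the Conditions element.
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return ("refused", "assertion has no Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None or not (not_before <= now_ts < not_on_or_after):
        return ("refused", "assertion outside its validity window")
    audiences = {e.text for e in cond.findall(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")}
    if audiences and my_audience not in audiences:
        return ("refused", "audience restriction not satisfied")
    # 4. Map the asserted subject to a user in the configured identity store.
    name = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name not in IDENTITY_STORE:
        return ("refused", "subject not found in identity store")
    return ("ok", name)
```

Because the check is on the confirmation method URI and not on the token's mere presence, a bearer assertion presented to a service attached to a sender-vouches policy is refused, and vice versa; that is the behaviour a practitioner should expect when the client and service policies on the two sides are mismatched.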
This policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Note:
Digest passwords are not supported in this release.
This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_client_template. See "oracle/wss_username_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_over_ssl_client_policy".
This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
Note:
Digest passwords are not supported in this release.
This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_service_template. See "oracle/wss_username_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_over_ssl_service_policy".
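The UsernameToken policies above (oracle/wss_username_token_client_policy and its service counterpart, and the over_ssl pair just described) all carry the password in a WS-Security UsernameToken header, and the note that the non-SSL variant "transmits the password in clear text" is easiest to appreciate by looking at the envelope itself. The following added example (written for this page, not Oracle's code) builds that SOAP envelope with the standard wsse namespaces and then applies the service-side checks: it refuses a digest password, which the page says is unsupported in this release, and, when modelling the over_ssl service policy, refuses a plain-text password that did not arrive over a protected transport. The identity store is a constructed dictionary.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
ET.register_namespace("soapenv", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed stand-in for the OPSS identity store.
IDENTITY_STORE = {"alice": "s3cret"}


def build_request(username, password, body_xml="<ping/>"):
    """Client side: SOAP envelope with a plain-text UsernameToken in the WS-Security header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT})
    pw.text = password  # this is what the note means by "in clear text"
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def enforce_username_token(envelope_xml, transport_is_tls, require_tls=True):
    """
    Service side. require_tls=True models oracle/wss_username_token_over_ssl_service_policy;
    require_tls=False models oracle/wss_username_token_service_policy, which accepts the
    token regardless of transport. Returns ("ok", username) or ("refused", reason).
    """
    try:
        env = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return ("refused", "malformed SOAP envelope")
    token = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return ("refused", "no UsernameToken in WS-Security header")
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    if not username or pw is None or pw.text is None:
        return ("refused", "incomplete UsernameToken")
    # The profile's default when Type is absent is PasswordText.
    pw_type = pw.get("Type", PASSWORD_TEXT)
    if pw_type == PASSWORD_DIGEST:
        return ("refused", "digest passwords are not supported")
    if pw_type != PASSWORD_TEXT:
        return ("refused", "unknown password type")
    if require_tls and not transport_is_tls:
        return ("refused", "plain-text password over an unprotected transport")
    stored = IDENTITY_STORE.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), pw.text.encode()):
        return ("refused", "authentication failed")
    return ("ok", username)
```

With require_tls=False the envelope is accepted even on an unprotected transport, which is the "low security situations only" case the note describes: the password is readable by anyone on the path, so that variant is only defensible when something other than this policy protects the connection.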
This policy provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with holder of key confirmation.
The policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_hok_token_with_message_protection_client_template. See "oracle/wss10_saml_hok_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_hok_token_with_message_protection_service_template. See "oracle/wss10_saml_hok_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_service_policy".
This policy provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_client_policy".
This policy enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. It takes the SAML token from the WS-Security SOAP header or from the current Java Authentication and Authorization Service (JAAS) subject, and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_service_policy".
This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header with the sender-vouches confirmation method. The SOAP message is signed and encrypted. The Web service provider decrypts the message and verifies the signature; because sender-vouches relies on the sender to vouch for the subject, that signature must come from a trusted sender. The provider then takes the SAML token from the WS-Security SOAP header and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".
This policy provides message-level protection and SAML 2.0-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML 2.0 token in the SOAP header with the sender-vouches confirmation method.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_client_template. See "oracle/wss10_saml20_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML 2.0-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML 2.0 token in the SOAP header with the sender-vouches confirmation method. The SOAP message is signed and encrypted. The Web service provider decrypts the message and verifies the signature, which must come from a trusted sender. It then takes the SAML token from the WS-Security SOAP header and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_service_template. See "oracle/wss10_saml20_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_service_policy".
This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header with the sender-vouches confirmation method.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header with the sender-vouches confirmation method. The SOAP message is signed and encrypted. The Web service provider decrypts the message and verifies the signature, which must come from a trusted sender. It then takes the SAML token from the WS-Security SOAP header and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps and SAML token validity limits, which the Web service provider then verifies.
The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".
This policy provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Only the username is included in outbound SOAP request messages, via a WS-Security UsernameToken header; no password is included. This policy can be enforced on any SOAP-based client.
Message protection is provided using WS-Security's Basic128 suite of asymmetric key technologies. Specifically RSA key mechanisms for confidentiality, SHA-1 hashing algorithm for integrity and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_id_propagation_with_msg_protection_client_policy".
This policy enforces message level protection (i.e., integrity and confidentiality) and identity propagation for inbound SOAP requests using mechanisms described in WS-Security 1.0. This policy can be enforced on any SOAP-based endpoint.
Message protection is provided using WS-Security 1.0's Basic128 suite of asymmetric key technologies. Specifically RSA key mechanisms for confidentiality, SHA-1 hashing algorithm for integrity and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_id_propagation_with_msg_protection_service_policy".
This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. The assertion defines both plain-text and digest password types; see the following note about digest support in this release. This policy can be attached to any SOAP-based client.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_client_policy".
This policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The assertion defines both plain-text and digest password types; see the following note about digest support in this release. This policy can be attached to any SOAP-based endpoint.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_service_policy".
This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. The assertion defines both plain-text and digest password types; see the following note about digest support in this release. This policy can be attached to any SOAP-based client.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_client_policy".
This policy enforces message protection (message integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The assertion defines both plain-text and digest password types; see the following note about digest support in this release. This policy can be attached to any SOAP-based endpoint.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
This policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both the signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_service_template. See "oracle/wss10_username_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_token_with_message_protection_service_policy".
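The UsernameToken handling described for the oracle/wss_username_token_over_ssl_* and oracle/wss10_username_token_with_message_protection_* policies above, shown end to end as an added example (this is illustrative code, not Oracle Web Services Manager code): the client side builds the wsse:UsernameToken with a nonce and wsu:Created, and the service side enforces the Created freshness window, rejects a reused nonce, checks the credential against an identity store, and, matching the note that digest passwords are not supported in this release, refuses PasswordDigest unless the endpoint explicitly enables it. The digest formula Base64(SHA-1(nonce + created + password)) is the one defined by the WS-Security UsernameToken Profile. The dict-based identity store, the five-minute window and the sample user weblogic/welcome1 are assumptions made for the example.

```python
"""WS-Security UsernameToken: client-side construction and service-side checks.
Added example, not OWSM code. Assumptions: identity store is a dict of
username -> password; wsu:Created is accepted within +/- max_age."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def utc_stamp(t):
    """wsu:Created format: xs:dateTime in UTC with a trailing Z."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def password_digest(nonce, created, password):
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, *, digest=False, nonce=None, created=None):
    """Client side: build the wsse:UsernameToken. Nonce and Created are always
    present so the service can detect replays, whichever password type is used."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or utc_stamp(datetime.now(timezone.utc))
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    pw.set("Type", PASSWORD_DIGEST if digest else PASSWORD_TEXT)
    pw.text = password_digest(nonce, created, password) if digest else password
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: Created freshness, one-time nonce, credential check against
    the identity store, and digest passwords refused unless allow_digest is set."""

    def __init__(self, identity_store, *, max_age=timedelta(minutes=5), allow_digest=False):
        self.store = identity_store
        self.max_age = max_age
        self.allow_digest = allow_digest
        self.seen = {}  # nonce -> Created time; pruned once older than max_age

    def verify(self, token_xml, *, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if not (username and pw is not None and nonce_b64 and created):
            raise ValueError("UsernameToken lacks Username, Password, Nonce or Created")
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (now - self.max_age <= created_at <= now + self.max_age):
            raise ValueError("Created outside the accepted window: stale token or clock skew")
        cutoff = now - self.max_age
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen:
            raise ValueError("nonce already seen: replayed token")
        expected = self.store.get(username)
        if expected is None:
            raise ValueError("unknown user")
        pw_type = pw.get("Type", PASSWORD_TEXT)
        presented = (pw.text or "").encode("utf-8")
        if pw_type == PASSWORD_DIGEST:
            if not self.allow_digest:
                raise ValueError("digest passwords are not supported by this endpoint")
            ok = hmac.compare_digest(presented, password_digest(nonce, created, expected).encode("utf-8"))
        elif pw_type == PASSWORD_TEXT:
            ok = hmac.compare_digest(presented, expected.encode("utf-8"))
        else:
            raise ValueError(f"unsupported password type {pw_type}")
        if not ok:
            raise ValueError("authentication failed")
        self.seen[nonce] = created_at  # record only after a successful check
        return username


def token_rejected(verifier, token_xml, now):
    """True if the service-side checks refuse the token."""
    try:
        verifier.verify(token_xml, now=now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    store = {"weblogic": "welcome1"}  # constructed sample identity store
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    svc = UsernameTokenVerifier(store)
    tok = build_username_token("weblogic", "welcome1", created=utc_stamp(now))
    print(svc.verify(tok, now=now), token_rejected(svc, tok, now))  # weblogic True
```

The nonce is recorded only after the credential check succeeds, so an attacker cannot poison the replay cache with guessed passwords; the cache is pruned to the same window that bounds Created, which is what makes the nonce check finite. In a real deployment the identity store lookup is the OPSS identity store and the TLS check of the over_ssl policies happens before any of this runs.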
This policy provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_x509_token_with_message_protection_client_template. See "oracle/wss10_x509_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_x509_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_x509_token_with_message_protection_service_template. See "oracle/wss10_x509_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_x509_token_with_message_protection_service_policy".
This policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_client_policy".
This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_service_policy".
This policy includes a Kerberos token in the WS-Security header, and uses Kerberos keys to guarantee message integrity and confidentiality, in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be enforced on any SOAP-based client.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy".
This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically the RSA key mechanism for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy extracts the Kerberos token from the SOAP header and authenticates the user, and it enforces message integrity and confidentiality using Kerberos keys. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_with_message_protection_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy".
This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_client_template. See "oracle/wss11_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_saml_token_with_message_protection_client_policy".
This policy enables message protection (integrity and confidentiality) and SAML 2.0 token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML 2.0 token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_saml20_token_with_message_protection_client_template. See "oracle/wss11_saml20_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_saml20_token_with_message_protection_client_policy".
This policy performs dynamic identity switching by propagating a different identity than the one based on the authenticated subject. This policy can be attached to any SOAP-based client.
This policy enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests using mechanisms described in WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_client_template. See "oracle/wss11_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It takes the SAML token from the WS-Security SOAP header, and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_saml_token_with_message_protection_service_template. See "oracle/wss11_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_saml_token_with_message_protection_service_policy".
This policy enforces message protection (integrity and confidentiality) and SAML 2.0-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It takes the SAML 2.0 token from the WS-Security SOAP header, and uses those credentials to validate the user against the Oracle Platform Security Services identity store.
This policy uses symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_saml20_token_with_message_protection_service_template. See "oracle/wss11_saml20_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_saml20_token_with_message_protection_service_policy".
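The service-side SAML checks that the wss10_saml*_token_with_message_protection and wss11_saml*_token_with_message_protection service policies above describe (token validity limits, sender-vouches versus holder-of-key confirmation, and mapping the subject to a user in the identity store), as an added example that is not Oracle Web Services Manager code. XML-signature processing is out of scope here and is assumed to have been done by the message-protection layer, whose outcome the caller passes in as two flags; the issuer name, audience URI, dict-based identity store and five-minute clock-skew allowance are assumptions made for the example, and the sample assertion is constructed.

```python
"""SAML 2.0 assertion checks behind a saml_token service policy. Added example,
not OWSM code. Assumptions: signature results arrive as flags, the identity store
is a dict NameID -> user record, clock skew tolerance is five minutes."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def parse_saml_time(s):
    """xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z, optionally with fractional seconds."""
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


class SamlTokenVerifier:
    def __init__(self, *, confirmation, trusted_issuers, audience, identity_store,
                 skew=timedelta(minutes=5)):
        self.confirmation = confirmation          # method the attached policy requires
        self.trusted_issuers = set(trusted_issuers)
        self.audience = audience                  # this service's audience URI
        self.store = identity_store
        self.skew = skew

    def verify(self, assertion_xml, *, now=None, sender_signature_trusted=False,
               holder_key_proven=False):
        """Return the identity-store record for the assertion's subject, or raise."""
        now = now or datetime.now(timezone.utc)
        a = ET.fromstring(assertion_xml)
        if a.tag != f"{{{SAML2}}}Assertion" or a.get("Version") != "2.0":
            raise ValueError("not a SAML 2.0 assertion")
        issuer = (a.findtext(f"{{{SAML2}}}Issuer") or "").strip()
        if issuer not in self.trusted_issuers:
            raise ValueError(f"untrusted issuer {issuer!r}")
        # Token limits: NotBefore / NotOnOrAfter with a bounded skew allowance.
        cond = a.find(f"{{{SAML2}}}Conditions")
        if cond is None:
            raise ValueError("assertion carries no Conditions, so no token limits")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + self.skew < parse_saml_time(nb):
            raise ValueError("assertion not yet valid")
        if noa and now - self.skew >= parse_saml_time(noa):
            raise ValueError("assertion expired")
        audiences = [e.text for e in cond.iter(f"{{{SAML2}}}Audience")]
        if audiences and self.audience not in audiences:
            raise ValueError("assertion not intended for this service")
        subj = a.find(f"{{{SAML2}}}Subject")
        if subj is None:
            raise ValueError("assertion has no Subject")
        methods = {sc.get("Method") for sc in subj.iter(f"{{{SAML2}}}SubjectConfirmation")}
        if self.confirmation not in methods:
            raise ValueError(f"policy requires {self.confirmation}, token offers {sorted(methods)}")
        # sender-vouches: a trusted sender's signature must cover the message and assertion.
        if self.confirmation == CM_SENDER_VOUCHES and not sender_signature_trusted:
            raise ValueError("sender-vouches token without a trusted sender signature")
        # holder-of-key: the message must prove possession of the key named in the assertion.
        if self.confirmation == CM_HOLDER_OF_KEY and not holder_key_proven:
            raise ValueError("holder-of-key token without proof of possession")
        name_id = (subj.findtext(f"{{{SAML2}}}NameID") or "").strip()
        user = self.store.get(name_id)
        if user is None:
            raise ValueError(f"subject {name_id!r} not found in identity store")
        return user


def assertion_rejected(verifier, assertion_xml, **kwargs):
    """True if the service-side checks refuse the assertion."""
    try:
        verifier.verify(assertion_xml, **kwargs)
        return False
    except ValueError:
        return True


# Constructed sample assertion (unsigned; signature handling is out of scope here).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_c0ffee" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>weblogic</saml:NameID>
    <saml:SubjectConfirmation Method="{CM_SENDER_VOUCHES}"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://svc.example.com/ws</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

The two flags are where the confirmation methods differ in practice: a sender-vouches assertion is only as trustworthy as the sender whose signature covers it, so the verifier must not accept one on the strength of the assertion alone, while a holder-of-key assertion is bound to a key the message has to prove possession of. Both still need the validity window, audience and issuer checks, which is what "SAML token limits" on this page refers to.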
This policy enforces one of the following authentication mechanisms, selected by the kind of token the client presents. The first two alternatives also enforce message protection (integrity and confidentiality) in accordance with the WS-Security 1.1 standard; the remaining four rely on SSL transport protection instead:
SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
Username token authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
SAML-based authentication using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. Verifies that the transport protocol provides SSL message protection.
Username token authentication using the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the configured identity store. Verifies that the transport protocol provides SSL message protection.
HTTP authentication using credentials extracted from the HTTP header to authenticate users against the configured identity store. Verifies that the transport protocol is HTTPS.
JWT token authentication using the username extracted from the JWT token in the HTTP header. Verifies that the transport protocol is HTTPS.
The message-protection alternatives use symmetric key technology for signing and encryption, and WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following assertions as an OR group, meaning a client needs to satisfy only one of them:
oracle/wss11_saml_token_with_message_protection_service_template. For more information about the assertion, see "oracle/wss11_saml_token_with_message_protection_service_template".
oracle/wss11_username_token_with_message_protection_service_template. For more information about the assertion, see "oracle/wss11_username_token_with_message_protection_service_template".
oracle/wss_saml_token_bearer_over_ssl_service_template. For more information about the assertion, see "oracle/wss_saml_token_bearer_over_ssl_service_template".
oracle/wss_username_token_over_ssl_service_template. For more information about the assertion, see "oracle/wss_username_token_over_ssl_service_template".
oracle/wss_http_token_over_ssl_service_template. For more information about the assertion, see "oracle/wss_http_token_over_ssl_service_template".
oracle/http_jwt_token_over_ssl_service_template. For more information, see "oracle/http_jwt_token_over_ssl_service_template".
For information about configuring the policy, see the following:
This policy provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. The assertion defines both plain-text and digest password types; see the following note about digest support in this release. This policy can be attached to any SOAP-based client.
Note:
Digest passwords are not supported in this release.
The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.
To prevent replay attacks, the assertion provides the option to include a time stamp, which the Web service provider verifies. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_username_token_with_message_protection_client_template. See "oracle/wss11_username_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_username_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The WS-Security UsernameToken profile defines both plain text and digest password mechanisms; see the note below.
Note:
Digest passwords are not supported in this release.
The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. This policy can be attached to any SOAP-based endpoint.
To prevent replay attacks, the assertion provides the option to include a time stamp, which the Web service provider verifies. The message can be protected with ciphers of different strengths.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_username_token_with_message_protection_service_template. See "oracle/wss11_username_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_username_token_with_message_protection_service_policy".
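The replay protection that the client and service policies above describe (a wsu:Timestamp plus a nonce in the UsernameToken, checked by the provider) is easy to get subtly wrong, so the following added example shows both sides in plain Python. It is not OWSM code: the WS-Security namespaces are the real ones, but the message layout, the 60-second clock-skew tolerance, the in-memory nonce cache and the credential store are constructed for illustration, and the signing and encryption that the WS-Security 1.1 policy also performs are left out.

```python
"""Added example (not OWSM code): UsernameToken + Timestamp + nonce on the
client side, and a service-side validator that enforces the Timestamp window
and rejects replayed nonces. Store, skew and cache are constructed."""
import base64
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_envelope(username, password, now=None, ttl=timedelta(minutes=5)):
    """Client side: UsernameToken (plain text password) with a Timestamp and a
    fresh random nonce. The WS-Security 1.1 signing/encryption is omitted; the
    point here is the replay-protection fields."""
    now = now or datetime.now(timezone.utc)
    nonce = base64.b64encode(os.urandom(16)).decode()
    created, expires = now.strftime(FMT), (now + ttl).strftime(FMT)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        '<soap:Header><wsse:Security soap:mustUnderstand="1">'
        f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created>'
        f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>'
        '<wsse:UsernameToken wsu:Id="UT-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></soap:Header>'
        '<soap:Body><ex:echo xmlns:ex="urn:example">hi</ex:echo></soap:Body>'
        '</soap:Envelope>'
    )


def _parse_time(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


class UsernameTokenValidator:
    """Service side: checks the Timestamp window, refuses reused nonces, then
    compares the password in constant time against a constructed store."""

    def __init__(self, credentials, skew=timedelta(seconds=60)):
        self.credentials = credentials   # username -> password (constructed)
        self.skew = skew                 # tolerated clock difference (assumed)
        self.seen = {}                   # nonce -> Expires, the replay cache

    def validate(self, envelope, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        sec = root.find("soap:Header/wsse:Security", NS)
        if sec is None:
            return False, "missing Security header"
        created = sec.findtext("wsu:Timestamp/wsu:Created", None, NS)
        expires = sec.findtext("wsu:Timestamp/wsu:Expires", None, NS)
        if not created or not expires:
            return False, "missing Timestamp"
        if _parse_time(created) > now + self.skew:
            return False, "Created is in the future"
        if _parse_time(expires) <= now - self.skew:
            return False, "Timestamp expired"
        user = sec.findtext("wsse:UsernameToken/wsse:Username", None, NS)
        pwd = sec.findtext("wsse:UsernameToken/wsse:Password", None, NS)
        nonce = sec.findtext("wsse:UsernameToken/wsse:Nonce", None, NS)
        if not (user and pwd and nonce):
            return False, "incomplete UsernameToken"
        # Evict nonces whose Timestamp could no longer pass, then refuse reuse.
        self.seen = {n: e for n, e in self.seen.items() if e > now - self.skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = self.credentials.get(user, "")
        if not expected or not hmac.compare_digest(expected.encode(), pwd.encode()):
            return False, "bad credentials"
        self.seen[nonce] = _parse_time(expires)
        return True, user


if __name__ == "__main__":
    v = UsernameTokenValidator({"alice": "s3cret"})
    env = build_envelope("alice", "s3cret")
    print(v.validate(env))   # first delivery is accepted
    print(v.validate(env))   # identical resend is refused as a replay
```

The nonce is only remembered for as long as its Timestamp could still pass, which keeps the cache bounded without weakening the check; without the Timestamp, the cache would have to grow forever. Note that a plain text password in the token is what the transport or message-level encryption of the surrounding policy is meant to protect, which is why the service-side policy refuses the token outside that protection.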
This policy provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_x509_token_with_message_protection_client_template. See "oracle/wss11_x509_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_x509_token_with_message_protection_client_policy".
This policy enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_x509_token_with_message_protection_service_template. See "oracle/wss11_x509_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_x509_token_with_message_protection_service_policy".
Table B-5 summarizes the WS-Trust policies.
Table B-5 WS-Trust Policies

Client Policy | Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|---|
oracle/sts_trust_config_client_policy | oracle/sts_trust_config_service_policy | No | No | No | No |
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy | oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy | Yes | No | Yes | No |
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy | oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy | No | Yes | No | Yes |
oracle/wss11_sts_issued_saml_with_message_protection_client_policy | | No | Yes | No | Yes |
This policy provides STS configuration information that is used to invoke an STS for token exchange.
This policy contains the following policy assertion: oracle/sts_trust_config_service_template. See "oracle/sts_trust_config_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/sts_trust_config_service_policy".
This policy provides STS configuration information that is used to invoke an STS for token exchange.
This policy contains the following policy assertion: oracle/sts_trust_config_client_template. See "oracle/sts_trust_config_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/sts_trust_config_client_policy".
This policy inserts the SAML Bearer assertion issued by a trusted STS (Security Token Service). Messages are protected using SSL.
This policy contains the following policy assertion: oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template. See "oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy".
This policy authenticates a SAML Bearer assertion issued by a trusted STS (Security Token Service). Messages are protected using SSL.
This policy contains the following policy assertion: oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template. See "oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy".
This policy inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by STS.
This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template. See "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy".
This policy authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.
This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template. See "oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy".
This policy inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.
This policy contains the following policy assertion: oracle/wss11_sts_issued_saml_with_message_protection_client_template. See "oracle/wss11_sts_issued_saml_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_sts_issued_saml_with_message_protection_client_policy".
Table B-6 summarizes the security policies that enforce authorization, and indicates whether the policy is enforced at the transport layer or SOAP header.
Note:
The authorization policies can follow any authentication policy where the Subject is established.
You cannot attach both a permitall and denyall policy to the same Web service.
Table B-6 Authorization Only Policies
Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|
oracle/binding_authorization_denyall_policy | No | Yes | No | No |
oracle/binding_authorization_permitall_policy | No | Yes | No | No |
oracle/binding_permission_authorization_policy | No | Yes | No | No |
oracle/component_authorization_denyall_policy | No | Yes | No | No |
oracle/component_authorization_permitall_policy | No | Yes | No | No |
oracle/component_permission_authorization_policy | No | Yes | No | No |
oracle/whitelist_authorization_policy | No | Yes | No | No |
This policy provides simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy denies all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/binding_authorization_denyall_policy".
This policy provides a simple role-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy permits all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/binding_authorization_permitall_policy".
This policy provides simple permission-based authorization for the request based on the authenticated Subject at the SOAP binding level. This policy ensures that the Subject has permission to perform the operation. This policy should follow an authentication policy where the Subject is established and can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/binding_permission_authorization_template. See "oracle/binding_permission_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/binding_permission_authorization_policy".
This policy provides simple role-based authorization for the request based on the authenticated Subject at the SCA component level. This policy denies all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
This policy contains the following policy assertion: oracle/component_authorization_template. See "oracle/component_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/component_authorization_denyall_policy".
This policy provides a simple role-based authorization policy based on the authenticated Subject. This policy permits all users with any roles. It should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
This policy contains the following policy assertion: oracle/component_authorization_template. See "oracle/component_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/component_authorization_permitall_policy".
This policy provides a permission-based authorization policy based on the authenticated Subject. This policy ensures that the Subject has permission to perform the operation. This policy should follow an authentication policy where the Subject is established and can be attached to any SCA-based endpoint.
This policy contains the following policy assertion: oracle/component_permission_authorization_template. See "oracle/component_permission_authorization_template" for more information about the assertion.
For information about configuring the policy, see "oracle/component_permission_authorization_policy".
This policy is a special case of role-based authorization. It admits a request only if the authenticated token is a SAML sender-vouches assertion, or the user is in the role trustedEnterpriseRole, which establishes the user as a trusted entity, or the request originates from within the private network. This policy can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/binding_authorization_template. See "oracle/binding_authorization_template" for more information about the assertion.
For information about configuring this policy, see "oracle/whitelist_authorization_policy".
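The authorization policies above all make a decision over a Subject that an earlier authentication policy established, and the whitelist policy combines three different conditions with OR. The following added example (not OWSM code) writes those decisions out in Python so the ordering and the combination are explicit. The Subject and Request records, the token-type strings, the use of the RFC 1918 ranges as "the private network", and the grants map that stands in for a permission check are assumptions for illustration.

```python
"""Added example, not OWSM code: the permit-all, deny-all, role-based,
permission-based and whitelist decisions over a constructed Subject."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# RFC 1918 ranges stand in for "the private network" (assumption); a real
# deployment would configure its own trusted ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Subject:
    """What an authentication policy establishes before authorization runs."""
    user: str
    roles: FrozenSet[str]
    token_type: str            # e.g. "saml.sender-vouches", "username" (assumed names)


@dataclass(frozen=True)
class Request:
    subject: Optional[Subject]  # None when no authentication policy ran
    source_ip: str
    operation: str


Decision = Callable[[Request], bool]


def permit_all(req: Request) -> bool:
    """permitall: any authenticated Subject, whatever its roles."""
    return req.subject is not None


def deny_all(req: Request) -> bool:
    """denyall: refuse regardless of roles."""
    return False


def role_based(allowed: Set[str]) -> Decision:
    """Role-based: the Subject must hold at least one allowed role."""
    def decide(req: Request) -> bool:
        return req.subject is not None and bool(req.subject.roles & allowed)
    return decide


def permission_based(grants: Dict[str, Set[str]]) -> Decision:
    """Permission-based: grants maps an operation to the roles permitted to
    invoke it (a stand-in for the real permission check)."""
    def decide(req: Request) -> bool:
        if req.subject is None:
            return False
        return bool(req.subject.roles & grants.get(req.operation, set()))
    return decide


def whitelist(req: Request, trusted_role: str = "trustedEnterpriseRole") -> bool:
    """Admit if the token is SAML sender-vouches, OR the user holds the trusted
    role, OR the request comes from the private network. An unauthenticated
    request fails even from inside: the policy follows authentication."""
    if req.subject is None:
        return False
    if req.subject.token_type == "saml.sender-vouches":
        return True
    if trusted_role in req.subject.roles:
        return True
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def attachments_valid(policies: List[str]) -> bool:
    """permitall and denyall cannot both be attached to one service."""
    has_permit = any("permitall" in p for p in policies)
    has_deny = any("denyall" in p for p in policies)
    return not (has_permit and has_deny)


def enforce(chain: List[Decision], req: Request) -> bool:
    """Every attached authorization decision must admit the request."""
    return all(decide(req) for decide in chain)


if __name__ == "__main__":
    inside = Request(Subject("svc", frozenset({"app"}), "username"), "10.1.2.3", "echo")
    outside = Request(Subject("bob", frozenset({"app"}), "username"), "203.0.113.9", "echo")
    print(whitelist(inside), whitelist(outside))   # True False
```

The whitelist check evaluates the cheapest, most reliable signal first (the token type the authentication policy already verified) and the network origin last; source-address checks are the weakest of the three because they depend on the network path being what you think it is, so they belong behind an authenticated Subject rather than in place of one.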
This section describes the predefined WS-Addressing policies.
Note:
WS-Addressing policies are not supported for WebLogic Web services.
This policy causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages. For information about configuring the policy, see "oracle/wsaddr_policy".
This section describes the predefined MTOM policies.
Note:
MTOM policies are not supported for WebLogic Web services.
This Message Transmission Optimization Mechanism (MTOM) policy rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. MTOM refers to the specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for the SOAP 1.2 and SOAP 1.1 bindings, respectively. For information about configuring the policy, see "oracle/wsmtom_policy".
This section describes the predefined Reliable Messaging policies.
Note:
Reliable messaging policies are not supported for WebLogic Web services.
This policy provides support for version 1.0 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming. For information about configuring the policy, see "oracle/wsrm10_policy".
This policy provides support for version 1.1 of the Web Services Reliable Messaging protocol. This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming. For information about configuring the policy, see "oracle/wsrm11_policy".
This section describes the predefined Management policies.
Note:
Management policies are not supported for WebLogic Web services.
This policy causes the request, response, and fault messages to be sent to a message log.
This policy contains the following policy assertion: oracle/security_log_template. See "oracle/security_log_template" for more information about the assertion.
For information about configuring the policy, see "oracle/log_policy".
This section describes the predefined no behavior policies. These policies provide the ability to effectively disable a policy attached globally in a policy set. Details for using these policies are provided in "Disabling a Globally Attached Policy". There are no configuration properties available for these policies.
All of these policies use the same no behavior assertion.
Note:
The no behavior policies are not supported for WebLogic Web services.
This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also.
This policy, when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached authentication policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authentication assertion, those assertions are disabled also.
This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also.
This policy, when directly attached to a client endpoint or globally attached at a lower scope, effectively disables a globally attached message protection policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the message protection assertion, those assertions are disabled also.
This policy, when directly attached to a service endpoint or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also.
This policy, when directly attached to a SOA component or globally attached at a lower scope, effectively disables a globally attached authorization policy at a higher scope. If the globally attached policy contains any other assertions, in addition to the authorization assertion, those assertions are disabled also.
This policy, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS Addressing policy at a higher scope.
This policy, when directly attached to an endpoint or globally attached at a lower scope, effectively disables a globally attached WS MTOM policy at a higher scope.
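The no behavior policies above all follow one rule: the attachment at the more specific scope wins for its category, and when the winner is a no behavior policy the entire displaced global policy is switched off, including any assertion it carried besides the one in that category. The following added example (not OWSM code) models that resolution so the consequence is visible: attaching oracle/no_authentication_service_policy at an endpoint also drops whatever other assertions the disabled global policy contained. The scope ordering, the Policy and Attachment records, and the assertion names in the demo are assumptions for illustration.

```python
"""Added example, not OWSM code: a model of global policy attachment scopes and
of how a no-behavior policy at a lower scope disables a higher-scope policy of
the same category, other assertions included. Ordering and records assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Most general scope first; a larger index is a more specific scope (assumed).
SCOPES = ["domain", "server", "application", "module", "endpoint"]


@dataclass(frozen=True)
class Policy:
    name: str
    category: str                 # e.g. "authentication", "addressing" (assumed labels)
    assertions: Tuple[str, ...]   # every assertion the policy carries
    no_behavior: bool = False     # True for the oracle/no_* policies


@dataclass(frozen=True)
class Attachment:
    scope: str                    # one of SCOPES
    policy: Policy


def effective_assertions(attachments: List[Attachment]) -> Dict[str, List[str]]:
    """Per category, the attachment at the most specific scope wins. A winning
    no-behavior policy contributes nothing, and because it displaces the whole
    higher-scope policy, that policy's other assertions are dropped as well."""
    winner: Dict[str, Attachment] = {}
    for att in attachments:
        if att.scope not in SCOPES:
            raise ValueError(f"unknown scope {att.scope!r}")
        cat = att.policy.category
        current = winner.get(cat)
        if current is None or SCOPES.index(att.scope) > SCOPES.index(current.scope):
            winner[cat] = att
    return {cat: ([] if att.policy.no_behavior else list(att.policy.assertions))
            for cat, att in winner.items()}


# Constructed demo data. The global security policy is modelled with two
# assertions so that the side effect on the second one is visible.
GLOBAL_AUTH = Policy(
    "oracle/wss11_username_token_with_message_protection_service_policy",
    "authentication",
    ("oracle/wss11_username_token_with_message_protection_service_template",
     "oracle/security_log_template"),
)
GLOBAL_ADDR = Policy("oracle/wsaddr_policy", "addressing", ("ws-addressing-headers",))
NO_AUTH = Policy("oracle/no_authentication_service_policy", "authentication", (), True)


def demo(disable_at_endpoint: bool) -> Dict[str, List[str]]:
    """Domain-level authentication and addressing policies, optionally
    overridden at the endpoint by the no-authentication policy."""
    attachments = [Attachment("domain", GLOBAL_AUTH), Attachment("domain", GLOBAL_ADDR)]
    if disable_at_endpoint:
        attachments.append(Attachment("endpoint", NO_AUTH))
    return effective_assertions(attachments)


if __name__ == "__main__":
    print(demo(False))   # both template assertions plus the addressing check
    print(demo(True))    # authentication: [] (log assertion gone too); addressing intact
```

The practical caveat this makes visible is that the override is by category, not by assertion: a no_authentication policy placed to switch off a username-token requirement also removes the logging assertion that lived in the same global policy, so anything that depended on that log (detection, audit) stops silently unless it is attached separately.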