Table of Contents Previous Next PDF


SALT WS-SecurityPolicy Assertion 1.2 Reference
SALT WS-SecurityPolicy Assertion 1.2 Reference
The following sections provide SALT WSSP1.2 reference information:
Overview
SALT WSSP 1.2 Policy File Examples
SALT WSSP 1.2 Policy Templates
SALT WSSP1.2 Assertion Description
Overview
SALT implements part of WS-Security protocol version 1.1 for inbound services. Authentication with UsernameToken and X509v3Token are supported. To describe how the authentication is carried out, WS-SecurityPolicy is used in WSDL definition.
In order to communicate with Oracle WebLogic Release 10 via WS-Security 1.1, SALT implements the counterparts of WS-SecurityPolicy (WSSP) 1.2 supported by WebLogic 10. But the supported WSSP 1.2 assertions are limited as follows:
Protection Assertions
Integrity Assertion
<sp:SignedParts> Assertion (Limited support)
Token Assertions:
<sp:UsernameToken> Assertion (Limited support)
<sp:X509Token> Assertion (Limited support)
Security Binding Assertions:
AsysmmetricBinding Assertion (Limited support)
<sp:TransportBinding > Assertion (Limited support)
Supporting Tokens Assertions:
SupportingTokens Assertion (Limited support)
For more details about limitations of WS-SecurityPolicy 1.2 assertions, please refer to Oracle SALT WSSP1.2 Assertion Description.
For more information about WSSP 1.2 assertions supported by WebLogic 10, please refer to “Oracle Web Services Security Policy Assertion Reference in the Oracle WebLogic Web Services Documentation.
In this document, XML namespace prefix “sp” stands for namespace URI “http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512”.
SALT WSSP 1.2 Policy File Examples
WSSP 1.2 Policy File Sample
Wssp1.2-Wss1.0-X509.xml File Sample
WSSP 1.2 Policy File Sample
Listing E‑1 Username token authentication with WSSP 1.2 assertions.
Listing E‑1 WSSP 1.2 Policy File Sample
<!-Binding Policy -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken/>
        </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
 
Wssp1.2-Wss1.0-X509.xml File Sample
Listing E‑2  
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body/>
</sp:SignedPart>
</wsp:Policy>
 
SALT WSSP 1.2 Policy Templates
SALT provides a number of WS-SecurityPolicy 1.2 template files you can use for most typical Web Service applications. These policy files are located in directory TUXDIR/udataobj/salt/policy.
 
SALT WSSP 1.2 Policy Template Files
Policy File
Description
wssp1.2-UsernameToken-plain-auth.xml
Username token with plain text password is sent in the request for authentication.
wssp1.2-x509v3-auth.xml
X509 V3 binary token (certificate) is sent in the request for authentication. The request is optionally signed with some message parts in the requests.
wssp1.2-signbody.xml
The entire SOAP body is signed.
These template files can be referenced directly in the WSDF files with location value format:
salt:<template_file_name>
For example, if you want to configure signbody, you can specify the followings in your WSDF file:
<Policy location=”salt:wssp1.2-signbody.xml” />
SALT WSSP1.2 Assertion Description
Below are all SALT supported WSSP 1.2 assertions and limitations for each one. Customers should obey the limitation when writing their own customized WSSP 1.2 policy files. SALT does not check any customized WSSP 1.2 policy file against the limitation rules. If something claimed in the customized WSSP 1.2 policy file cannot be supported by SALT, web service client program may result run time errors.
WS-SecurityPolicy 1.2 assertions not listed below are definitely not supported by SALT.
<sp:SignedParts>
Specifies the parts of a SOAP message to be digitally signed. SALT only supports the entire SOAP body to be signed.
Limitations
Child element <sp:Body> is supported for configuring the entire SOAP body to be signed.
Child element <sp:Header> is not yet supported.
No nesting WSSP 1.2 assertion for this assertion.
<sp:UsernameToken>
Specifies username token to be included in the SOAP message. SALT only supports username token with clear text password defined in WS-Security Username Token Profile 1.0. <UsernameToken> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.
Limitations
Supported Nesting Assertions
<sp:WssUsernameToken10>
Not yet supported Nesting Assertions
<sp:WssUsernameToken11>
<sp:NoPassword>
<sp:HashPassword>
<sp:X509Token>
Specifies a binary security token carrying an X509 token to be included in the SOAP message. <X509Token> assertion must be used as a nested assertion of Security Binding Assertions and Supporting Token Assertions.
Limitations
Supported Nesting Assertions
<sp:WssX509V3Token10>
<sp:WssX509V3Token11>
Non-Supported Nesting Assertions
<sp:WssX509Pkcs7Token10>
<sp:WssX509Pkcs7Token11>
<sp:WssX509PkiPathV1Token10>
<sp:WssX509PkiPathV1Token11>
<sp:WssX509V1Token10>
<sp:WssX509V1Token11>
<sp:AlgorithmSuite>
Specifies the algorithm suite to be used for performing cryptographic operations with security tokens. <AlgorithmSuite> Assertion must be used as a nested assertion of Security Binding Assertions.
Limitations
Supported Nesting Algorithm Suite
<sp:Basic256>
Non-Supported Nesting Algorithm Suites
All the other Algorithm Suite listed in the WS-Security Policy 1.2 specification.
<sp:Layout>
Specifies the layout rules when adding items to the security header. <Layout> Assertion must be used as a nested assertion of Security Binding Assertions.
Limitations
Supported Nesting Layout rules
<sp:Lax>
Non-Supported Nesting Layout rules
<sp:Strict>
<sp:LaxTimestampFirst>
<sp:LaxTimestampLast>
<sp:TransportBinding >
Specifies the message protection and security correlation is provided using the means of the transport. The <TransportBinding> token is used mainly for carrying isolated Username Token in the SOAP message.
Limitations
Supported Nesting Assertions
<sp:TransportToken>
<sp:AlgorithmSuite>
<sp:Layout>
<sp:IncludeTimestamp>
Nesting Assertion <sp:TransportToken> only supports <sp:HttpToken>
Listing E‑3 shows a SALT supported TransportToken Assertion example.
Listing E‑3 Supported TransportToken Assertions
  <sp:TransportBinding>
    <wsp:Policy>
      <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpToken />
        </wsp:Policy>
      </sp:TransportToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
    </wsp:Policy>
  </sp:TransportBinding>
 
<sp:AsymmetricBinding>
Specifies the message protection is provided by means defined in WS-Security SOAP Message Security, and the request and response message can use distinct keys for encryption and signature, because of their different lifecycles. The <AsymmetricBinding> Assertion is used mainly for carrying X.509 binary security token in the SOAP request messages for inbound calls.
Limitations
Supported Nesting Assertions
<sp:InitiatorToken>
<sp:RecipientToken>
<sp:AlgorithmSuite>
<sp:Layout>
<sp:IncludeTimestamp>
<sp:ProtectTokens>
<sp:OnlySignEntireHeadersAndBody>
Non-supported Nesting Assertions
<sp:InitiatorSignatureToken>
<sp:InitiatorEncryptToken>
<sp:RecipientSignatureToken>
<sp:RecipientEncryptToken>
<sp:EncryptBeforeSigning>
<sp:EncryptSignature>
<sp:InitiatorToken> must be associated with <sp:X509Token> and the Token inclusion type must be “AlwaysToRecipient“
<sp:RecipientToken> must be associated with <sp:X509Token> and the Token inclusion type must be “Never”
Listing E‑4 shows a SALT supported AsymmetricBinding assertion example. This assertion indicates the X.509 V3 binary token that defined in WS-Security X.509 Token Profile 1.1 specification is used for digital signature for the SOAP request messages and the X.509 token is always included in the SOAP message security header:
Listing E‑4 Supported AsymmetricBinding Assertion
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token               sp:IncludeToken=”http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never”>
            <wsp:Policy>
              <sp:WssX509V3Token11 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:Algorithm>
        <wsp:Policy>
          <sp:Basic256>
        </wsp:Policy>
      </sp:Algorithm>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp />
    </wsp:Policy>
  </sp:AsymmetricBinding>
 
<sp:SupportingToken>
Specifies security tokens that are included in the security header and may optionally include additional message parts to sign and/or encrypt. For SALT, <SupportingToken> Assertion is used mainly to include Username Token in the security header when <sp:AsymmetricBinding> Assertion is used.
Limitations
Supported Nesting Assertions
<sp:UsernameToken>
<sp:X509Token>
Not-non Supported Nesting Assertions
<sp:SignedParts>
<sp:SignedElements
<sp:EncryptedParts>
<sp:EncryptedElements>
All supported token assertions must be defined with Token inclusion type “AlwaysToRecipient”.
Listing E‑5 shows a SALT supported SupportingToken assertion example. This assertion indicates the Username token is always included in SOAP request messages:
Listing E‑5 Supported SupportingToken Assertion
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
 
 

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.