This appendix summarizes the predefined policies and contains the following sections:
Oracle has been instrumental in contributing to emerging standards, in particular the specifications hosted by the OASIS Web Services Secure Exchange technical committee. Oracle has contributed to the OASIS WS-SX technical committee several practical security scenarios, a subset of which are implemented in the predefined policies.
Note: For information about WebLogic Web service policies, see Securing WebLogic Web Services for Oracle WebLogic Server.
The following sections describe the security policies.
The following authentication only policies are provided for SOAP and RESTful Web services.
Table B-1 summarizes the security policies that enforce authentication only and can be attached to both SOAP and RESTful Web services.
Table B-1 Authentication Only Policies—SOAP and RESTful Web Services
Table B-2 summarizes the security policies that enforce authentication only for SOAP Web services and indicates whether the token is inserted at the transport layer or SOAP header.
Table B-2 Authentication Only Policies—SOAP Web Services Only
Client Policy | Service Policy | Authentication Transport | Authentication SOAP |
---|---|---|---|
oracle/wss_http_token_client_policy | oracle/wss_http_token_service_policy | Yes | No |
oracle/wss_username_token_client_policy | oracle/wss_username_token_service_policy | No | Yes |
oracle/wss10_saml_token_client_policy | oracle/wss10_saml_token_service_policy | No | Yes |
oracle/wss10_saml20_token_client_policy | oracle/wss10_saml20_token_service_policy | No | Yes |
oracle/wss11_kerberos_token_client_policy | oracle/wss11_kerberos_token_service_policy | No | Yes |
This policy includes credentials in the HTTP header for outbound client requests. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client endpoint.
Note: Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_basic_auth_over_ssl_service_policy".
This policy uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Note: This policy functions similarly to oracle/wss_http_token_over_ssl_service_policy. The only difference is that Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_basic_auth_over_ssl_service_policy".
This policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_client_template. See "oracle/http_jwt_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy authenticates users using the username provided in the JWT token in the HTTP header.
This policy can be applied to any HTTP-based endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_service_template. See "oracle/http_jwt_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_client_template. See "oracle/http_jwt_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
This policy can be applied to any HTTP-based endpoint.
This policy contains the following policy assertion: oracle/http_jwt_token_over_ssl_service_template. See "oracle/http_jwt_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/http_jwt_token_client_policy".
This policy verifies that the OAM agent has authenticated the user and has established an identity. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_oam_token_service_template. See "oracle/http_oam_token_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_oam_token_service_policy".
This policy includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. This policy can be enforced on any HTTP-based client endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_client_template. See "oracle/http_saml20_token_bearer_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_token_bearer_client_policy".
This policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_service_template. See "oracle/http_saml20_token_bearer_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_service_policy".
This policy includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. The policy verifies that the transport protocol provides SSL message protection. This policy can be attached to any HTTP-based client endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_client_template. See "oracle/http_saml20_token_bearer_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_over_ssl_client_policy".
This policy authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any HTTP-based endpoint.
This policy contains the following assertion template, which defines the settings and configuration properties for the policy assertion: oracle/http_saml20_token_bearer_service_template. See "oracle/http_saml20_token_bearer_service_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/http_saml20_bearer_token_over_ssl_service_policy".
This policy enforces one of the following authentication policies, based on the token sent by the client:
- HTTP Basic—Extracts username and password credentials from the HTTP header.
- SAML 2.0 Bearer token in the HTTP header—Extracts SAML 2.0 Bearer assertion in the HTTP header.
- HTTP OAM security—Verifies that the OAM agent has authenticated the user and establishes identity.
- SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Kerberos token from the HTTP header.
- JWT token in the HTTP header—Extracts username from the JWT token in the HTTP header.
This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
- oracle/wss_http_token_service_template. For more information, see "oracle/wss_http_token_client_template".
- oracle/http_saml20_token_bearer_service_template. For more information, see "oracle/http_saml20_token_bearer_service_template".
- oracle/http_oam_token_service_template. For more information, see "oracle/http_oam_token_service_template". (Provides OAM protection on the server-side only.)
- oracle/http_spnego_token_service_template. For more information, see "oracle/http_spnego_token_service_template".
- oracle/http_jwt_token_service_template. For more information, see "oracle/http_jwt_token_service_template".
This policy enforces one of the following authentication policies, based on the token sent by the client:
- HTTP Basic over SSL—Extracts username and password credentials from the HTTP header.
- SAML 2.0 Bearer token in the HTTP header over SSL—Extracts SAML 2.0 Bearer assertion in the HTTP header.
- HTTP OAM security (non-SSL)—Verifies that the OAM agent has authenticated the user and establishes identity. (Provides non-SSL OAM protection on the server-side only.)
- SPNEGO over HTTP security (non-SSL)—Extracts SPNEGO Kerberos token information from the HTTP header. (Provides non-SSL protection only.)
- JWT token in the HTTP header over SSL—Extracts username from the JWT token in the HTTP header.
This policy contains the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
- oracle/wss_http_token_over_ssl_service_template. For more information, see "oracle/wss_http_token_over_ssl_service_template".
- oracle/http_saml20_token_over_ssl_bearer_service_policy. For more information about configuring this policy, see "oracle/http_saml20_token_bearer_service_template".
- oracle/http_oam_token_service_template. (Provides non-SSL OAM protection on the server-side only.) For more information, see "oracle/http_oam_token_service_template".
- oracle/http_spnego_token_service_template. (Provides non-SSL protection only.) For more information, see "oracle/http_spnego_token_service_template".
- oracle/http_jwt_token_over_ssl_service_template. For more information, see "oracle/http_jwt_token_over_ssl_service_template".
The wss_http_token_client_policy includes credentials in the HTTP header for outbound client requests. This policy can be enforced on any HTTP-based client.
Note: Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_client_template. See "oracle/wss_http_token_client_template" for more information about the assertion.
For more information about configuring the policy, see "oracle/wss_http_token_client_policy".
The wss_http_token_service_policy uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy can be enforced on any HTTP-based endpoint.
Note: Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_service_template. See "oracle/wss_http_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_service_policy".
This policy includes credentials in the WS-Security UsernameToken SOAP header for all outbound SOAP request messages. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Notes: Digest passwords are not supported in this release. This policy is not secure; it transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this policy, oracle/wss_username_token_over_ssl_client_policy.
This policy contains the following policy assertion: oracle/wss_username_token_client_template. See "oracle/wss_username_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_client_policy".
This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
Note: Digest passwords are not supported in this release. This policy is not secure; it transmits the password in clear text. You should use this policy in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this policy, oracle/wss_username_token_over_ssl_service_policy.
This policy contains the following policy assertion: oracle/wss_username_token_service_template. See "oracle/wss_username_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss10_saml_token_client_template. See "oracle/wss10_saml_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_client_policy".
This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss10_saml_token_service_template. See "oracle/wss10_saml_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss10_saml20_token_client_template. See "oracle/wss10_saml20_token_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_client_policy".
This policy authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss10_saml20_token_service_template. See "oracle/wss10_saml20_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_service_policy".
This policy includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy is compatible with MIT and Active Directory KDCs. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_client_template. See "oracle/wss11_kerberos_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_kerberos_token_client_policy".
This policy is enforced in accordance with the WS-Security Kerberos Token Profile v1.1 standard. This policy extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. This policy is compatible with MIT and Active Directory KDCs. This policy can be attached to any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss11_kerberos_token_service_template. See "oracle/wss11_kerberos_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy".
Table B-3 summarizes the policies that enforce message protection only, and indicates whether the policy is enforced at the transport layer or SOAP header.
Table B-3 Message-Protection Only Policies
Client Policy | Service Policy | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|---|
oracle/wss10_message_protection_client_policy | oracle/wss10_message_protection_service_policy | No | No | No | Yes |
oracle/wss11_message_protection_client_policy | oracle/wss11_message_protection_service_policy | No | No | No | Yes |
This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses the WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_message_protection_client_template. See "oracle/wss10_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The messages are protected using WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_message_protection_service_template. See "oracle/wss10_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_message_protection_service_policy".
This policy provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_message_protection_client_template. See "oracle/wss11_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
This policy uses the symmetric key technology for signing and encryption, and the WS-Security's Basic 128 suite of asymmetric key technology for endorsing signatures. For more information about the available asymmetric algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss11_message_protection_service_template. See "oracle/wss11_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss11_message_protection_service_policy".
Table B-4 summarizes the policies that enforce both message protection and authentication but do not conform to the WS-Security 1.0 or 1.1 standard. The table indicates whether the policy is enforced at the transport layer or SOAP header.
Table B-4 Message Protection and Authentication Policies
This policy includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based client.
Note: Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_client_template. See "oracle/wss_http_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_over_ssl_client_policy".
This policy extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be enforced on any HTTP-based endpoint.
Notes: This policy functions similarly to oracle/http_basic_auth_over_ssl_service_policy. The only difference is that Currently only HTTP basic authentication is supported.
This policy contains the following policy assertion: oracle/wss_http_token_over_ssl_service_template. See "oracle/wss_http_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_http_token_over_ssl_service_policy".
This policy enforces one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
- SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
- WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
This policy contains the following assertions, as an OR group—meaning either type of policy can be enforced by a client:
- oracle/wss_saml_token_service_template. See "oracle/wss10_saml_token_service_template" for more information about the assertion.
- oracle/wss_username_token_service_template. See "oracle/wss_username_token_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_service_policy" and "oracle/wss_username_token_service_policy".
This policy enforces message protection (integrity and confidentiality) and one of the following authentication policies, based on whether the client uses a SAML or username token, respectively:
- SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
- WS-Security UsernameToken SOAP header to authenticate users against the configured identity store.
This policy contains the following assertions, as an OR group—meaning either type of policy can be enforced by a client:
- oracle/wss_saml_token_over_ssl_service_template. See "oracle/wss_saml_token_over_ssl_service_template" for more information about the assertion.
- oracle/wss_username_token_over_ssl_service_template. See "oracle/wss_username_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy" and "oracle/wss_username_token_over_ssl_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_client_template. See "oracle/wss_saml_token_bearer_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_client_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_client_template. See "oracle/wss_saml_token_bearer_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_client_policy".
This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml_token_bearer_over_ssl_service_template. See "oracle/wss_saml_token_bearer_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_bearer_over_ssl_service_policy".
This policy includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_client_template. See "oracle/wss_saml20_token_bearer_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_client_policy".
This policy authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header. The credentials in the SAML token are authenticated against a SAML login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml20_token_bearer_over_ssl_service_template. See "oracle/wss_saml20_token_bearer_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_bearer_over_ssl_service_policy".
This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_client_template. See "oracle/wss_saml_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_client_policy".
This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml_token_over_ssl_service_template. See "oracle/wss_saml_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml_token_over_ssl_service_policy".
This policy includes SAML tokens in outbound WS-Security SOAP headers using the sender-vouches confirmation type. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based client.
This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_client_template. See "oracle/wss_saml20_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_client_policy".
This policy enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type. The SAML token is mapped to a user in the configured identity store. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any SOAP-based endpoint.
This policy contains the following policy assertion: oracle/wss_saml20_token_over_ssl_service_template. See "oracle/wss_saml20_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_saml20_token_over_ssl_service_policy".
This policy includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based client.
Note: Digest passwords are not supported in this release.
This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_client_template. See "oracle/wss_username_token_over_ssl_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_over_ssl_client_policy".
This policy uses the credentials in the WS-Security UsernameToken SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The policy verifies that the transport protocol provides SSL message protection. Both plain text and digest mechanisms are supported. This policy can be attached to any SOAP-based endpoint.
Note: Digest passwords are not supported in this release.
This policy contains the following policy assertion: oracle/wss_username_token_over_ssl_service_template. See "oracle/wss_username_token_over_ssl_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss_username_token_over_ssl_service_policy".
This policy provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with holder of key confirmation.
The policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_hok_with_message_protection_client_template. See "oracle/wss10_saml_hok_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_hok_with_message_protection_service_template. See "oracle/wss10_saml_hok_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_hok_token_with_message_protection_service_policy".
This policy provides message-level integrity and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_client_policy".
This policy enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. It extracts the SAML token from the WS-Security binary security token or the current Java Authentication and Authorization Service (JAAS) subject, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies and SHA-1 hashing algorithm for message integrity. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_integrity_service_policy".
This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".
This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_client_template. See "oracle/wss10_saml20_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
This policy uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml20_token_with_message_protection_service_template. See "oracle/wss10_saml20_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml20_token_with_message_protection_service_policy".
This policy provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_client_template. See "oracle/wss10_saml_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_client_policy".
This policy enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. The Web service consumer includes a SAML token in the SOAP header and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
The policy uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for the encryption key in the request and for both signature and encryption keys in the response. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_saml_token_with_message_protection_service_template. See "oracle/wss10_saml_token_with_message_protection_service_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_saml_token_with_message_protection_service_policy".
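The replay protection option that the SAML message-protection policies above describe (time stamps and SAML token limits, verified by the Web service provider) comes down to the checks sketched below. This is an added example, not Oracle's implementation: the `check_replay` function, the 60-second skew, the ID cache and the sample header are assumptions, and it uses SAML 2.0 element names.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted input
from datetime import datetime, timedelta, timezone

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SKEW = timedelta(seconds=60)  # assumed clock-drift tolerance

def _ts(text):
    # xs:dateTime in UTC without fractional seconds, as in the sample below
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_replay(security_xml, now, seen):
    """Return "ok" or the rejection reason. `seen` maps assertion ID -> expiry.
    Signature verification must already have covered both elements."""
    sec = ET.fromstring(security_xml)
    try:
        created = _ts(sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS))
        expires = _ts(sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS))
        assertion = sec.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS)
        not_before = _ts(cond.get("NotBefore"))
        not_after = _ts(cond.get("NotOnOrAfter"))
        assertion_id = assertion.attrib["ID"]
    except (AttributeError, KeyError, ValueError):
        return "missing or malformed freshness data"
    if created > now + SKEW:
        return "timestamp from the future"
    if expires + SKEW <= now:
        return "timestamp expired"
    if not_before > now + SKEW or not_after + SKEW <= now:
        return "assertion outside validity window"
    # Forget IDs whose assertions can no longer pass the window check.
    for old in [i for i, exp in seen.items() if exp + SKEW <= now]:
        del seen[old]
    if assertion_id in seen:
        return "replayed assertion"
    seen[assertion_id] = not_after
    return "ok"

# Constructed sample header (not captured traffic).
_XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE = f"""<wsse:Security {_XMLNS}>
  <wsu:Timestamp><wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
    <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <saml:Assertion ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</wsse:Security>"""
```

The ID cache only has to remember an assertion until its `NotOnOrAfter` plus the skew has passed, which is why a short validity window keeps the cache small.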
This policy provides message protection (integrity and confidentiality) and identity propagation for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials (only username) are included in outbound SOAP request messages via a WS-Security UsernameToken header. No password is included. This policy can be enforced on any SOAP-based client.
Message protection is provided using WS-Security's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see "Supported Algorithm Suites".
This policy contains the following policy assertion: oracle/wss10_username_token_with_message_protection_client_template. See "oracle/wss10_username_token_with_message_protection_client_template" for more information about the assertion.
For information about configuring the policy, see "oracle/wss10_username_id_propagation_with_msg_protection_client_policy".
This policy enforces message level protection (i.e., integrity and confidentiality) and identity propagation for inbound SOAP requests using mechanisms described in WS-Security 1.0. This policy can be enforced on any SOAP-based endpoint.
Message protection is provided using WS-Security 1.0's Basic128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, the SHA-1 hashing algorithm for integrity, and AES-128 bit encryption. For more information about the available algorithms for message protection, see