Security Policies

When a composite needs to invoke an edge application web service, an appropriate security policy should be attached to the reference web service of the composite.

• Invoking edge application XAI Service

When calling an edge application XAI service, the security policy to attach to the reference web service of the composite is oracle/wss_http_token_client_policy.

• Invoking edge application Inbound Web Service (IWS)

When calling an edge application Inbound Web Service (IWS), the security policy to attach to the reference web service of the composite is dependent on the annotation specified in the IWS wsdl.

• If a security policy annotation is specified in the edge application’s Inbound Web Service, use the policy specified.

Example 1: The policy defined in the IWS wsdl is UsernameToken, meaning that oracle/wss_username_token_client_policy should be attached to the composite’s reference web service.

Example 2: The policy defined in the IWS wsdl is Https-BasicAuth xml meaning that HTTP Basic Authentication over SSL Including Timestamp is required. The oracle/wss_http_token_over_ssl_client_policy should be attached to the composite’s reference web service.

• If no security policy annotation is specified in the edge application’s Inbound Web Service and the edge application is using Framework 4.3.0.2.0, a default security policy oracle/wss_http_token_over_ssl_client_policy will be used by the edge application’s Inbound Web Service. The default policy can be changed in the edge application’s Feature Configuration Menu.

Refer to the specific edge application implementation guide for more information.

• If the edge application is using Framework 4.2.0, a security policy annotation has to be specified in the edge application’s Inbound Web Service. In this version of framework, there is no default security policy specified. oracle/wss_http_token_client_policy has to be specified in the edge application’s Inbound Web Service security policy annotation.