5 Web Service Security
Documaker Web Services (DWS) are secured by the web application server's implementation of the Web Service-Security (WS-S) standards. Both WebLogic and WebSphere provide standard WS-S implementations that let you define security policies, including access and authorization controls, for web service consumption. Ensure DWS is configured with appropriate policies and roles to prevent unauthorized consumption of its web services. In environments that require a higher level of security, the best practice for securing Documaker web services is to implement the following measures with WebLogic Server:
- Message-level security
- Transport-level security
- Access control security (only required if corporate security policy dictates that access to web services should be restricted)
You can attach two types of policies to WebLogic Web Services: Oracle Web Services Manager policy and WebLogic Web Service policy.
WebLogic Server includes pre-packaged WS-Policy files, which are static and cannot be changed. Predefined policies are available in the following categories:
- Reliable Messaging
- SOAP Message Transmission Optimization Mechanism (MTOM)
- Security: two sets of pre-packaged security policy files are available for configuring message-level security. One set conforms to the OASIS WS-SecurityPolicy 1.2 specification, and the other set conforms to a proprietary Oracle Web services security policy schema.
Oracle WSM includes a set of predefined policies in the following categories:
- Security
- WS-Addressing
- MTOM
- Reliable Messaging
- Management
Note:
The Administration Console allows you to associate as many WS-Policy files as you want to a Web service and its operations, even if the policy assertions in the files contradict each other. It is up to you to ensure that multiple associated WS-Policy files work together. If any contradictions do exist, WebLogic Server will return a runtime error when a client application invokes the Web service.
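The following is an added example, not code from the Documaker product or this guide, showing how one of the pre-packaged WebLogic WS-SecurityPolicy 1.2 files described above is attached to a JAX-WS endpoint with the `weblogic.jws.Policy` annotation so that both transport-level (HTTPS) and message-level (UsernameToken) security apply to every inbound request. The service and method names are hypothetical, and the policy file name is assumed to be present in your WebLogic version's pre-packaged policy set (check the server's list before deploying).

```java
import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

// Hypothetical DWS-style endpoint used only to illustrate policy attachment.
@WebService(name = "DocumakerPublish", serviceName = "DocumakerPublishService")
@Policies({
    // A single pre-packaged policy that requires the HTTPS transport binding
    // AND a WS-Security UsernameToken in the SOAP header. Using one file that
    // covers both layers avoids attaching two files whose assertions could
    // contradict each other (which WebLogic only reports at invocation time).
    // "policy:" tells WebLogic to look in its built-in policy store.
    @Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
            // Inbound only: clients must authenticate to the service; the
            // response direction is already protected by the HTTPS channel.
            direction = Policy.Direction.inbound,
            // Publish the policy in the WSDL so consumers can discover the
            // requirements instead of learning them from a SOAP fault.
            attachToWsdl = true)
})
public class DocumakerPublishImpl {

    // Every operation on this class inherits the class-level policy; a
    // different @Policy on a method would apply to that operation only.
    @WebMethod
    public String publish(String requestXml) {
        // Business logic would go here; the container has already rejected
        // any request that arrived over plain HTTP or without a valid
        // UsernameToken before this method runs.
        return "<publishResult status=\"accepted\"/>";
    }
}
```

Access control (the third measure listed above) is layered on separately through the server's role mappings for the deployed service; the policy file governs only how the request must be transported and authenticated.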