A Custom Assertions Schema Reference

You can use the XML schema in this appendix as a reference when creating a WS-Policy file that contains custom web service assertions.

This appendix includes the following topics:

  • Element Hierarchy of Custom Assertions in a WS-Policy File

  • Custom Assertion Elements

A.1 Element Hierarchy of Custom Assertions in a WS-Policy File

The following figure illustrates the element hierarchy of the custom assertions in a WS-Policy file, shown here as an indented element tree (each element is described in Section A.2):

Figure A-1 Element Hierarchy of Custom Assertion

wsp:Policy
  orasp:Assertion (for the sample IP assertion, orasp:ipAssertion)
    orawsp:bindings
      orawsp:Implementation
      orawsp:Config
        orawsp:PropertySet
          orawsp:Property
            orawsp:Description
            orawsp:Value

A.2 Custom Assertion Elements

A.2.1 wsp:Policy

The <wsp:Policy> element is the root element of the policy file and groups the nested policy assertions. The table and example below describe its attributes.

Attributes

The following table summarizes the Oracle extensions to the WS-Policy attributes. They are carried in the orawsp namespace (http://schemas.oracle.com/ws/2006/01/policy), as the example shows.

Table A-1 Oracle Extensions to WS-Policy Attributes

attachTo
    Policy subjects to which the policy can be attached. Valid values include: binding.client, binding.server and binding.any.

category
    Category of the policy. Valid values include: security and management.

description
    Description of the policy.

status
    Status of the policy. Valid values include: enabled and disabled.

Example

The following example illustrates the <wsp:Policy> element:

<wsp:Policy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
  orawsp:status="enabled"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  orawsp:category="security"
  orawsp:attachTo="binding.server"
  wsu:Id="ip_assertion_policy"
  xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  wsp:Name="oracle/ip_assertion_policy">

A.2.2 orasp:Assertion

The <orasp:Assertion> element is the main element of the custom assertion. The element is named after the assertion, so the sample IP assertion uses <orasp:ipAssertion>. The tables and example below describe its attributes.

Attributes

The following table summarizes the attributes of the <orasp:Assertion> element. As the example shows, all of them are in the orawsp namespace.

Table A-2 Attributes of <orasp:Assertion> Element

Optional
    Flag that specifies whether the assertion is optional or required.

Silent
    Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised.

Enforced
    Flag that specifies whether the assertion is currently enabled.

name
    Name of the assertion.

description
    Description of the assertion.

category
    Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging and management.

provides
    Web service endpoint type to which this policy can be attached.

    Note: This attribute is required for RESTful endpoints.

    For example, to specify RESTful web services:

    orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}REST_HTTP"

Example

The following example illustrates the <orasp:Assertion> element:

<orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true"
orawsp:name="WSSecurity IpAssertion Validator"
orawsp:category="security/authentication"
orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}REST_HTTP">
...
</orasp:ipAssertion>

Update the provides Attribute to Secure SOAP Web Service Endpoints

To secure a SOAP web service endpoint, add the SCA intents to the provides attribute in the custom policy file, after the endpoint type (see the example at the end of this section). Each intent you list tells the SCA runtime that the assertion provides that guarantee, so include only the intents the assertion actually realizes. The following table describes the intents.

Table A-3 Intents for provides Attribute to Secure the SOAP Web Service Endpoints

serverAuthentication (Security Policy)
    When specified, an SCA runtime ensures that the server is authenticated by the client.

clientAuthentication (Security Policy)
    When specified, an SCA runtime ensures that the client is authenticated by the server.

authentication (Security Policy)
    A profile intent that requires only clientAuthentication. It is retained for backwards compatibility.

mutualAuthentication (Security Policy)
    A profile intent that includes both the serverAuthentication and the clientAuthentication intents.

confidentiality (Security Policy)
    Indicates that the message contents are accessible only to those authorized to have access (for example, the service client and the service provider). When the confidentiality intent is specified, an SCA runtime ensures that only authorized entities can view the contents of a message.

integrity (Security Policy)
    Ensures that messages are not tampered with or altered between the sender and the receiver, generally by digitally signing the message or by other means. When the integrity intent is specified, an SCA runtime ensures that the message contents are not altered.

    The integrity intent, like serverAuthentication, clientAuthentication and confidentiality, can carry one of the following qualifiers:

      • transport – the qualified intent is realized at the transport or transfer layer of the communication protocol, such as HTTPS. When a serverAuthentication, clientAuthentication, confidentiality or integrity intent is qualified by transport, an SCA runtime delegates serverAuthentication, clientAuthentication, confidentiality and integrity, respectively, to the transport layer of the communication protocol.

      • message – the qualified intent is realized at the message level of the communication protocol. When a serverAuthentication, clientAuthentication, confidentiality or integrity intent is qualified by message, an SCA runtime delegates serverAuthentication, clientAuthentication, confidentiality and integrity, respectively, to the message layer of the communication protocol.

atLeastOnce (Reliability Policy)
    The binding implementation ensures that a message that is successfully sent by a service consumer or service implementation is delivered to the destination (service implementation or service consumer). The message can be delivered more than once. When the atLeastOnce intent is specified, an SCA runtime ensures that the message is delivered to the destination service implementation or service consumer.

atMostOnce (Reliability Policy)
    The binding implementation ensures that a message that is successfully sent by a service consumer or service implementation is not delivered more than once to the service implementation or service consumer. It does not ensure that the message is delivered at all. When the atMostOnce intent is specified, an SCA runtime does not deliver duplicates of a message to the service implementation.

ordered (Reliability Policy)
    The binding implementation ensures that the messages sent by a service client via a single service reference are delivered to the target service implementation in the order in which they were sent. This intent does not ensure that the messages are delivered at all, nor does it order messages sent via different service references by a single service client, even when each reference targets the same service implementation.

    When the ordered intent is specified, an SCA runtime delivers messages sent by a single source to a single destination service implementation in the order in which that source sent them.

    For service interfaces that involve messages being sent back from the service implementation to the service client (for example, a service with a callback interface), the ordered intent also makes the binding implementation deliver the messages sent by the service implementation over a given wire to the service client in the order in which the service implementation sent them. The intent does not ensure that those messages are delivered to the service consumer.

exactlyOnce (Reliability Policy)
    The binding implementation ensures that a message sent by a service consumer is delivered to the service implementation, and that it is not delivered more than once. When the exactlyOnce intent is specified, an SCA runtime delivers a message to the destination service implementation exactly once, with no duplicates.

Example

The following example illustrates the intents added to the provides attribute to secure a SOAP web service endpoint:

<orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true"
    orawsp:name="WSSecurity IpAssertion Validator"
    orawsp:category="security/authentication"
    orawsp:provides="{http://schemas.oracle.com/ws/2006/01/policy}SOAP_HTTP,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}serverAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}clientAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}authentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}mutualAuthentication,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}confidentiality,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}integrity,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}atLeastOnce,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}atMostOnce,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}ordered,
    {http://docs.oasis-open.org/ns/opencsa/sca/200912}exactlyOnce">
</orasp:ipAssertion>

A.2.3 orawsp:bindings

The <orawsp:bindings> element groups the implementation class and the configuration of the custom assertion, that is, the <orawsp:Implementation> and <orawsp:Config> elements described next. The example below illustrates it.

Example

The following example illustrates the <orawsp:bindings> element:

<orawsp:bindings>
...
</orawsp:bindings>

A.2.4 orawsp:Implementation

The <orawsp:Implementation> element names the class that implements the custom assertion, by its fully qualified class name. The example below illustrates it.

Example

The following example illustrates the <orawsp:Implementation> element:

<orawsp:Implementation>sampleassertion.IpAssertionExecutor</orawsp:Implementation>

A.2.5 orawsp:Config

The <orawsp:Config> element defines the configuration for the custom assertion. The table and example below describe its attributes.

Attributes

The following table summarizes the attributes of the <orawsp:Config> element.

Table A-4 Attributes of <orawsp:Config> Element

name
    Name of the configuration.

type
    Category to which the configuration applies.

configType
    Configuration type. Valid values include: declarative and programmatic.

      • declarative – Use deployment descriptors and configuration files to describe authentication and authorization requirements.

      • programmatic – Embed security enforcement within the application.

Example

The following example illustrates the <orawsp:Config> element:

<orawsp:Config orawsp:name="ipassertion" orawsp:configType="declarative">

A.2.6 orawsp:PropertySet

The <orawsp:PropertySet> element groups nested properties. The table and example below describe its attributes.

Attributes

The following table summarizes the attributes of the <orawsp:PropertySet> element.

Table A-5 Attributes of <orawsp:PropertySet> Element

name
    Name of the property set.

Example

The following example illustrates the <orawsp:PropertySet> element:

<orawsp:PropertySet orawsp:name="valid_ips">

A.2.7 orawsp:Property

The <orawsp:Property> element defines a single property. The table and example below describe its attributes.

Attributes

The following table summarizes the attributes of the <orawsp:Property> element.

Table A-6 Attributes of <orawsp:Property> Element

name
    Name of the property.

type
    Type of the property. For example, string.

contentType
    Specifies whether the property is required and whether it can be overridden. Valid values include:

      • constant – Property is a constant value and cannot be overridden.

      • required – Property is required and can be overridden.

      • optional – Property is optional and can be overridden.

    For information about overriding policies, see "Overriding Policy Configuration Overrides" in Administering Web Services.

Example

The following example illustrates the <orawsp:Property> element:

<orawsp:Property orawsp:name="valid_ips" orawsp:type="string"
 orawsp:contentType="constant">

A.2.8 orawsp:Description

The <orawsp:Description> element provides a human-readable description of the property. The example below illustrates it.

Example

The following example illustrates the <orawsp:Description> element:

<orawsp:Description>Valid IP Values</orawsp:Description>

A.2.9 orawsp:Value

The <orawsp:Value> element holds the value of the property; for the sample IP assertion, a comma-separated list of the IP addresses that the assertion accepts. The example below illustrates it.

Example

The following example illustrates the <oraswsp:Value> element:

<orawsp:Value>140.87.6.143,10.178.93.107</orawsp:Value>
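Added example, not Oracle's code and not the sampleassertion.IpAssertionExecutor class this appendix names: a Python script that assembles the fragments from Sections A.2.1 to A.2.9 into one constructed policy document, parses the element hierarchy of Section A.1, checks the attribute values against the permitted values in Tables A-1, A-2, A-3 and A-6 (including the SCA intents in the provides attribute), and applies the valid_ips property the way an IP allowlist assertion would. The functions parse_policy, check_policy, split_provides and is_client_allowed, the SAMPLE_POLICY text, and the dotted intent.qualifier spelling for qualified intents (taken from the SCA Policy Framework, not from this appendix) are assumptions of the example.

```python
# Added example (not Oracle's code): parse and lint an OWSM-style custom assertion policy file.
import ipaddress
import re
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SCA = "http://docs.oasis-open.org/ns/opencsa/sca/200912"

# Permitted values as listed in Tables A-1, A-2, A-3 and A-6 of this appendix.
ATTACH_TO = {"binding.client", "binding.server", "binding.any"}
POLICY_CATEGORY = {"security", "management"}
STATUS = {"enabled", "disabled"}
ASSERTION_CATEGORY = {"security/authentication", "security/msg-protection",
                      "security/authorization", "security/logging", "management"}
CONTENT_TYPE = {"constant", "required", "optional"}
SCA_INTENTS = {"serverAuthentication", "clientAuthentication", "authentication", "mutualAuthentication",
               "confidentiality", "integrity", "atLeastOnce", "atMostOnce", "ordered", "exactlyOnce"}
QUALIFIERS = {"transport", "message"}  # assumed to be spelled intent.qualifier, as in SCA
QNAME_RE = re.compile(r"\{([^}]*)\}([^\s,]+)")  # one {namespace}local entry of provides
# Constructed sample: the fragments from A.2.1 to A.2.9 assembled into one document.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:orasp="{ORASP}" xmlns:orawsp="{ORAWSP}"
    xmlns:wsu="{WSU}" orawsp:status="enabled" orawsp:category="security"
    orawsp:attachTo="binding.server" wsu:Id="ip_assertion_policy" wsp:Name="oracle/ip_assertion_policy">
  <orasp:ipAssertion orawsp:Silent="true" orawsp:Enforced="true" orawsp:name="WSSecurity IpAssertion Validator"
      orawsp:category="security/authentication" orawsp:provides="{{{ORAWSP}}}REST_HTTP">
    <orawsp:bindings>
      <orawsp:Implementation>sampleassertion.IpAssertionExecutor</orawsp:Implementation>
      <orawsp:Config orawsp:name="ipassertion" orawsp:configType="declarative">
        <orawsp:PropertySet orawsp:name="valid_ips">
          <orawsp:Property orawsp:name="valid_ips" orawsp:type="string" orawsp:contentType="constant">
            <orawsp:Description>Valid IP Values</orawsp:Description>
            <orawsp:Value>140.87.6.143,10.178.93.107</orawsp:Value>
          </orawsp:Property>
        </orawsp:PropertySet>
      </orawsp:Config>
    </orawsp:bindings>
  </orasp:ipAssertion>
</wsp:Policy>"""

def _attr(el, ns, name): return el.get(f"{{{ns}}}{name}")

def split_provides(value):
    """(namespace, local-name) pairs of an orawsp:provides value."""
    return [m.groups() for m in QNAME_RE.finditer(value or "")]

def parse_policy(xml_text):
    """Dict view of the file: wsp:Policy attributes plus one entry per assertion element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{WSP}}}Policy":
        raise ValueError(f"root element must be wsp:Policy, got {root.tag}")
    policy = {"name": _attr(root, WSP, "Name"), "assertions": [],
              **{k: _attr(root, ORAWSP, k) for k in ("attachTo", "category", "status")}}
    for a in root:  # each child of wsp:Policy is one custom assertion element
        props = {}
        for prop in a.iter(f"{{{ORAWSP}}}Property"):
            val = prop.find(f"{{{ORAWSP}}}Value")
            props[_attr(prop, ORAWSP, "name")] = {
                "contentType": _attr(prop, ORAWSP, "contentType"),
                "value": (val.text or "").strip() if val is not None else ""}
        policy["assertions"].append({
            "element": a.tag, "category": _attr(a, ORAWSP, "category"),
            "provides": split_provides(_attr(a, ORAWSP, "provides")), "properties": props})
    return policy

def check_policy(policy):
    """Lint findings against the permitted values above; an empty list means clean."""
    f = []
    for key, ok in (("attachTo", ATTACH_TO), ("category", POLICY_CATEGORY), ("status", STATUS)):
        if policy[key] not in ok:
            f.append(f"wsp:Policy {key} {policy[key]!r} not one of {sorted(ok)}")
    for a in policy["assertions"]:
        tag = a["element"]
        if a["category"] not in ASSERTION_CATEGORY:
            f.append(f"{tag}: category {a['category']!r} invalid")
        for ns, local in a["provides"]:
            base, _, qual = local.partition(".")
            if ns == SCA and (base not in SCA_INTENTS or (qual and qual not in QUALIFIERS)):
                f.append(f"{tag}: unknown SCA intent {local!r}")
            elif ns not in (SCA, ORAWSP):
                f.append(f"{tag}: provides entry {local!r} in unexpected namespace {ns!r}")
        for name, p in a["properties"].items():
            if p["contentType"] not in CONTENT_TYPE:
                f.append(f"{tag}: property {name!r} contentType {p['contentType']!r} invalid")
    return f

def is_client_allowed(policy, remote_addr, prop_name="valid_ips"):
    """Exact match of the observed client address against the parsed allowlist: comparing addresses,
    not substrings, stops 10.178.93.10 matching 10.178.93.107; a malformed entry raises (fail closed)."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # unparsable client address: deny
    values = [p["value"] for a in policy["assertions"] for n, p in a["properties"].items() if n == prop_name]
    allowed = {ipaddress.ip_address(t.strip()) for v in values for t in v.split(",")}
    return addr in allowed
```

Two details matter for an allowlist assertion of this kind: compare parsed addresses, never substrings (the raw string 10.178.93.107 contains 10.178.93.10), and treat a malformed entry as a configuration error rather than silently dropping it, so that a bad policy fails closed. An IP assertion can also only judge the address the server observes; behind a reverse proxy or load balancer that is the proxy's address, not the caller's.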