8 Web Services Development, Security, and Administration

This chapter describes issues associated with Web services development, security, and administration, including Oracle Web Services Manager.

8.1 Reviewing Policy Configuration Override Values After Detaching a Client Policy

If you attach a policy to a client, override policy configuration values, and subsequently detach the policy, the policy configuration override values are not deleted. When attaching new policies to this client, ensure that you review the policy configuration override values and update them appropriately.

8.2 Removing Post-deployment Customizations

When the connections.xml file is changed after deployment using the AdfConnection MBean, the complete connection is saved as a customization. This means that changes to the connection in a redeployed application are overwritten by the customization.

When you use Fusion Middleware Control to make changes to an application's connections.xml file after deployment, a new connections.xml file is created as a customization and stored in the MDS repository. This customization persists for the life of the application. Therefore, if you redeploy the application, the customized connections.xml file continues to be applied as a customization on the application.

To allow the redeployed application's connections.xml file to be applied without the prior customization (from Fusion Middleware Control), you must explicitly remove the connections.xml customizations from the MDS repository.

For example, suppose you deploy an application with a Web services data control, use Fusion Middleware Control to attach the 'username token client policy', and subsequently detach the policy. You then return to JDeveloper, edit the application to attach the 'http token client policy', and redeploy it. When you view the application in Fusion Middleware Control, you see that it is not using the 'http token client policy' you attached, because the customized connections.xml file that you previously created in Fusion Middleware Control still takes precedence.

If you remove the connections.xml customizations from the MDS repository, the application uses its own connections.xml file.
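
The following WLST (Jython) script is an added example, not part of the release notes or Oracle's own tooling. It shows one way to perform the removal described above: it exports the connections.xml customization to a backup directory and then deletes it from the MDS repository using the WLST exportMetadata and deleteMetadata commands. The MDS document path of the customization, the application name, the server name, and the backup directory are assumptions and placeholders; confirm the path against the exportMetadata output before deleting anything.

```python
# Added example (not from the Oracle release notes): WLST/Jython script that
# removes the connections.xml customization an application accumulated in MDS
# after post-deployment edits in Fusion Middleware Control, so that the
# redeployed application's own connections.xml applies.
#
# Assumptions:
#   - the MDS document path of the customization,
#     /META-INF/mdssys/cust/adfshare/adfshare/connections.xml.xml, is the one
#     ADF uses for connection customizations in this release; verify it
#     against the exportMetadata() output before deleting.
#   - 'myApp', 'AdminServer' and '/tmp/mds_backup' are placeholders.
#
# Run under WLST (wlst.sh) after connect(). exportMetadata/deleteMetadata are
# WLST built-ins; they are looked up at call time so the helpers can also be
# imported and unit-tested outside WLST with stub callables.

CONNECTIONS_CUST_DOC = '/META-INF/mdssys/cust/adfshare/adfshare/connections.xml.xml'


def customization_args(application, server, docs=CONNECTIONS_CUST_DOC):
    """Keyword arguments shared by exportMetadata() and deleteMetadata()."""
    if not application or not server:
        raise ValueError('application and server are required')
    return {'application': application, 'server': server, 'docs': docs}


def remove_connections_customization(application, server, backup_dir,
                                     export=None, delete=None):
    """Back up the customization to backup_dir, then delete it from MDS.

    Returns the MDS document path that was removed. export/delete default
    to the WLST globals; tests can inject stubs.
    """
    args = customization_args(application, server)
    export = export or globals().get('exportMetadata')
    delete = delete or globals().get('deleteMetadata')
    if export is None or delete is None:
        raise RuntimeError('run this under WLST (exportMetadata/deleteMetadata not found)')
    # Keep a copy first: the customization is the only record of the
    # post-deployment endpoint and policy edits made in Fusion Middleware Control.
    export(toLocation=backup_dir, **args)
    delete(**args)
    return args['docs']


if __name__ == '__main__':
    # connect('weblogic', 'password', 't3://host:7001')  # WLST only (placeholders)
    print(remove_connections_customization('myApp', 'AdminServer', '/tmp/mds_backup'))
```

After the customization is removed, redeploy the application so that its own connections.xml file is applied; any policy attachments you still need must then be made in JDeveloper or re-applied in Fusion Middleware Control.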

8.3 Reviewing Localization Limitations

The following information is supported in English only in this release of Oracle Enterprise Manager:

  • All fields in the policy and assertion template except the orawsp:displayName field.

  • When the WSDL is viewed using the ?orawsdl browser address, the orawsp:description field.

  • In the System MBean browser, the Description field in the oracle.wsm.upgrade MBean.

8.4 Fusion Middleware Control Does Not List Policies When Two Servers Are SSL Enabled (Two-way SSL)

When a Managed Server is enabled for two-way SSL (for example, a SOA server hosting Oracle WSM Policy Manager over two-way SSL) and the Administration Server hosting Fusion Middleware Control is correctly configured to access that two-way SSL-enabled Managed Server, Fusion Middleware Control still does not list the Oracle WSM policies.

8.5 Web Service Test Page Cannot Test Input Arguments Bound to SOAP Headers

For Web services that have any input arguments bound to SOAP headers, the Test Web Service page in the Fusion Middleware Control console cannot display the message, so such operations cannot be tested from the Test Web Service page.

For example, if the input for a multi-part WSDL is viewed through Fusion Middleware Control and one input argument is bound to a SOAP header, the composite instance fails with the following exception because the other part of the message is missing from the input:

ORAMED-01203:[No Part]No part exist with name "request1" in source message

To resolve such an issue, select XML View for Input Arguments and edit the payload to pass input for both parts of the WSDL.

8.6 Possible Limitation When Using Custom Exactly-one Policies

In some cases there is a limitation when using custom Exactly-one policies. For the set of assertions within an Exactly-one policy, if a request message satisfies the first assertion, that assertion is executed and a response is sent accordingly. This may not be the desired behavior, because the request may have been intended for a subsequent assertion.

For example, a client policy may have Timestamp=ON while the service Exactly-one policy has two wss11 username token with message protection assertions: the first with Timestamp=OFF and the second with Timestamp=ON. The first assertion in the service policy does not expect a Timestamp in the request, yet the second does. In this case the first assertion is executed and the response is sent with no Timestamp. Client-side processing then fails, because the client expects a Timestamp in the response to match the one it sent in the request.

This limitation can arise in any case where a client policy expects more elements to be signed than the service assertion that is selected does.

8.7 Security Policies Do Not Work on Subscriber Mediator Component

The Component Authorization denyall policy does not work on a subscriber Mediator component. Authorization policies work for other Mediator component cases.

8.8 Manual Step Required to Uptake Changes in Predefined Policy

The oracle/wss11_saml_or_username_token_with_message_protection_service_policy now includes five assertions as described in "Configuring a Policy With an OR Group" in Security and Administrator's Guide for Web Services:

  • wss_saml_token_bearer_over_ssl (new)

  • wss_username_token_over_ssl (new)

  • wss_http_token_over_ssl (new)

  • wss11_saml_token_with_message_protection (existing)

  • wss11_username_token_with_message_protection (existing)

To take advantage of these additional assertions, you need to upgrade the Oracle WSM policies in the repository using the resetWSMPolicyRepository(false) WLST command. Note that executing this command will upgrade all of the predefined policies to the latest version provided in 11.1.1.6. For additional information, see "Upgrading the Oracle WSM Policies in the Repository" in Security and Administrator's Guide for Web Services.

8.9 Usage Tracking Not Enabled for WebLogic Web Service Client

In this release, usage tracking and analysis is not provided for WebLogic Java EE Web service clients.

8.10 Invalid Authorization Combination Validates Successfully

Although you can attach multiple authorization policies to the same Web service, you should not attach both a permitall and a denyall policy. If you do, the combination nevertheless validates successfully in this release.

Workaround:

Do not attach a permitall and a denyall policy to the same Web service. For more information about authorization policies, see "Authorization Policies and Configuration Steps" in Security and Administrator's Guide for Web Services.

8.11 Additional Quotes in Fusion Middleware Control for Run-time Constraint Input from WLST

When you specify a run-time constraint using WLST, as described in "Specifying Run-time Constraints in Policy Sets" in Security and Administrator's Guide for Web Services, you must specify the constraint using quotes, for example setPolicySetConstraint('HTTPHeader("VIRTUAL_HOST_TYPE", "external")'). If you then use Fusion Middleware Control to view and edit the policy set constraint, the constraint is shown with the quotes included in the Constraint Name and Constraint Value fields. Remove the quotes from these fields before saving.

8.12 Cross-Domain Policy Manager Configuration is Not Supported in this Release

In this release, configuration to a Policy Manager in a remote domain is not supported.

8.13 WSDL Source Does Not Display In Certain Browsers

Certain web browsers, such as Apple's Safari, attempt to interpret the WSDL source when you click a WSDL link, and therefore will display a blank page.

Workaround:

To view the WSDL source in such browsers, use the browser's View Source command on the blank page: right-click the blank page and click View Page Source to view the content.

8.14 The Same Policy Type Cannot Be Used in OR Groups

When defining multiple policy alternatives (OR groups), assertions of the same policy type cannot be used in separate branches of the OR group. For example, the following combination of message protection assertions fails because both have the same authentication token type (a SAML token):

  • oracle/wss10_saml20_token_with_message_protection_service_template

  • oracle/wss10_saml_token_with_message_protection_service_template

Attempting to add these assertions to an OR group results in error WSM-00380:

WSM-00380: Invalid policy alternatives found inside XOR policy operator. It contains two or more message protection assertions which have same authentication token type.

Action: Ensure that you have only one message protection assertion with same authentication token type in the XOR policy.

For more information, see "Defining Multiple Policy Alternatives (OR Groups)" in Understanding Oracle Web Services Manager.
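
The following Python script is an added example, not part of the release notes or of Oracle WSM. It applies the WSM-00380 rule quoted above as a pre-flight check on a proposed OR group before the group is created in Fusion Middleware Control or WLST, working only from the assertion template names. It assumes the naming convention of the predefined message protection templates (oracle/wss10_ or wss11_, then the token name, then _token_with_message_protection_service_template or _client_template), and, as the text states for the two templates listed, treats SAML 1.1 ("saml") and SAML 2.0 ("saml20") assertions as the same authentication token type. Templates that do not match that convention are ignored rather than validated.

```python
# Added example (not from the Oracle release notes): checks a proposed OR
# group of message protection assertion templates for the WSM-00380 conflict
# (two or more message protection assertions with the same authentication
# token type) before the group is created.
#
# Assumptions:
#   - template names follow the predefined-template naming convention matched
#     by _MSG_PROT below;
#   - "saml" and "saml20" are the same authentication token type, as the
#     text says for the two templates it lists.

import re

# Matches names like oracle/wss10_saml20_token_with_message_protection_service_template
_MSG_PROT = re.compile(
    r'^oracle/wss(?P<ver>10|11)_(?P<token>[a-z0-9]+)_token_with_message_protection_'
    r'(?P<side>service|client)_template$')


def token_type(template):
    """Return the authentication token type of a message protection template,
    or None if the name is not a message protection template."""
    m = _MSG_PROT.match(template)
    if not m:
        return None
    token = m.group('token')
    if token.startswith('saml'):   # saml and saml20 share one token type
        return 'saml'
    return token


def validate_or_group(templates):
    """Return a list of WSM-00380-style error strings, one per template that
    repeats a token type already used in the group; an empty list means the
    group is valid under this rule."""
    errors = []
    seen = {}   # token type -> first template that used it
    for t in templates:
        tt = token_type(t)
        if tt is None:
            continue
        if tt in seen:
            errors.append(
                'WSM-00380: Invalid policy alternatives found inside XOR policy '
                'operator: %s and %s both use the %s authentication token'
                % (seen[tt], t, tt))
        else:
            seen[tt] = t
    return errors


if __name__ == '__main__':
    # Constructed inputs: the conflicting pair from the text, and a valid pair
    # that mixes a SAML token with a username token.
    bad = ['oracle/wss10_saml20_token_with_message_protection_service_template',
           'oracle/wss10_saml_token_with_message_protection_service_template']
    ok = ['oracle/wss11_saml_token_with_message_protection_service_template',
          'oracle/wss11_username_token_with_message_protection_service_template']
    for group in (bad, ok):
        print(validate_or_group(group) or 'OK')
```

The check ignores the wss10/wss11 version and the service/client side, because the error text is about the authentication token type only; a wss10 SAML assertion and a wss11 SAML assertion in the same OR group are therefore also reported.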

8.15 Location of Audit Logs for System Components

The audit logs for system components, such as OWSM-PM-EJB, are located in the following directory:

$DOMAIN_HOME/servers/$SERVER_NAME/logs/auditlogs/Component_Type

For more information, see "Configuring and Managing Auditing" in Securing Applications with Oracle Platform Security Services.