A Web Service Security Standards

This appendix summarizes the security standards for Oracle Infrastructure Web Services. For a complete list of standards supported for Oracle Infrastructure Web services, see "Supported Standards" in Developing Oracle Infrastructure Web Services.

Security standards are implemented in non-XML frameworks at the transport level, and in XML frameworks at the application level.

Table A-1 lists the standards that are key to providing secure and manageable environments at both the transport and application levels.

For a complete list and descriptions of standards for WebLogic Web services, see "Features and Standards Supported by WebLogic Web Services" in Understanding WebLogic Web Services for Oracle WebLogic Server.

Table A-1 Web Services Standards and Specification URLs

Standard Description and Specification URL

Web Services Interoperability Organization—Basic Security Profile

Oracle considers interoperability of Web services platforms to be more important than providing support for all possible edge cases of the Web services specifications. Oracle complies with the following specification from the Web Services Interoperability Organization and considers it to be the baseline for Web services interoperability.

For more information, see:

Transport Layer Security—SSL

Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS), is the most widely used transport-layer data-communication protocol.

For more information, see:

XML Encryption (Confidentiality)

The XML encryption specification describes a process for encrypting data and representing the result in XML.

For more information, see:

XML Signature (Integrity, Authenticity)

The XML Signature specification describes signature processing rules and syntax. XML Signature binds the sender's identity (or "signing entity") to an XML document. The document is signed using the sender's private key; the signature is verified using the sender's public key.

For more information, see:


Web Services Security (WS-Security) specifies SOAP security extensions that provide confidentiality using XML Encryption and data integrity using XML Signature. WS-Security also includes profiles that specify how to insert different types of binary and XML security tokens in WS-Security headers for authentication and authorization purposes.

For more information, see:

Username Token

The username token carries basic authentication information. The username-token element propagates username and password information to authenticate the message.

For more information, see:

X.509 Certificate

An X.509 digital certificate is a signed data structure designed to send a public key to a receiving party. A certificate includes standard fields such as certificate ID, issuer's Distinguished Name (DN), validity period, owner's DN, owner's public key, and so on.

For more information, see:

Kerberos Token

Kerberos token is a cross-platform authentication and single sign-on system. The Kerberos protocol provides mutual authentication between two entities relying on a shared secret (symmetric keys).

For more information, see:

SAML Token

The Security Assertion Markup Language (SAML) is an open framework for sharing security information over the Internet through XML documents.

For more information, see:


A Web service provider may define conditions (or policies) under which a service is to be provided. The WS-Policy framework enables one to specify policy information that can be processed by web services applications, such as Oracle WSM.

For more information, see:


WS-SecurityPolicy defines a set of security policy assertions used in the context of the WS-Policy framework. WS-SecurityPolicy assertions describe how messages are secured on a communication path.

For more information, see:

Web Services Addressing (WS-Addressing)

SOAP does not provide a standard way to specify where a message is going or how responses or faults are returned. WS-Addressing provides an XML framework for identifying web services endpoints and for securing end-to-end endpoint identification in messages.

For more information, see:


Defines extensions to WS-Security that provide a framework for requesting and issuing security tokens, and to broker trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens.

For more information, see:


WS-ReliableMessaging (WS-RM) defines a framework for identifying and managing the reliable delivery of messages between Web services endpoints.

For more information, see:


The Web Services Secure Conversation Language (WS-SecureConversation) is built on top of the WS-Security and WS-Policy models to provide secure communication between services. This specification defines mechanisms for establishing and sharing security contexts, and deriving keys from security contexts, to enable a secure conversation

For more information, see: